From: Michael Han
Date: Wed, 15 Feb 2017 15:54:49 -0800
Subject: Re: ZooKeeper DOS exploit published
To: dev@zookeeper.apache.org
Cc: UserZooKeeper

I have a patch for https://issues.apache.org/jira/browse/ZOOKEEPER-2693 (pull request 179). Feedback will be highly appreciated. It would be good if we can get this in a few days as it is both a security fix and a blocker for two ongoing releases (3.4.10/3.5.3).

On Mon, Feb 13, 2017 at 7:37 PM, Patrick Hunt wrote:

> Hi folks. The following exploit was recently published on the web and has
> come to our attention, it details a ZooKeeper DOS attack against certain
> four letter words (4lw), possible when the client port is exposed to
> untrusted actors:
>
> https://webcache.googleusercontent.com/search?q=cache:_CNGIz10PRYJ:https://www.exploit-db.com/exploits/41277/+&cd=14&hl=en&ct=clnk&gl=us
>
> Typically we address security issues on the security@ private mailing list,
> publishing a fixed release before publicly releasing the exploit, however
> in this case given the information is publicly available already we decided
> there's little point to keeping it on security@ exclusively.
> http://zookeeper.apache.org/security.html
>
> A JIRA has been created to track this issue:
> https://issues.apache.org/jira/browse/ZOOKEEPER-2693
> we expect to include a patch to address in 3.4.10 and 3.5.3.
>
> Patrick
>

--
Cheers
Michael.