From: Norbert Kalmar
Date: Sat, 10 Aug 2019 09:31:06 +0200
Subject: Re: An Apache Zookeeper Security Vulnerability
To: user@zookeeper.apache.org

Hello Xiaoqin,

My understanding is that log guards are used for performance reasons. I don't see how they can prevent information leakage.

I'd also like to add: please use the security mailing list first if you think you found a CVE.
- security@zookeeper.apache.org
More info here: https://zookeeper.apache.org/security.html

Thank you!

Regards,
Norbert

On Sat, Aug 10, 2019 at 1:31 AM Patrick Hunt wrote:

> On Fri, Aug 9, 2019 at 9:34 AM Enrico Olivelli wrote:
>
> > Those points do not seem a security issue
>
> Agree. First off the data is not sensitive. Also it's debug level and
> logged on the server. See
> https://issues.apache.org/jira/browse/ZOOKEEPER-3488 - similar situation
> although in this case debug is not the default - user would actively have
> to turn this on.
>
> Patrick
>
> > Enrico
> >
> > On Fri 9 Aug 2019, 17:52 Fu, Xiaoqin wrote:
> >
> > > Dear developers:
> > > I am a Ph.D. student at Washington State University. I applied a
> > > dynamic taint analyzer (distTaint) to Apache Zookeeper (version 3.4.11).
> > > I then found a security vulnerability, which exists from 3.4.11 to 3.4.14
> > > and in 3.5.5, from tainted paths.
> > >
> > > Possible information leakage from FileTxnSnapLog to log without LOG
> > > control LOG.isDebugEnabled():
> > > In org.apache.zookeeper.server.persistence.FileTxnSnapLog, the
> > > statement LOG.debug doesn't have LOG controls:
> > >
> > >     public void processTransaction(TxnHeader hdr, DataTree dt,
> > >             Map sessions, Record txn)
> > >             throws KeeperException.NoNodeException {
> > >         ......
> > >         if (rc.err != Code.OK.intValue()) {
> > >             LOG.debug("Ignoring processTxn failure hdr:" + hdr.getType()
> > >                     + ", error: " + rc.err + ", path: " + rc.path);
> > >         }
> > >         ......
> > >     }
> > >
> > > Sensitive information about hdr type or rc path may be leaked. The
> > > conditional statement LOG.isDebugEnabled() should be added:
> > >
> > >     public void processTransaction(TxnHeader hdr, DataTree dt,
> > >             Map sessions, Record txn)
> > >             throws KeeperException.NoNodeException {
> > >         ......
> > >         if (rc.err != Code.OK.intValue()) {
> > >             if (LOG.isDebugEnabled())
> > >                 LOG.debug("Ignoring processTxn failure hdr:" + hdr.getType()
> > >                         + ", error: " + rc.err + ", path: " + rc.path);
> > >         }
> > >         ......
> > >     }
> > >
> > > Please help me confirm it and give it a CVE ID.
> > >
> > > Thank you very much!
> > > Yours sincerely
> > > Xiaoqin Fu
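The point Norbert and Patrick make, that an isDebugEnabled() guard only decides whether the message string gets built while the logger's configured level decides whether anything is emitted, can be checked directly. The following is an added example, not code from the thread or from ZooKeeper: it uses java.util.logging with Level.FINE standing in for SLF4J's DEBUG, a counting Handler instead of a file, and constructed sample values in place of hdr.getType(), rc.err and rc.path.

```java
import java.util.logging.*;

// Added demonstration (not ZooKeeper code): guard vs. no guard around a debug message.
public class LogGuardDemo {
    private static final Logger LOG = Logger.getLogger("LogGuardDemo");
    static int emitted = 0;        // records the handler actually received
    static int messagesBuilt = 0;  // times the message string was concatenated

    // Stand-in for the hdr.getType()/rc.err/rc.path concatenation in the thread;
    // counts every evaluation so the cost of building the string is visible.
    static String buildMessage(int type, int err, String path) {
        messagesBuilt++;
        return "Ignoring processTxn failure hdr:" + type
                + ", error: " + err + ", path: " + path;
    }

    // No guard: the string is always built, then the logger decides whether to emit it.
    static void unguarded(int type, int err, String path) {
        LOG.fine(buildMessage(type, err, path));
    }

    // With guard: the string is built only when FINE is enabled; emission is unchanged,
    // because the same level check happens inside LOG.fine() either way.
    static void guarded(int type, int err, String path) {
        if (LOG.isLoggable(Level.FINE)) {
            LOG.fine(buildMessage(type, err, path));
        }
    }

    public static void main(String[] args) {
        LOG.setUseParentHandlers(false);
        LOG.addHandler(new Handler() {   // counting handler instead of console output
            @Override public void publish(LogRecord record) { emitted++; }
            @Override public void flush() { }
            @Override public void close() { }
        });
        int type = 1, err = -101;         // constructed sample values
        String path = "/example/znode";

        LOG.setLevel(Level.INFO);         // debug disabled: the usual default
        unguarded(type, err, path);       // builds the string, emits nothing
        guarded(type, err, path);         // builds nothing, emits nothing
        System.out.println("debug off: emitted=" + emitted + ", built=" + messagesBuilt);

        LOG.setLevel(Level.FINE);         // operator explicitly enabled debug
        unguarded(type, err, path);       // both variants now emit the record
        guarded(type, err, path);
        System.out.println("debug on:  emitted=" + emitted + ", built=" + messagesBuilt);
    }
}
```

With debug disabled the emitted count is identical for both variants; only the built count differs, which is the performance effect the reply refers to.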