Author: fpj
Date: Fri Sep 16 19:00:44 2016
New Revision: 1761070

URL: http://svn.apache.org/viewvc?rev=1761070&view=rev
Log:
Edits to the Apache ZooKeeper security page.

Modified:
    zookeeper/site/trunk/content/security.textile

Modified: zookeeper/site/trunk/content/security.textile
URL: 
http://svn.apache.org/viewvc/zookeeper/site/trunk/content/security.textile?rev=1761070&r1=1761069&r2=1761070&view=diff
==============================================================================
--- zookeeper/site/trunk/content/security.textile (original)
+++ zookeeper/site/trunk/content/security.textile Fri Sep 16 19:00:44 2016
@@ -20,5 +20,58 @@ h1. ZooKeeper Security
 
 The Apache Software Foundation takes security issues very seriously. Due to 
the infrastructure nature of the Apache ZooKeeper project specifically, we 
haven't had many reports over time, but it doesn't mean that we haven't had 
concerns over some bugs and vulnerabilities. If you have any concern or believe 
you have uncovered a vulnerability, we suggest that you get in touch via the 
e-mail address <a href="mailto:secur...@zookeeper.apache.org?Subject=[SECURITY] 
My security issue" target="_top">secur...@zookeeper.apache.org</a>. In the 
message, try to provide a description of the issue and ideally a way of 
reproducing it. Note that this security address should be used only for 
undisclosed vulnerabilities. Dealing with fixed issues should be handled 
regularly via the user and the dev lists. **Please report any security problems 
to the project security address before disclosing it publicly.**  
 
-The ASF Security team maintains a page with a description of how 
vulnerabilities are handled, check their <a 
href="http://www.apache.org/security/";>Web page</a> for more information.  
+The ASF Security team maintains a page with a description of how 
vulnerabilities are handled, check their <a 
href="http://www.apache.org/security/";>Web page</a> for more information.
+
+h2. Vulnerability reports
+
+* "CVE-2016-5017: Buffer overflow vulnerability in ZooKeeper C cli 
shell":#CVE-2016-5017 
+
+
+h3(#CVE-2016-5017). CVE-2016-5017: Buffer overflow vulnerability in ZooKeeper 
C cli shell
+
+Severity: moderate
+
+Vendor:
+The Apache Software Foundation
+
+Versions Affected:
+ZooKeeper 3.4.0 to 3.4.8
+ZooKeeper 3.5.0 to 3.5.2
+The unsupported ZooKeeper 1.x through 3.3.x versions may be also affected
+
+Note: The 3.5 branch is still alpha at this time.
+
+Description:
+The ZooKeeper C client shells "cli_st" and "cli_mt" have a buffer
+overflow vulnerability associated with parsing of the input command
+when using the "cmd:<cmd>" batch mode syntax. If the command string
+exceeds 1024 characters a buffer overflow will occur. There is no
+known compromise which takes advantage of this vulnerability, and if
+security is enabled the attacker would be limited by client level
+security constraints. The C cli shell is intended as a sample/example
+of how to use the C client interface, not as a production tool - the
+documentation has also been clarified on this point.
+
+Mitigation:
+It is important to use the fully featured/supported Java cli shell rather
+than the C cli shell independent of version.
+
+- ZooKeeper 3.4.x users should upgrade to 3.4.9 or apply this "patch":
+https://git-wip-us.apache.org/repos/asf?p=zookeeper.git;a=commitdiff;h=27ecf981a15554dc8e64a28630af7a5c9e2bdf4f
+
+- ZooKeeper 3.5.x users should upgrade to 3.5.3 when released or apply
+this "patch":
+https://git-wip-us.apache.org/repos/asf?p=zookeeper.git;a=commitdiff;h=f09154d6648eeb4ec5e1ac8a2bacbd2f8c87c14a
+
+The patch solves the problem reported here, but it does not make the
+client ready for production use. The community has no plan to make
+this client production ready at this time, and strongly recommends that
+users move to the Java cli and use the C cli for illustration purposes only.
+
+
+Credit:
+This issue was discovered by Lyon Yang, an Apple security researcher.
+
+References:
+"Apache ZooKeeper Security Page":https://zookeeper.apache.org/security.html
 
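Review bot: the Mitigation section tells 3.5.x users to "upgrade to 3.5.3 when released", but the advisory has no explicit "Versions Fixed" line, and nothing in the page marks the entry as provisional; add a fixed-versions line (3.4.9 for the 3.4 branch, 3.5.3 for the 3.5 branch, noting that 3.5.3 is not yet released) so the advisory does not silently go stale when 3.5.3 ships and the "when released" wording is forgotten. Two smaller points in the same hunk: the References section contains only a link back to this very security page, which is circular; it should point at the CVE record and the two fix commits already cited under Mitigation. And in the unchanged context lines, the mailto href `mailto:secur...@zookeeper.apache.org?Subject=[SECURITY] My security issue` carries literal spaces in the query string; percent-encode them (`%20`) or browsers may truncate the subject at the first space.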

