This is an automated email from the ASF dual-hosted git repository.
andor pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/zookeeper.git
The following commit(s) were added to refs/heads/asf-site by this push:
new 455b4c968 CVE-2023-44981
455b4c968 is described below
commit 455b4c968446cacb14d1ee829627af5739c42af6
Author: Andor Molnar <[email protected]>
AuthorDate: Wed Oct 11 14:03:59 2023 +0200
CVE-2023-44981
---
content/security.html | 23 ++++++++++++++++++++++-
1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/content/security.html b/content/security.html
index 33571b736..ad81f848e 100644
--- a/content/security.html
+++ b/content/security.html
@@ -96,11 +96,32 @@ target="_top">[email protected]</a>. In the
message, try to provide
<p>The ASF Security team maintains a page with a description of how
vulnerabilities are handled, check their <a
href="https://www.apache.org/security/">Web page</a> for more information.</p>
<h2>Vulnerability reports</h2>
<ul>
+<li><a href="#CVE-2023-44981">CVE-2023-44981: Authorization bypass in SASL
Quorum Peer Authentication</a></li>
<li><a href="#CVE-2019-0201">CVE-2019-0201: Information disclosure
vulnerability in Apache ZooKeeper</a></li>
<li><a href="#CVE-2018-8012">CVE-2018-8012: Apache ZooKeeper Quorum Peer
mutual authentication</a></li>
<li><a href="#CVE-2017-5637">CVE-2017-5637: DOS attack on wchp/wchc four
letter words (4lw)</a></li>
<li><a href="#CVE-2016-5017">CVE-2016-5017: Buffer overflow vulnerability in
ZooKeeper C cli shell</a></li>
</ul>
+<p><a name="CVE-2023-44981"></a></p>
+<h3>CVE-2023-44981: Authorization bypass in SASL Quorum Peer
Authentication</h3>
+<p>Severity: critical</p>
+<p>Affected versions:</p>
+<ul>
+<li>Apache ZooKeeper 3.9.0</li>
+<li>Apache ZooKeeper 3.8.0 through 3.8.2</li>
+<li>Apache ZooKeeper 3.7.0 through 3.7.1</li>
+<li>Apache ZooKeeper before 3.7.0</li>
+</ul>
+<p>Description:</p>
+<p>Authorization Bypass Through User-Controlled Key vulnerability in Apache
ZooKeeper. If SASL Quorum Peer authentication is enabled in ZooKeeper
(quorum.auth.enableSasl=true), the authorization is done by verifying that the
instance part in SASL authentication ID is listed in zoo.cfg server list. The
instance part in SASL auth ID is optional and if it's missing, like
'[email protected]', the authorization check will be skipped. As a result an
arbitrary endpoint could join the cluster and [...]
+<p>Users are recommended to upgrade to version 3.9.1, 3.8.3, 3.7.2, which
fixes the issue.</p>
+<p>Alternately ensure the ensemble election/quorum communication is protected
by a firewall as this will mitigate the issue.</p>
+<p>See the documentation for more details on correct cluster
administration.</p>
+<p>Credit:</p>
+<p>Damien Diederen <a
href="mailto:ddiederen@apache.org">ddiederen@apache.org</a>
(reporter)</p>
+<p>References:</p>
+<p><a
href="https://zookeeper.apache.org/">https://zookeeper.apache.org/</a></p>
+<p><a
href="https://www.cve.org/CVERecord?id=CVE-2023-44981">https://www.cve.org/CVERecord?id=CVE-2023-44981</a></p>
<p><a name="CVE-2019-0201"></a></p>
<h3>CVE-2019-0201: Information disclosure vulnerability in Apache
ZooKeeper</h3>
<p>Severity: Critical</p>
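Review bot: The added paragraph "See the documentation for more details on correct cluster administration." in the CVE-2023-44981 entry has no link, and the References block points only at the project home page, so a reader applying the firewall mitigation has no specific target to follow. Link that sentence to the administrator guide section it refers to, and state in the mitigation paragraph that the ports to restrict are the quorum and election ports from the zoo.cfg server list. Two smaller points in the same entry: "Severity: critical" is lowercase while the CVE-2019-0201 entry directly below uses "Severity: Critical", and "upgrade to version 3.9.1, 3.8.3, 3.7.2, which fixes the issue" reads better as "upgrade to version 3.9.1, 3.8.3 or 3.7.2, which fix the issue".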
@@ -108,7 +129,7 @@ target="_top">[email protected]</a>. In the
message, try to provide
<p>Versions Affected: ZooKeeper prior to 3.4.14 ZooKeeper 3.5.0-alpha through
3.5.4-beta. The unsupported ZooKeeper 1.x through 3.3.x versions may be also
affected.</p>
<p>Description: ZooKeeper’s getACL() command doesn’t check any permission when
retrieves the ACLs of the requested node and returns all information contained
in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads
the Id field with the hash value that is used for user authentication. As a
consequence, if Digest Authentication is in use, the unsalted hash value will
be disclosed by getACL() request for unauthenticated or unprivileged users.</p>
<p>Mitigation: Use an authentication method other than Digest (e.g. Kerberos)
or upgrade to 3.4.14 or later (3.5.5 or later if on the 3.5 branch).</p>
-<p>Credit: This issue was identified by Harrison Neal <a
href="mailto:harrison@patchadvisor.com">harrison@patchadvisor.com</a>
PatchAdvisor, Inc.</p>
+<p>Credit: This issue was identified by Harrison Neal <a
href="mailto:harrison@patchadvisor.com">harrison@patchadvisor.com</a>
PatchAdvisor, Inc.</p>
<p>References: https://issues.apache.org/jira/browse/ZOOKEEPER-1392</p>
<p><a name="CVE-2018-8012"></a></p>
<h3>CVE-2018-8012: Apache ZooKeeper Quorum Peer mutual authentication</h3>
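Review bot: The removed and added "Credit: This issue was identified by Harrison Neal" lines in the CVE-2019-0201 entry read identically as shown, so this looks like a whitespace-only change that is unrelated to the CVE-2023-44981 announcement. Drop it from this commit, or mention the whitespace cleanup in the commit message so the single deletion in the diffstat is explained.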