This is an automated email from the ASF dual-hosted git repository.
andor pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/zookeeper.git
The following commit(s) were added to refs/heads/asf-site by this push:
new c07c00495 CVE-2024-23944
c07c00495 is described below
commit c07c004955cd680ae4e0c57b2857c2fe0fe5f128
Author: Andor Molnar <[email protected]>
AuthorDate: Thu Mar 14 11:07:26 2024 -0500
CVE-2024-23944
---
content/security.html | 21 +++++++++++++++++++--
1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/content/security.html b/content/security.html
index 376b34111..726a0d188 100644
--- a/content/security.html
+++ b/content/security.html
@@ -96,12 +96,29 @@ target="_top">[email protected]</a>. In the
message, try to provide
<p>The ASF Security team maintains a page with a description of how
vulnerabilities are handled, check their <a
href="https://www.apache.org/security/">Web page</a> for more information.</p>
<h2>Vulnerability reports</h2>
<ul>
+<li><a href="#CVE-2024-23944">CVE-2024-23944: Information disclosure in
persistent watcher handling</a></li>
<li><a href="#CVE-2023-44981">CVE-2023-44981: Authorization bypass in SASL
Quorum Peer Authentication</a></li>
<li><a href="#CVE-2019-0201">CVE-2019-0201: Information disclosure
vulnerability in Apache ZooKeeper</a></li>
<li><a href="#CVE-2018-8012">CVE-2018-8012: Apache ZooKeeper Quorum Peer
mutual authentication</a></li>
<li><a href="#CVE-2017-5637">CVE-2017-5637: DOS attack on wchp/wchc four
letter words (4lw)</a></li>
<li><a href="#CVE-2016-5017">CVE-2016-5017: Buffer overflow vulnerability in
ZooKeeper C cli shell</a></li>
</ul>
+<p><a name="CVE-2024-23944"></a></p>
+<h3>CVE-2024-23944: Information disclosure in persistent watcher handling</h3>
+<p>Severity: critical</p>
+<p>Affected versions:</p>
+<ul>
+<li>Apache ZooKeeper 3.9.0 through 3.9.1</li>
+<li>Apache ZooKeeper 3.8.0 through 3.8.3</li>
+<li>Apache ZooKeeper 3.6.0 through 3.7.2</li>
+</ul>
+<p>Description:</p>
+<p>Information disclosure in persistent watchers handling in Apache ZooKeeper
due to missing ACL check. It allows an attacker to monitor child znodes by
attaching a persistent watcher (addWatch command) to a parent which the
attacker has already access to. ZooKeeper server doesn't do ACL check when the
persistent watcher is triggered and as a consequence, the full path of znodes
that a watch event gets triggered upon is exposed to the owner of the watcher.
It's important to note that onl [...]
+<p>Users are recommended to upgrade to version 3.9.2, 3.8.4 which fixes the
issue.</p>
+<p>Credit:</p>
+<p>周吉安(寒泉) <a
href="mailto:zhoujian.zja@alibaba-inc.com">zhoujian.zja@alibaba-inc.com</a>
(reporter)</p>
+<p>References:</p>
+<p><a href="https://zookeeper.apache.org/">https://zookeeper.apache.org/</a>
<a
href="https://www.cve.org/CVERecord?id=CVE-2024-23944">https://www.cve.org/CVERecord?id=CVE-2024-23944</a></p>
<p><a name="CVE-2023-44981"></a></p>
<h3>CVE-2023-44981: Authorization bypass in SASL Quorum Peer
Authentication</h3>
<p>Severity: critical</p>
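Review bot: the upgrade recommendation in the new CVE-2024-23944 entry ("Users are recommended to upgrade to version 3.9.2, 3.8.4 which fixes the issue.") names fixed releases only for the 3.9 and 3.8 lines, while the affected-versions list just above it also covers 3.6.0 through 3.7.2; state which release users on those lines should move to, and tighten the wording to "versions 3.9.2 or 3.8.4, which fix the issue". Two smaller points in the same hunk: the References paragraph puts both links into a single <p>, whereas the CVE-2023-44981 entry directly below gives each link its own <p>, so the new entry should match that layout; and the Description paragraph as shown in this notification ends with "onl [...]", so confirm that the full description text made it into security.html rather than a truncated sentence.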
@@ -118,7 +135,7 @@ target="_top">[email protected]</a>. In the
message, try to provide
<p>Alternately ensure the ensemble election/quorum communication is protected
by a firewall as this will mitigate the issue.</p>
<p>See the documentation for more details on correct cluster
administration.</p>
<p>Credit:</p>
-<p>Damien Diederen <a
href="mailto:ddiederen@apache.org">ddiederen@apache.org</a>
(reporter)</p>
+<p>Damien Diederen <a
href="mailto:ddiederen@apache.org">ddiederen@apache.org</a>
(reporter)</p>
<p>References:</p>
<p><a
href="https://zookeeper.apache.org/">https://zookeeper.apache.org/</a></p>
<p><a
href="https://www.cve.org/CVERecord?id=CVE-2023-44981">https://www.cve.org/CVERecord?id=CVE-2023-44981</a></p>
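Review bot: the removed and added lines of the Damien Diederen credit paragraph are identical as displayed, so this hunk looks like a whitespace or character-encoding change only; if that is intended, mention it in the commit message (which currently says only "CVE-2024-23944"), and if it is not, drop the hunk so the diff stays limited to the new advisory.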
@@ -129,7 +146,7 @@ target="_top">[email protected]</a>. In the
message, try to provide
<p>Versions Affected: ZooKeeper prior to 3.4.14 ZooKeeper 3.5.0-alpha through
3.5.4-beta. The unsupported ZooKeeper 1.x through 3.3.x versions may be also
affected.</p>
<p>Description: ZooKeeper’s getACL() command doesn’t check any permission when
retrieves the ACLs of the requested node and returns all information contained
in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads
the Id field with the hash value that is used for user authentication. As a
consequence, if Digest Authentication is in use, the unsalted hash value will
be disclosed by getACL() request for unauthenticated or unprivileged users.</p>
<p>Mitigation: Use an authentication method other than Digest (e.g. Kerberos)
or upgrade to 3.4.14 or later (3.5.5 or later if on the 3.5 branch).</p>
-<p>Credit: This issue was identified by Harrison Neal <a
href="mailto:harrison@patchadvisor.com">harrison@patchadvisor.com</a>
PatchAdvisor, Inc.</p>
+<p>Credit: This issue was identified by Harrison Neal <a
href="mailto:harrison@patchadvisor.com">harrison@patchadvisor.com</a>
PatchAdvisor, Inc.</p>
<p>References: https://issues.apache.org/jira/browse/ZOOKEEPER-1392</p>
<p><a name="CVE-2018-8012"></a></p>
<h3>CVE-2018-8012: Apache ZooKeeper Quorum Peer mutual authentication</h3>
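Review bot: the - and + lines for the Harrison Neal credit paragraph show no visible difference, which suggests an unintended whitespace or encoding rewrite of an untouched advisory; either revert this hunk or note the cleanup explicitly in the commit message. While touching this entry, the References line for CVE-2019-0201 is plain text ("References: https://issues.apache.org/jira/browse/ZOOKEEPER-1392") rather than an <a> link like the other entries, which would be a cheap consistency fix.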