I think I know what they are talking about. Let me try to reproduce it, it might give us a bit more clarity on the matter.
-Flavio

-----Original Message-----
From: Patrick Hunt [mailto:[email protected]]
Sent: Tuesday, April 22, 2014 7:47 PM
To: DevZooKeeper
Cc: Michi Mutsuzaki
Subject: Re: ZK CVE

Hm. Well the txnlogs didn't make much sense to me. If you have that level of access, well then you've got access to everything regardless. Shouldn't/wouldn't those files be protected by permissions on the datadir?

Also, which "password" are we storing in the txnlog? The session password or truly the admin password.

Patrick

On Tue, Apr 22, 2014 at 11:04 AM, Flavio Junqueira <[email protected]> wrote:
> I've created ZK-1917 for this.
>
> I think it is referring to the txn logs. If so, SSL encryption alone isn't
> going to do it.
>
> -Flavio
>
> On 22 Apr 2014, at 18:55, Patrick Hunt <[email protected]> wrote:
>
>> On Tue, Apr 22, 2014 at 10:14 AM, Michi Mutsuzaki <[email protected]>
>> wrote:
>>> That's a great idea.
>>>
>>> The link talks about one specific vulnerability (password being
>>> logged in cleartext :( ), but I'm interested in securing ZooKeeper
>>> in general. I've seen projects staying away from ZooKeeper because
>>> it doesn't support SSL, for example.
>>>
>>
>> That was one of the reasons why we were trying to add netty support -
>> it would greatly simplify enabling SSL encryption.
>>
>> Patrick
>>
>>>
>>> On Tue, Apr 22, 2014 at 9:32 AM, Flavio Junqueira <[email protected]> wrote:
>>>> Some of you may have noticed that there is a CVE entry for ZK:
>>>>
>>>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0085
>>>>
>>>> I've never perceived ZK as a project particularly strong on the
>>>> security side, but I was wondering how folks in the list feel about
>>>> creating a jira and working something out.
>>>>
>>>> -Flavio
