[ https://issues.apache.org/jira/browse/ZOOKEEPER-1917?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13980337#comment-13980337 ]
Michi Mutsuzaki commented on ZOOKEEPER-1917:
--------------------------------------------
I asked for more details on the original bug and got an email from the Red Hat
Security Response Team.
https://bugzilla.redhat.com/show_bug.cgi?id=1067265
The original bug is *not* about ACL password. Some applications use ZooKeeper
to store their passwords (like in a znode "/my/password"), and the transaction
log files are not encrypted, so if you have read permission, you can see the
password stored in the znode. Their fix is to encrypt the password before
storing it in ZooKeeper.
> Apache Zookeeper logs cleartext admin passwords
> -----------------------------------------------
>
> Key: ZOOKEEPER-1917
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1917
> Project: ZooKeeper
> Issue Type: Bug
> Reporter: Flavio Junqueira
> Priority: Blocker
> Fix For: 3.4.7, 3.5.0
>
>
> Check the CVE entry for a description:
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0085