[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15867079#comment-15867079
 ] 

Patrick Hunt commented on ZOOKEEPER-2693:
-----------------------------------------

I looked at the patch. It is reasonable, but I don't think we can go with an 
all-or-nothing approach: many users would still want to be able to monitor their 
system using existing 4lw-based infra while mitigating the attack, and this 
doesn't allow any middle ground. 

How about on/off as you have in the current patch, but also allow a list of 
"whitelisted" 4lw? The default could be "ruok" and "srvr" or something of that 
nature. Notice we are building the list today here in FourLetterCommands, and 
could build a list containing the configured whitelist instead? What do you 
think?

> DOS attack on wchp/wchc four letter words (4lw)
> -----------------------------------------------
>
>                 Key: ZOOKEEPER-2693
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2693
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security, server
>    Affects Versions: 3.4.0, 3.5.1, 3.5.2
>            Reporter: Patrick Hunt
>            Assignee: Michael Han
>            Priority: Blocker
>             Fix For: 3.4.10, 3.5.3
>
>
> The wchp/wchc four letter words can be exploited in a DOS attack on the ZK 
> client port - typically 2181. The following POC attack was recently published 
> on the web:
> https://webcache.googleusercontent.com/search?q=cache:_CNGIz10PRYJ:https://www.exploit-db.com/exploits/41277/+&cd=14&hl=en&ct=clnk&gl=us
> The most straightforward way to block this attack is to not allow access to 
> the client port to non-trusted clients - i.e. firewall the ZooKeeper service 
> and only allow access to trusted applications using it for coordination.
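To make the on/off-plus-whitelist proposal in the comment above concrete, here is an added illustration written for this thread; it is not ZooKeeper code and not part of the patch under discussion. The class name, the two configuration inputs (`enabled`, `whitelist`), and the `KNOWN` set of commands are assumptions; the default whitelist of `ruok` and `srvr` follows the comment. With the default in force the watch-dumping commands `wchc`/`wchp` are rejected while `ruok`/`srvr` monitoring keeps working, which is the middle ground the comment asks for.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/**
 * Illustration of the on/off switch plus 4lw whitelist proposed in the comment.
 * Assumed names throughout: this is not ZooKeeper's FourLetterCommands class.
 */
public class FourLetterWhitelist {

    // Constructed subset of the 4lw a server understands; stands in for the
    // list the comment says is built today in FourLetterCommands.
    static final Set<String> KNOWN = new HashSet<>(Arrays.asList(
        "ruok", "srvr", "stat", "conf", "cons", "envi", "mntr",
        "wchs", "wchc", "wchp", "dump", "isro"));

    // Default suggested in the comment: cheap commands with bounded output.
    static final Set<String> DEFAULT_WHITELIST =
        new HashSet<>(Arrays.asList("ruok", "srvr"));

    private final boolean enabled;
    private final Set<String> allowed;

    private FourLetterWhitelist(boolean enabled, Set<String> allowed) {
        this.enabled = enabled;
        this.allowed = Collections.unmodifiableSet(allowed);
    }

    /**
     * Builds the policy from two assumed settings:
     *   enabled   - the on/off switch from the current patch
     *   whitelist - comma-separated 4lw names, "*" for every known command,
     *               null or blank for the default list
     * Unknown names are dropped rather than accepted, so a typo in the
     * configuration cannot silently widen what the client port exposes.
     */
    static FourLetterWhitelist fromConfig(boolean enabled, String whitelist) {
        if (!enabled) {
            return new FourLetterWhitelist(false, Collections.<String>emptySet());
        }
        if (whitelist == null || whitelist.trim().isEmpty()) {
            return new FourLetterWhitelist(true, new HashSet<>(DEFAULT_WHITELIST));
        }
        if (whitelist.trim().equals("*")) {
            return new FourLetterWhitelist(true, new HashSet<>(KNOWN));
        }
        Set<String> parsed = new HashSet<>();
        for (String raw : whitelist.split(",")) {
            String cmd = raw.trim().toLowerCase(Locale.ROOT);
            if (cmd.isEmpty()) {
                continue;
            }
            if (KNOWN.contains(cmd)) {
                parsed.add(cmd);
            } else {
                System.err.println("ignoring unknown 4lw in whitelist: " + cmd);
            }
        }
        return new FourLetterWhitelist(true, parsed);
    }

    /** Decision taken once the first four bytes of a connection are read. */
    boolean isAllowed(String cmd) {
        return enabled && KNOWN.contains(cmd) && allowed.contains(cmd);
    }

    public static void main(String[] args) {
        FourLetterWhitelist defaults = fromConfig(true, null);
        FourLetterWhitelist custom = fromConfig(true, "ruok, srvr, mntr, bogus");
        FourLetterWhitelist off = fromConfig(false, "*");
        for (String cmd : Arrays.asList("ruok", "mntr", "wchc", "wchp")) {
            System.out.printf("%s  default=%b  custom=%b  off=%b%n", cmd,
                defaults.isAllowed(cmd), custom.isAllowed(cmd), off.isAllowed(cmd));
        }
    }
}
```

Running `main` shows `ruok` accepted under the default and custom policies, `mntr` accepted only once it is listed, and `wchc`/`wchp` rejected unless an operator explicitly names them or uses `*`; with the switch off, nothing is accepted.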



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)