[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15868035#comment-15868035
 ] 

Patrick Hunt commented on ZOOKEEPER-2693:
-----------------------------------------

That makes sense to me (scoping). What will the default list of 4lw be?

3.4: ruok,srvr,crst,srst,isro,mntr
3.5: <empty>

Note: the full list of supported commands is different from 3.4 to 3.5 
(possibly trunk?) - we'll need to ensure the docs reflect correctly.

Do you think that makes sense? From what I can see these are low cost lookups. 
Some of the items I left off are more expensive or questionable in terms of 
whether they should be exposed if a firewall is not used.

Or should 3.4 include all commands aside from the two identified in this jira? 
I'm thinking be safe (smaller list), document this clearly in the docs and in 
the release notes, and allow the users interested in exposing more 4lw to do 
so. Downside is that users may be impacted, i.e. would have to update 
production configurations.

What should we call this? zookeeper.4lw.commands.whitelist ?

We'll need to verify the list; 4 letters, from the possible set of commands 
available.

> DOS attack on wchp/wchc four letter words (4lw)
> -----------------------------------------------
>
>                 Key: ZOOKEEPER-2693
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2693
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security, server
>    Affects Versions: 3.4.0, 3.5.1, 3.5.2
>            Reporter: Patrick Hunt
>            Assignee: Michael Han
>            Priority: Blocker
>             Fix For: 3.4.10, 3.5.3
>
>
> The wchp/wchc four letter words can be exploited in a DOS attack on the ZK 
> client port - typically 2181. The following POC attack was recently published 
> on the web:
> https://webcache.googleusercontent.com/search?q=cache:_CNGIz10PRYJ:https://www.exploit-db.com/exploits/41277/+&cd=14&hl=en&ct=clnk&gl=us
> The most straightforward way to block this attack is to not allow access to 
> the client port to non-trusted clients - i.e. firewall the ZooKeeper service 
> and only allow access to trusted applications using it for coordination.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
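The comment above asks for the whitelist value to be verified (four letters each, drawn from the commands the server actually serves). The following is an added example of such a check, not ZooKeeper's own code. It takes the proposed 3.4 default list from the comment as given; the full 3.4 command set, the comma-separated property format, and the `*` wildcard meaning "all commands" are assumptions. The two commands the issue names as DoS vectors (wchp, wchc) are accepted but flagged, matching the comment's point that they should only be exposed behind a firewall.

```python
"""Validate a ZooKeeper four-letter-word (4lw) whitelist value.

Added example for the discussion above; not ZooKeeper's own code.
Assumptions: the property is a comma-separated list, "*" means every
known command, and KNOWN_3_4 is the 3.4 command set as assumed here.
"""
import re
from dataclasses import dataclass, field

# Default list proposed in the comment for 3.4 (taken from the page).
DEFAULT_3_4 = ("ruok", "srvr", "crst", "srst", "isro", "mntr")

# Assumption: the full set of 4lw commands a 3.4 server answers.
KNOWN_3_4 = frozenset({
    "conf", "cons", "crst", "dump", "envi", "ruok", "srst", "srvr",
    "stat", "wchs", "wchc", "wchp", "mntr", "isro", "gtmk", "stmk",
})

# Commands the issue identifies as DoS vectors: they dump every watch.
EXPENSIVE = frozenset({"wchp", "wchc"})

FOUR_LETTERS = re.compile(r"^[a-z]{4}$")


@dataclass
class Result:
    accepted: list = field(default_factory=list)
    errors: list = field(default_factory=list)
    warnings: list = field(default_factory=list)


def parse_whitelist(value):
    """Split a comma-separated property value into tokens, dropping blanks."""
    return [t.strip() for t in value.split(",") if t.strip()]


def validate_whitelist(value, known=KNOWN_3_4):
    """Check each token is a four-letter command the server knows.

    Returns a Result: accepted commands in order (first occurrence kept),
    one error per rejected token, and a warning per expensive command.
    """
    r = Result()
    # Assumption: "*" exposes every known command; warn for the expensive ones.
    if value.strip() == "*":
        for cmd in sorted(known):
            r.accepted.append(cmd)
            if cmd in EXPENSIVE:
                r.warnings.append(f"{cmd!r}: expensive watch dump; expose only behind a firewall")
        return r

    seen = set()
    for tok in parse_whitelist(value):
        if not FOUR_LETTERS.match(tok):
            r.errors.append(f"{tok!r}: not four lowercase letters")
            continue
        if tok not in known:
            r.errors.append(f"{tok!r}: not a known 4lw command")
            continue
        if tok in seen:
            continue  # duplicate entry; keep the first occurrence
        seen.add(tok)
        if tok in EXPENSIVE:
            r.warnings.append(f"{tok!r}: expensive watch dump; expose only behind a firewall")
        r.accepted.append(tok)
    return r


if __name__ == "__main__":
    # Constructed sample values: the proposed 3.4 default, the empty 3.5
    # default, and a list with one expensive command and two bad tokens.
    for sample in [",".join(DEFAULT_3_4), "", "ruok, wchp, abc, fooo"]:
        res = validate_whitelist(sample)
        print(f"{sample!r}: accepted={res.accepted} errors={res.errors} warnings={res.warnings}")
```

An empty value yields an empty accepted list, which is the behaviour the comment proposes as the 3.5 default; a deployment that needs wchp or wchc can list them explicitly and will see the warning at validation time rather than discovering the cost under load.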
