[ https://issues.apache.org/jira/browse/ZOOKEEPER-2693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15873191#comment-15873191 ]
Mohammad Arshad commented on ZOOKEEPER-2693:
--------------------------------------------

bq. 3.4: ruok,srvr,crst,srst,isro,mntr, 3.5: <empty>

There are some 4lw commands which ZooKeeper is using by itself. For example:
# srvr is used in zookeeper/bin/zkServer.sh status
# isro is used in org.apache.zookeeper.ClientCnxn.SendThread.pingRwServer()

If we do not enable those commands by default, related functionalities will not work, so we have to include them in the default list. But if we enable them, I do not know if the whole purpose of this fix is defeated, because the attacker can call these commands; even though we are not doing much work in these commands, connections will still be created for every call.

Any comments on which option to choose?

> DOS attack on wchp/wchc four letter words (4lw)
> -----------------------------------------------
>
> Key: ZOOKEEPER-2693
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2693
> Project: ZooKeeper
> Issue Type: Bug
> Components: security, server
> Affects Versions: 3.4.0, 3.5.1, 3.5.2
> Reporter: Patrick Hunt
> Assignee: Michael Han
> Priority: Blocker
> Fix For: 3.4.10, 3.5.3
>
>
> The wchp/wchc four letter words can be exploited in a DOS attack on the ZK
> client port - typically 2181. The following POC attack was recently published
> on the web:
> https://webcache.googleusercontent.com/search?q=cache:_CNGIz10PRYJ:https://www.exploit-db.com/exploits/41277/+&cd=14&hl=en&ct=clnk&gl=us
> The most straightforward way to block this attack is to not allow access to
> the client port to non-trusted clients - i.e. firewall the ZooKeeper service
> and only allow access to trusted applications using it for coordination.
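The trade-off the comment weighs, as an added model in Python (not ZooKeeper's code): a 4lw whitelist that admits the commands ZooKeeper's own tooling needs (srvr, isro) and refuses wchp/wchc, plus a per-client tally of refusals so an operator can spot a peer hammering the port even though each refused call is cheap. Command names and the two default lists come from the thread; the replies, client addresses and the gate class are constructed here (the shipped fix exposes the list through the `4lw.commands.whitelist` property, which this model stands in for).

```python
from collections import Counter
from typing import Optional

# Default lists as given in the thread: 3.4 keeps the commands ZooKeeper's own
# tooling relies on (srvr for zkServer.sh status, isro for pingRwServer);
# the proposal for 3.5 was an empty list.
DEFAULT_WHITELIST_34 = frozenset({"ruok", "srvr", "crst", "srst", "isro", "mntr"})
DEFAULT_WHITELIST_35 = frozenset()

# Constructed replies; real ZooKeeper output is richer.
REPLIES = {"ruok": "imok", "isro": "rw", "srvr": "Mode: standalone (constructed)\n"}


def parse_4lw(raw: bytes) -> Optional[str]:
    """Return the lower-cased 4-letter command, or None when the first four
    bytes are not an ASCII word (e.g. the binary ZooKeeper client handshake)."""
    head = raw[:4]
    if len(head) != 4 or not head.isalpha():
        return None
    return head.decode("ascii").lower()


class FourLetterWordGate:
    """Whitelist check plus a per-client tally of refused commands."""

    def __init__(self, whitelist=DEFAULT_WHITELIST_34):
        self.whitelist = frozenset(whitelist)
        self.refused = Counter()  # (client, cmd) -> number of refusals

    def handle(self, client: str, raw: bytes) -> tuple[bool, str]:
        """Return (accepted, reply). A refused command has still cost an
        accept() and one short reply, the residual cost the thread discusses."""
        cmd = parse_4lw(raw)
        if cmd is None or cmd not in self.whitelist:
            self.refused[(client, cmd or "?")] += 1
            return False, "command refused: not in 4lw whitelist\n"
        return True, REPLIES.get(cmd, "")

    def noisy_clients(self, threshold: int) -> dict[str, int]:
        """Clients whose total refused commands reached the threshold; a
        candidate alert for a firewall rule on the client port."""
        totals = Counter()
        for (client, _cmd), n in self.refused.items():
            totals[client] += n
        return {c: n for c, n in totals.items() if n >= threshold}
```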