[
https://issues.apache.org/jira/browse/ZOOKEEPER-2693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15876406#comment-15876406
]
ASF GitHub Bot commented on ZOOKEEPER-2693:
-------------------------------------------
Github user hanm commented on a diff in the pull request:
https://github.com/apache/zookeeper/pull/179#discussion_r102275734
--- Diff: src/java/main/org/apache/zookeeper/server/NettyServerCnxn.java ---
@@ -267,10 +267,17 @@ private boolean checkFourLetterWord(final Channel
channel,
{
// We take advantage of the limited size of the length to look
// for cmds. They are all 4-bytes which fits inside of an int
- String cmd = FourLetterCommands.getCmdMapView().get(len);
- if (cmd == null) {
+ if (!FourLetterCommands.isKnown(len)) {
return false;
}
+
+ // ZOOKEEPER-2693: don't execute 4lw if it's not enabled.
+ String cmd = FourLetterCommands.getCommandString(len);
+ if (!FourLetterCommands.isEnabled(cmd)) {
+ LOG.debug("Command {} is not executed because it is not white
listed.", cmd);
+ return true;
--- End diff --
@rakeshadr hmmmm I think we did not even close server sockets today for
four letter words in general, see
https://github.com/apache/zookeeper/blob/master/src/java/main/org/apache/zookeeper/server/NIOServerCnxn.java#L343
and
https://github.com/apache/zookeeper/blob/master/src/java/main/org/apache/zookeeper/server/NettyServerCnxn.java#L388
This is not a problem in general for the command line interface because in
that case client socket will close first and then server socket will close as a
result of client socket close... however if someone writes a client that opens
and holds a socket then server will not close the socket even after 4lw finish
execution. This probably is a by design as it allows clients to pipe 4lw
commands w/o re-opening sockets but I see this is another potential point of
vulnerability where a server could run out of sockets..
I think we should probably close the sockets in the two links I posted in
the beginning. Let me know what you think @rakeshadr.
> DOS attack on wchp/wchc four letter words (4lw)
> -----------------------------------------------
>
> Key: ZOOKEEPER-2693
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2693
> Project: ZooKeeper
> Issue Type: Bug
> Components: security, server
> Affects Versions: 3.4.0, 3.5.1, 3.5.2
> Reporter: Patrick Hunt
> Assignee: Michael Han
> Priority: Blocker
> Fix For: 3.4.10, 3.5.3
>
> Attachments: ZOOKEEPER-2693-01.patch
>
>
> The wchp/wchc four letter words can be exploited in a DOS attack on the ZK
> client port - typically 2181. The following POC attack was recently published
> on the web:
> https://webcache.googleusercontent.com/search?q=cache:_CNGIz10PRYJ:https://www.exploit-db.com/exploits/41277/+&cd=14&hl=en&ct=clnk&gl=us
> The most straightforward way to block this attack is to not allow access to
> the client port to non-trusted clients - i.e. firewall the ZooKeeper service
> and only allow access to trusted applications using it for coordination.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
