[ https://issues.apache.org/jira/browse/ZOOKEEPER-2693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15876406#comment-15876406 ]
ASF GitHub Bot commented on ZOOKEEPER-2693: ------------------------------------------- Github user hanm commented on a diff in the pull request: https://github.com/apache/zookeeper/pull/179#discussion_r102275734 --- Diff: src/java/main/org/apache/zookeeper/server/NettyServerCnxn.java --- @@ -267,10 +267,17 @@ private boolean checkFourLetterWord(final Channel channel, { // We take advantage of the limited size of the length to look // for cmds. They are all 4-bytes which fits inside of an int - String cmd = FourLetterCommands.getCmdMapView().get(len); - if (cmd == null) { + if (!FourLetterCommands.isKnown(len)) { return false; } + + // ZOOKEEPER-2693: don't execute 4lw if it's not enabled. + String cmd = FourLetterCommands.getCommandString(len); + if (!FourLetterCommands.isEnabled(cmd)) { + LOG.debug("Command {} is not executed because it is not white listed.", cmd); + return true; --- End diff -- @rakeshadr hmmmm I think we did not even close server sockets today for four letter words in general, see https://github.com/apache/zookeeper/blob/master/src/java/main/org/apache/zookeeper/server/NIOServerCnxn.java#L343 and https://github.com/apache/zookeeper/blob/master/src/java/main/org/apache/zookeeper/server/NettyServerCnxn.java#L388 This is not a problem in general for the command line interface because in that case client socket will close first and then server socket will close as a result of client socket close... however if someone writes a client that opens and holds a socket then server will not close the socket even after 4lw finish execution. This probably is a by design as it allows clients to pipe 4lw commands w/o re-opening sockets but I see this is another potential point of vulnerability where a server could run out of sockets.. I think we should probably close the sockets in the two links I posted in the beginning. Let me know what you think @rakeshadr. > DOS attack on wchp/wchc four letter words (4lw) > ----------------------------------------------- > > Key: ZOOKEEPER-2693 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2693 > Project: ZooKeeper > Issue Type: Bug > Components: security, server > Affects Versions: 3.4.0, 3.5.1, 3.5.2 > Reporter: Patrick Hunt > Assignee: Michael Han > Priority: Blocker > Fix For: 3.4.10, 3.5.3 > > Attachments: ZOOKEEPER-2693-01.patch > > > The wchp/wchc four letter words can be exploited in a DOS attack on the ZK > client port - typically 2181. The following POC attack was recently published > on the web: > https://webcache.googleusercontent.com/search?q=cache:_CNGIz10PRYJ:https://www.exploit-db.com/exploits/41277/+&cd=14&hl=en&ct=clnk&gl=us > The most straightforward way to block this attack is to not allow access to > the client port to non-trusted clients - i.e. firewall the ZooKeeper service > and only allow access to trusted applications using it for coordination. -- This message was sent by Atlassian JIRA (v6.3.15#6346)