[ https://issues.apache.org/jira/browse/ZOOKEEPER-2693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15876870#comment-15876870 ]
Michael Han commented on ZOOKEEPER-2693:
----------------------------------------

bq. IIUC, these are two problems -> case-1) restrict 4lw cmd execution as few cmds taking too much time for execution. case-2) protection against overuse because it creates many connections.

Yes, this is a good summary. Two problems: one is to fix the obvious exploits related to the watcher 4lw, and the other is to prevent abuse of 4lw in general. This JIRA's scope is targeting the first one, which fixes the immediate issue and unblocks two important ongoing releases. We can easily get out of scope if we want to completely fix the security of the 4lw, which was not designed with security in mind, while balancing compatibility and minimizing disruption to existing users, so I'd recommend we stick to the current scope (unless, as I mentioned earlier, folks feel strongly against the whitelist approach).

bq. could you create a PR for branch-3.4

I will once I get this landed in 3.5. The PR to 3.4 will not be much different, but I'd like to finalize this PR first to avoid potential duplicated effort. Meanwhile, I'll create a set of follow-up JIRAs to address concerns about abusing 4lw in general:

* A new config option to turn 4lw on / off without a middle ground (sure, we can use an empty whitelist for this purpose, but a separate option is better IMO from the point of view of deprecating a feature).
* 4lw rate limiting, including a configuration for concurrent command runs.
* Fix clients / scripts to avoid using 4lw; it is unfortunate that ZK itself depends on 4lw.
> DOS attack on wchp/wchc four letter words (4lw)
> -----------------------------------------------
>
> Key: ZOOKEEPER-2693
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2693
> Project: ZooKeeper
> Issue Type: Bug
> Components: security, server
> Affects Versions: 3.4.0, 3.5.1, 3.5.2
> Reporter: Patrick Hunt
> Assignee: Michael Han
> Priority: Blocker
> Fix For: 3.4.10, 3.5.3
>
> Attachments: ZOOKEEPER-2693-01.patch
>
>
> The wchp/wchc four letter words can be exploited in a DOS attack on the ZK client port - typically 2181. The following POC attack was recently published on the web:
> https://webcache.googleusercontent.com/search?q=cache:_CNGIz10PRYJ:https://www.exploit-db.com/exploits/41277/+&cd=14&hl=en&ct=clnk&gl=us
> The most straightforward way to block this attack is to not allow access to the client port to non-trusted clients - i.e. firewall the ZooKeeper service and only allow access to trusted applications using it for coordination.

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
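A probe for the exposure this ticket describes, added here as an example; it is not code from the ZooKeeper project or from the JIRA participants. It sends a four letter word to the client port the way `echo wchp | nc host 2181` does, classifies the reply, and lists which of the expensive commands (wchp, wchc, dump) a remote client can still trigger. Run against canned replies it contrasts an unpatched server with one whose `4lw.commands.whitelist` (the zoo.cfg property the 3.4.10 / 3.5.3 fix introduced for the whitelist approach discussed above) leaves those commands out. Assumptions: the rejection text "<cmd> is not executed because it is not in the whitelist." is the reply a whitelisting server sends, every sample reply below is constructed rather than captured, and the host and port in the demo are placeholders.

```python
"""Probe a ZooKeeper client port for four letter words (4lw) and report
which of the expensive ones (wchp/wchc/dump) a remote client can still run.

Assumption (not from the JIRA): a 3.4.10 / 3.5.3 server answers a command
that is missing from 4lw.commands.whitelist with
"<cmd> is not executed because it is not in the whitelist."
"""
import socket

# Commands that walk server-wide watch or session state; each call costs
# CPU and output size proportional to the number of watches/sessions.
EXPENSIVE_4LW = ("wchp", "wchc", "dump")
# Cheap, read-only commands that health checks commonly depend on.
CHEAP_4LW = ("ruok", "srvr", "stat", "conf", "isro", "mntr")

REJECT_MARKER = "is not executed because it is not in the whitelist"  # assumption


def classify_4lw_response(cmd, raw):
    """Map the raw reply bytes for `cmd` to 'executed', 'rejected' or 'no-reply'."""
    text = raw.decode("utf-8", "replace").strip()
    if not text:
        # Socket closed with no answer: 4lw switched off, or the port is filtered.
        return "no-reply"
    if REJECT_MARKER in text:
        return "rejected"
    return "executed"


def send_4lw(host, port, cmd, timeout=3.0):
    """Send one 4lw command and return the raw reply (b'' if none arrived)."""
    if len(cmd) != 4 or not cmd.isascii():
        raise ValueError("4lw commands are exactly four ASCII bytes")
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(cmd.encode("ascii"))
        try:
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass  # server kept the socket open but sent nothing more
    return b"".join(chunks)


def audit_4lw(fetch, commands=EXPENSIVE_4LW + CHEAP_4LW):
    """Classify the reply of every command; `fetch(cmd) -> bytes` is injected
    so the same logic runs against a live server or against canned replies."""
    return {cmd: classify_4lw_response(cmd, fetch(cmd)) for cmd in commands}


def exposed_expensive(results):
    """Expensive commands still executed for a remote client: the DoS surface."""
    return [c for c in EXPENSIVE_4LW if results.get(c) == "executed"]


# --- Constructed sample replies (not captured from a real server) -----------
CHEAP_REPLIES = {c: b"Zookeeper version: 3.4.9\nMode: standalone\n" for c in CHEAP_4LW}
CHEAP_REPLIES["ruok"] = b"imok"

# Unpatched server: wchp/wchc/dump answer with full watch and session listings.
UNPATCHED_REPLIES = dict(CHEAP_REPLIES)
UNPATCHED_REPLIES.update({
    "wchp": b"/app/config\n\t0x15e7c3a2b9d0001\n",
    "wchc": b"0x15e7c3a2b9d0001\n\t/app/config\n",
    "dump": b"SessionTracker dump:\nSession Sets (1):\n1 expire at Tue Feb 21 10:00:00 UTC 2017:\n",
})


def reject_reply(cmd):
    return (cmd + " is not executed because it is not in the whitelist.\n").encode("ascii")


# Patched server with 4lw.commands.whitelist=ruok,srvr,stat,conf,isro,mntr
WHITELISTED_REPLIES = dict(CHEAP_REPLIES)
WHITELISTED_REPLIES.update({c: reject_reply(c) for c in EXPENSIVE_4LW})


def demo():
    """Return (exposed before whitelist, exposed after whitelist) on canned data."""
    before = audit_4lw(lambda c: UNPATCHED_REPLIES.get(c, b""))
    after = audit_4lw(lambda c: WHITELISTED_REPLIES.get(c, b""))
    return exposed_expensive(before), exposed_expensive(after)


if __name__ == "__main__":
    print("canned unpatched vs whitelisted:", demo())
    # Against a real server (placeholder host/port), e.g.:
    # live = audit_4lw(lambda c: send_4lw("zk.example.internal", 2181, c))
    # print("still exposed:", exposed_expensive(live))
```

Anything other than an empty list from `exposed_expensive` on a port reachable from untrusted networks means the watcher commands are still callable and the firewall or whitelist mitigation above has not been applied; a result of all 'no-reply' usually means the port is filtered or 4lw is disabled outright.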