Perfect, thanks Andor. We will patch it ourselves.
Best,

Li

On Thu, Mar 14, 2024 at 1:11 PM Andor Molnar <an...@apache.org> wrote:

> Hi Li,
>
> That's the right ticket.
>
> I've just updated the Jira ticket with the links to the commits.
> There's no PR since it was a security fix, but looks like we forgot to
> add it to the master branch.
>
> Damien, would you please take care of that?
>
> Btw, we don't plan to fix it in the 3.7 release line, but the patch is
> already on the branch for your convenience:
> 29c7b9462681f47c2ac12e609341cf9f52abac5c
>
> Regards,
> Andor
>
> On Thu, 2024-03-14 at 12:58 -0700, Li Wang wrote:
> > Thanks, Andor.
> >
> > Do you have the PR link for the fix in 3.9.2 and 3.8.4? There is a
> > JIRA ticket in the release notes of 3.9.2 and 3.8.4, but the status is
> > still OPEN and there is no PR link there.
> >
> > https://issues.apache.org/jira/browse/ZOOKEEPER-4799
> >
> > We are in 3.7.2 and may need to patch it ourselves.
> >
> > Best,
> >
> > Li
> >
> > On Thu, Mar 14, 2024 at 8:52 AM Andor Molnar <an...@apache.org> wrote:
> >
> > > Severity: critical
> > >
> > > Affected versions:
> > >
> > > - Apache ZooKeeper 3.9.0 through 3.9.1
> > > - Apache ZooKeeper 3.8.0 through 3.8.3
> > > - Apache ZooKeeper 3.6.0 through 3.7.2
> > >
> > > Description:
> > >
> > > Information disclosure in persistent watchers handling in Apache
> > > ZooKeeper due to missing ACL check. It allows an attacker to monitor
> > > child znodes by attaching a persistent watcher (addWatch command) to
> > > a parent which the attacker has already access to. ZooKeeper server
> > > doesn't do ACL check when the persistent watcher is triggered and as
> > > a consequence, the full path of znodes that a watch event gets
> > > triggered upon is exposed to the owner of the watcher. It's important
> > > to note that only the path is exposed by this vulnerability, not the
> > > data of znode, but since znode path can contain sensitive information
> > > like user name or login ID, this issue is potentially critical.
> > >
> > > Users are recommended to upgrade to version 3.9.2, 3.8.4 which fixes
> > > the issue.
> > >
> > > Credit:
> > >
> > > 周吉安(寒泉) <zhoujian....@alibaba-inc.com> (reporter)
> > >
> > > References:
> > >
> > > https://zookeeper.apache.org/
> > > https://www.cve.org/CVERecord?id=CVE-2024-23944
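
An added illustration, not part of the thread and not ZooKeeper's code: a simplified Python model of the missing check described in the advisory above, with the trigger-time ACL check switched off and on. The `Server` class, the identities and the znode paths are constructed, and requiring READ permission on the changed znode is an assumption about the shape of the check.

```python
# Simplified model of persistent-watch delivery; not ZooKeeper source code.
from dataclasses import dataclass, field


@dataclass
class Server:
    check_acl_on_trigger: bool                     # False models the affected behaviour
    read_acl: dict = field(default_factory=dict)   # znode path -> identities with READ
    watches: dict = field(default_factory=dict)    # watched path -> watcher identities
    delivered: list = field(default_factory=list)  # (identity, event path) pairs

    def create(self, path, readers):
        self.read_acl[path] = set(readers)
        self._trigger(path)

    def add_watch(self, identity, path):
        # Registration is allowed only on a znode the caller can already read.
        if identity not in self.read_acl.get(path, set()):
            raise PermissionError(path)
        self.watches.setdefault(path, set()).add(identity)

    def _trigger(self, path):
        # Walk from the changed znode up to the root; a watch on any ancestor fires.
        node = path
        while node:
            for identity in sorted(self.watches.get(node, ())):
                # Assumed check: the watcher needs READ on the znode that changed.
                allowed = identity in self.read_acl[path]
                if allowed or not self.check_acl_on_trigger:
                    self.delivered.append((identity, path))
            node = node.rsplit("/", 1)[0]


def paths_seen(check_acl_on_trigger):
    """Return the event paths delivered to the constructed identity 'tenant-a'."""
    srv = Server(check_acl_on_trigger)
    srv.create("/accounts", {"tenant-a", "admin"})
    srv.add_watch("tenant-a", "/accounts")
    srv.create("/accounts/public-index", {"tenant-a", "admin"})
    srv.create("/accounts/login-jdoe", {"admin"})  # tenant-a has no READ here
    return [path for who, path in srv.delivered if who == "tenant-a"]


if __name__ == "__main__":
    print("no check at trigger time:", paths_seen(False))
    print("check at trigger time:   ", paths_seen(True))
```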