WojciechWitos created NIFI-14721:
------------------------------------
Summary: Zookeeper for cluster mode exploit still available
Key: NIFI-14721
URL: https://issues.apache.org/jira/browse/NIFI-14721
Project: Apache NiFi
Issue Type: Bug
Components: Security
Affects Versions: 2.4.0, 1.28.1
Reporter: WojciechWitos
Exploit of:
[Zookeeper 3.5.2 Client - Denial of Service - Multiple dos Exploit|https://www.exploit-db.com/exploits/42294]
is still applicable even though ZooKeeper is at the newest version.
Specification of the cluster:
* 4 CPU
* 20 GB RAM
After running the code specified on the website with a specific number of
threads (10000), CPU usage goes from 10% to 35% or even more. When the cluster
is under some load, it causes the application to crash (tested).
I tried to disable those methods via zookeeper.properties, but it didn't work out.
The issue still persists.
The behavior of the application is the same in NiFi 1.28.1 and 2.4.
Unsafe options should've been disabled by default, but in NiFi itself they
are somehow enabled and allow this exploit.
[ZooKeeper: Because Coordinating Distributed Systems is a Zoo|https://zookeeper.apache.org/doc/r3.9.3/zookeeperAdmin.html#Unsafe+Options]