[
https://issues.apache.org/jira/browse/NIFI-14721?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Pierre Villard updated NIFI-14721:
----------------------------------
Priority: Major (was: Critical)
> Zookeeper for cluster mode exploit still available
> --------------------------------------------------
>
> Key: NIFI-14721
> URL: https://issues.apache.org/jira/browse/NIFI-14721
> Project: Apache NiFi
> Issue Type: Bug
> Components: Security
> Affects Versions: 1.28.1, 2.4.0
> Reporter: WojciechWitos
> Priority: Major
>
> Exploit of:
> [Zookeeper 3.5.2 Client - Denial of Service - Multiple dos Exploit|https://www.exploit-db.com/exploits/42294]
> is still applicable even though the zookeeper is in the newest version.
> Specification of the cluster:
> * 4 CPU
> * 20 GB Ram
> After running the code specified on the website with the specific number of
> threads: 10000, CPU usage goes from 10% to 35% or even more. When the cluster
> would have some load, it would cause the application to crash (tested).
> Tried to disable those methods via zookeeper.properties but it didn't work out.
> The issue still persists.
> Behavior of the application is the same in NiFi 1.28.1 and 2.4.
> Unsafe options should've been disabled by default, but in the NiFi itself
> they are enabled somehow and allow this exploit.
> [ZooKeeper: Because Coordinating Distributed Systems is a Zoo|https://zookeeper.apache.org/doc/r3.9.3/zookeeperAdmin.html#Unsafe+Options]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)