[
https://issues.apache.org/jira/browse/NIFI-14721?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18003486#comment-18003486
]
WojciechWitos commented on NIFI-14721:
--------------------------------------
[~pvillard] I understand that it should not be applied in 3.9.3, but in the NiFi
package downloaded from the official website this issue still persists in the
NiFi 2.4 embedded ZooKeeper. Tested it myself in this case.
> Zookeeper for cluster mode exploit still available
> --------------------------------------------------
>
> Key: NIFI-14721
> URL: https://issues.apache.org/jira/browse/NIFI-14721
> Project: Apache NiFi
> Issue Type: Bug
> Components: Security
> Affects Versions: 1.28.1, 2.4.0
> Reporter: WojciechWitos
> Priority: Major
>
> Exploit of:
> [Zookeeper 3.5.2 Client - Denial of Service - Multiple dos
> Exploit|https://www.exploit-db.com/exploits/42294]
> is still applicable even though the ZooKeeper is in the newest version.
> Specification of the cluster:
> * 4 CPU
> * 20 GB Ram
> After running the code specified on the website with the specified number of
> threads (10000), CPU usage goes from 10% to 35% or even more. When the cluster
> had some load, it would cause the application to crash (tested).
> Tried to disable those methods via zookeeper.properties, but it didn't work out.
> The issue still persists.
> The behavior of the application is the same in NiFi 1.28.1 and 2.4.
> Unsafe options should've been disabled by default, but in NiFi itself
> they are enabled somehow and allow this exploit.
> [ZooKeeper: Because Coordinating Distributed Systems is a
> Zoo|https://zookeeper.apache.org/doc/r3.9.3/zookeeperAdmin.html#Unsafe+Options]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
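A way to check which four-letter-word commands a ZooKeeper client port actually answers, added here as an example; it is not code from the reporter, from NiFi or from ZooKeeper. It assumes that the vector is the four-letter-word interface governed by `4lw.commands.whitelist` (one of the options in the Unsafe Options section linked above), that a command outside the whitelist is answered with ZooKeeper's "<cmd> is not executed because it is not in the whitelist." message, and that the embedded ZooKeeper listens on clientPort 2181. The in-process stand-in server is constructed for the example and mimics only that whitelist decision, so the probe can run offline against the default whitelist ("srvr" only) and against "*"; point `probe()` at a real node to see what the shipped `zookeeper.properties` exposes.

```python
import socket
import socketserver
import threading

# Four-letter words worth probing: ruok/srvr are the benign health checks,
# wchp/wchc are the watch-dump commands that are expensive to serve.
PROBE_COMMANDS = ("ruok", "srvr", "wchp", "wchc")
EXPENSIVE_COMMANDS = ("wchp", "wchc")


def send_4lw(host, port, cmd, timeout=3.0):
    """Send one four-letter word on a fresh TCP connection and return the
    reply. ZooKeeper answers a 4lw and then closes the connection, so reading
    to EOF collects the whole response."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(cmd.encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def classify_reply(reply):
    """'blocked' if the server refused the command because it is not in
    4lw.commands.whitelist, 'served' if it answered, 'no-reply' otherwise."""
    if "not in the whitelist" in reply:
        return "blocked"
    if reply.strip():
        return "served"
    return "no-reply"


def probe(host, port, commands=PROBE_COMMANDS):
    """Probe each command and return {command: classification}."""
    results = {}
    for cmd in commands:
        try:
            results[cmd] = classify_reply(send_4lw(host, port, cmd))
        except OSError:
            results[cmd] = "no-reply"
    return results


def expensive_commands_served(results):
    """The subset of wchp/wchc the server actually executes; a non-empty list
    means the watch-dump flood described in the issue is reachable."""
    return sorted(c for c in EXPENSIVE_COMMANDS if results.get(c) == "served")


# --- Constructed stand-in for a ZooKeeper server (not ZooKeeper itself) ---
# Mimics only the whitelist decision and the rejection message text so the
# probe can be exercised offline against two whitelist settings.
class _Fake4lwHandler(socketserver.BaseRequestHandler):
    def handle(self):
        buf = b""
        while len(buf) < 4:
            chunk = self.request.recv(4 - len(buf))
            if not chunk:
                return
            buf += chunk
        cmd = buf.decode("ascii", "replace")
        whitelist = self.server.whitelist
        if "*" in whitelist or cmd in whitelist:
            reply = "imok" if cmd == "ruok" else f"{cmd}: constructed reply\n"
        else:
            reply = f"{cmd} is not executed because it is not in the whitelist.\n"
        self.request.sendall(reply.encode("ascii"))


def start_fake_zk(whitelist):
    """Start the stand-in on an ephemeral loopback port; returns (server, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _Fake4lwHandler)
    server.daemon_threads = True
    server.whitelist = set(whitelist)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    # ZooKeeper's documented default whitelist ("srvr" only) versus "*".
    for whitelist in ({"srvr"}, {"*"}):
        server, port = start_fake_zk(whitelist)
        results = probe("127.0.0.1", port)
        print(f"whitelist={sorted(whitelist)} -> {results}; "
              f"expensive commands reachable: {expensive_commands_served(results)}")
        server.shutdown()
        server.server_close()
    # Against a real NiFi node: probe("nifi-host", 2181)
    # (2181 assumed to be the embedded ZooKeeper clientPort).
```

If wchp and wchc still come back as "served" after `4lw.commands.whitelist` has been set in `zookeeper.properties`, the setting is not reaching the embedded server. ZooKeeper also honours the same value as the `zookeeper.4lw.commands.whitelist` Java system property, so passing it through a `java.arg` entry in NiFi's `bootstrap.conf` is the other place to try (an assumption about the NiFi side, to be confirmed with the probe rather than taken on trust).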