[ https://issues.apache.org/jira/browse/ZOOKEEPER-4977?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18020397#comment-18020397 ]
Christopher Tubbs commented on ZOOKEEPER-4977:
----------------------------------------------

How exactly is this a problem? The embedded pom.xml file is just a copy of the pom.xml file that maven used to build the jar. It is for reference only. It's not a runtime configuration file in any way and does not represent any runtime security configuration. That value is a test value used only during the maven build for testing using ZooKeeper's unit and integration tests. It should have no impact on any user deployments. This does not appear to be a problem to fix.

> superDigest configuration found in embedded pom.xml within zookeeper-3.9.3.jar
> ------------------------------------------------------------------------------
>
>                 Key: ZOOKEEPER-4977
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4977
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 3.9.3
>            Reporter: zhangpeng
>            Priority: Critical
>              Labels: security
>         Attachments: 5F7DE753-B347-43A9-9B84-401BA743C4C1.png
>
>
> {{superDigest}} configuration found in embedded {{pom.xml}} within zookeeper-3.9.3.jar
>
> <zookeeper.DigestAuthenticationProvider.superDigest>super:D/InIHSb7yEEbrWz8b9l71RjZJU=</zookeeper.DigestAuthenticationProvider.superDigest>
>
> *Environment:*
>  * ZooKeeper Version: 3.9.3 (the official binary distribution from Maven Central)
>  * JDK Version: N/A (discovered during static analysis of the JAR file)
>  * OS: N/A
>
> *Problem Description:*
> During a routine security audit of our application dependencies, we discovered that the {{zookeeper-3.9.3.jar}} file contains its own {{pom.xml}} file at the path {{META-INF/maven/org.apache.zookeeper/zookeeper/pom.xml}}. This embedded {{pom.xml}} file includes a property configuration for {{zookeeper.DigestAuthenticationProvider.superDigest}} with a pre-defined hash value.
>
> *Steps to Reproduce:*
>  # Download the official {{org.apache.zookeeper:zookeeper:3.9.3}} JAR from Maven Central.
>  # Extract the JAR file or use a tool ({{jar -tf}}, {{unzip -l}}, IDE) to list its contents.
>  # Locate the file {{META-INF/maven/org.apache.zookeeper/zookeeper/pom.xml}} inside the JAR.
>  # Inspect the content of this {{pom.xml}} file. On line 283 (or nearby), you will find:
> {{<zookeeper.DigestAuthenticationProvider.superDigest>super:D/InIHSb7yEEbrWz8b9l71RjZJU=</zookeeper.DigestAuthenticationProvider.superDigest>}}
>
> *Expected Behavior:*
> The published binary JAR artifacts should not contain any residual or testing configuration files that include sensitive properties, especially those related to security authentication like the superuser digest. The build/packaging process should strip such elements from the final release artifact.
>
> *Actual Behavior:*
> The released {{zookeeper-3.9.3.jar}} contains an embedded {{pom.xml}} which includes a configured {{superDigest}} property. While this is a hash and not a plaintext password, its presence in a widely distributed binary is a potential security risk.
>
> *Potential Risk:*
>  # *Information Disclosure:* This exposes a known credential hash, which violates the principle of least surprise and could be used in conjunction with other vulnerabilities (e.g., CVE-2014-085 - information disclosure in logs).
>  # *Increased Attack Surface:* If an attacker gains access to the JAR file (e.g., through a deployment leak), they can extract this hash. Although SHA-1 hashing is used, it could potentially be targeted for brute-force attacks if the original password was weak, potentially granting superuser access to a ZooKeeper ensemble.
>  # *Bad Practice:* The presence of this configuration, even if not activated by default, sets a poor security precedent for users who might find it and mistakenly use it without generating a new secure digest.
>
> !image-2025-09-15-16-00-33-152.png!

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
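As an added example, not part of this Jira thread or of the ZooKeeper project, the script below shows what the reporter's audit actually involves and what the digest in question is: it scans a jar's Maven metadata entries (`META-INF/maven/<groupId>/<artifactId>/pom.xml`, which is where maven-jar-plugin writes the build-time pom) for any `superDigest` property, and it reimplements ZooKeeper's `DigestAuthenticationProvider.generateDigest` scheme (`user:` followed by base64 of SHA-1 over `user:password`) so a found digest can be tested against a password list. The jar is constructed in memory from the property value quoted in the issue rather than downloaded; the wordlist is made up. The `superDigest` ZooKeeper enforces at runtime is read from the JVM system property of the same name, not from any file inside the jar, so a hit from this scanner means only that the value is visible, as the comment above says.

```python
import base64
import hashlib
import io
import re
import zipfile
from typing import List, Optional, Tuple

# Property name and value exactly as quoted in the issue description.
POM_PROPERTY = "zookeeper.DigestAuthenticationProvider.superDigest"
POM_VALUE = "super:D/InIHSb7yEEbrWz8b9l71RjZJU="

# Constructed stand-in for the embedded pom.xml; only the property matters here.
SAMPLE_POM = f"""<project>
  <properties>
    <{POM_PROPERTY}>{POM_VALUE}</{POM_PROPERTY}>
  </properties>
</project>
"""


def build_sample_jar() -> bytes:
    """Build an in-memory jar containing only a manifest and a Maven pom.xml entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("META-INF/maven/org.apache.zookeeper/zookeeper/pom.xml", SAMPLE_POM)
    return buf.getvalue()


# Matches <anything.superDigest>value</anything.superDigest>; value may contain / and =.
_PROP_RE = re.compile(r"<([\w.]*superDigest)>\s*([^<\s]+)\s*</\1>")


def find_embedded_superdigest(jar_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (entry name, digest value) for every *superDigest property found in
    Maven pom.xml entries of the jar. Other entries are ignored."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.xml"):
                text = jar.read(name).decode("utf-8", errors="replace")
                for _, value in _PROP_RE.findall(text):
                    hits.append((name, value))
    return hits


def generate_digest(id_password: str) -> str:
    """Same construction as ZooKeeper's DigestAuthenticationProvider.generateDigest
    with the default SHA-1 algorithm: 'user:' + base64(SHA-1('user:password'))."""
    user = id_password.split(":", 1)[0]
    raw = hashlib.sha1(id_password.encode("utf-8")).digest()
    return user + ":" + base64.b64encode(raw).decode("ascii")


def crack_digest(digest: str, candidates) -> Optional[str]:
    """Offline guess of the password behind a digest: return the first candidate
    whose digest matches, or None. This is the brute-force the report worries about."""
    user = digest.split(":", 1)[0]
    for pw in candidates:
        if generate_digest(f"{user}:{pw}") == digest:
            return pw
    return None


if __name__ == "__main__":
    jar = build_sample_jar()
    # Constructed wordlist (assumption); a hit means the value rests on a weak password.
    wordlist = ["changeme", "password", "test", "zookeeper"]
    for entry, value in find_embedded_superdigest(jar):
        print(f"{entry}: {value}")
        print("weak-password match:", crack_digest(value, wordlist))
```

To run the scanner on a real artifact, replace `build_sample_jar()` with the bytes of the downloaded `zookeeper-3.9.3.jar`. The only way the scanned value could affect a deployment is if an operator copied it into `-Dzookeeper.DigestAuthenticationProvider.superDigest=...` on the server command line; generating a fresh digest with `generate_digest("super:<strong password>")` (or the equivalent `DigestAuthenticationProvider.generateDigest`) is the correct way to provision that property.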