[ https://issues.apache.org/jira/browse/OAK-11947?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Julian Reschke updated OAK-11947:
---------------------------------
Summary: oak-solr-osgi embeds vulnerable Zookeeper 3.9.2 (branch 1.22)
(was: oak-solr-osgi embeds vulnerable Zookeeper 3.9.2(branch 1.22))
> oak-solr-osgi embeds vulnerable Zookeeper 3.9.2 (branch 1.22)
> -------------------------------------------------------------
>
> Key: OAK-11947
> URL: https://issues.apache.org/jira/browse/OAK-11947
> Project: Jackrabbit Oak
> Issue Type: Task
> Components: indexing
> Affects Versions: 1.22.22
> Reporter: Julian Reschke
> Priority: Major
>
> This artifact embeds +zookeeper:3.9.2+ which contains the following
> vulnerabilities:
> * *CVE-2024-51504* - When using IPAuthenticationProvider in ZooKeeper Admin
> Server there is a possibility of Authentication Bypass by Spoofing - this
> only impacts IP based authentication implemented in ZooKeeper Admin Server.
> Default configuration of client's IP address detection in
> IPAuthenticationProvider, which uses HTTP request headers, is weak and allows
> an attacker to bypass authentication via spoofing client's IP address in
> request headers. Default configuration honors X-Forwarded-For HTTP header to
> read client's IP address. X-Forwarded-For request header is mainly used by
> proxy servers to identify the client and can be easily spoofed by an attacker
> pretending that the request comes from a different IP address. Admin Server
> commands, such as snapshot and restore, can be executed arbitrarily on
> successful exploitation, which could potentially lead to information leakage
> or service availability issues. Users are recommended to upgrade to version
> 3.9.3, which fixes this issue.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
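The CVE text quoted above boils down to one design flaw: the Admin Server's IP authentication derived the client address from HTTP request headers (X-Forwarded-For by default), which any client can set. The following Python is an added illustration, not ZooKeeper's code and not part of the Jira issue: it places the weak header-trusting resolver next to a hardened one that honours X-Forwarded-For only when the TCP peer is a known reverse proxy, and then takes the right-most hop that is not itself a proxy. The admin allowlist (10.0.0.0/24), the trusted proxy subnet (10.0.1.0/24) and the three request cases are constructed for the demo; the real remediation named in the issue remains upgrading the embedded ZooKeeper to 3.9.3.

```python
# Added example, not ZooKeeper's code: shows why honouring X-Forwarded-For for
# IP-based authentication (the weakness described in CVE-2024-51504) can be
# bypassed, and a hardened resolution that trusts the header only behind a
# known proxy.
import ipaddress
from typing import Mapping, Sequence, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed topology for the demo (assumptions, not from the issue):
# admin commands are allowed from 10.0.0.0/24, and 10.0.1.0/24 is the only
# reverse-proxy subnet whose X-Forwarded-For values may be believed.
ADMIN_ALLOWLIST: Sequence[Network] = [ipaddress.ip_network("10.0.0.0/24")]
TRUSTED_PROXIES: Sequence[Network] = [ipaddress.ip_network("10.0.1.0/24")]


def _header(headers: Mapping[str, str], name: str) -> str:
    """Case-insensitive header lookup (HTTP field names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def _in_any(addr: str, networks: Sequence[Network]) -> bool:
    """True if addr (an IP literal) falls inside any of the given networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def naive_client_ip(peer_ip: str, headers: Mapping[str, str]) -> str:
    """Weak pattern: believe the left-most X-Forwarded-For entry whenever present.
    Any client can set that header, so the result is attacker-controlled."""
    xff = _header(headers, "X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return peer_ip


def hardened_client_ip(peer_ip: str, headers: Mapping[str, str],
                       trusted_proxies: Sequence[Network]) -> str:
    """Trust X-Forwarded-For only when the TCP peer is a trusted proxy, then walk
    the list from the right past trusted hops; the first untrusted hop is the
    client. Anything malformed falls back to the socket peer address."""
    if not _in_any(peer_ip, trusted_proxies):
        return peer_ip  # direct connection: the header is untrusted noise
    xff = _header(headers, "X-Forwarded-For")
    if not xff:
        return peer_ip
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not _in_any(hop, trusted_proxies):
                return hop
        except ValueError:
            return peer_ip  # not an IP literal: refuse to honour the header
    return peer_ip  # every hop was a proxy; nothing identifies a client


def is_admin_allowed(client_ip: str,
                     allowlist: Sequence[Network] = ADMIN_ALLOWLIST) -> bool:
    """The IP-based authorization decision for an admin command."""
    return _in_any(client_ip, allowlist)


def evaluate_cases() -> dict:
    """Three constructed requests; returns the decision each resolver reaches."""
    cases = {
        # Internet host connects directly and forges an allow-listed address.
        "direct_spoof": ("203.0.113.7", {"X-Forwarded-For": "10.0.0.5"}),
        # Legitimate admin host behind the trusted proxy (lower-case header name).
        "via_proxy_legit": ("10.0.1.2", {"x-forwarded-for": "10.0.0.5"}),
        # Internet host sends a forged header; the trusted proxy appends the
        # real source, so the header reads "<forged>, <real>".
        "via_proxy_spoof": ("10.0.1.2", {"X-Forwarded-For": "10.0.0.5, 198.51.100.9"}),
    }
    results = {}
    for name, (peer, headers) in cases.items():
        results[name] = {
            "naive": is_admin_allowed(naive_client_ip(peer, headers)),
            "hardened": is_admin_allowed(
                hardened_client_ip(peer, headers, TRUSTED_PROXIES)),
        }
    return results


if __name__ == "__main__":
    for name, decision in evaluate_cases().items():
        print(f"{name:16s} naive={decision['naive']!s:5s} "
              f"hardened={decision['hardened']}")
```

The naive resolver admits all three requests, including the two forged ones; the hardened resolver admits only the genuine admin host behind the proxy. The hardened form still depends on two operational facts: the proxy must always append the address it actually saw, and no untrusted network path may reach the admin listener directly, since a direct connection makes the header meaningless. That is why header-derived identity is a poor basis for authentication on its own, and why the issue's recommendation is to pick up the fixed ZooKeeper release rather than tune the header handling.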