[ 
https://issues.apache.org/jira/browse/OAK-11456?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Julian Reschke updated OAK-11456:
---------------------------------
    Fix Version/s: 1.22.23

> oak-solr-osgi embeds vulnerable Zookeeper 3.9.2
> -----------------------------------------------
>
>                 Key: OAK-11456
>                 URL: https://issues.apache.org/jira/browse/OAK-11456
>             Project: Jackrabbit Oak
>          Issue Type: Task
>          Components: indexing
>    Affects Versions: 1.76.0
>            Reporter: Paul Chibulcuteanu
>            Assignee: Manfred Baedke
>            Priority: Major
>              Labels: candidate_oak_1_22
>             Fix For: 1.78.0, 1.22.23
>
>
> h3. Vulnerabilities
> This artifact embeds +zookeeper:3.9.2+, which contains the following 
> vulnerabilities:
>  * *CVE-2024-51504* - When using IPAuthenticationProvider in ZooKeeper Admin 
> Server there is a possibility of Authentication Bypass by Spoofing; this 
> only impacts IP based authentication implemented in ZooKeeper Admin Server. 
> The default configuration of client IP address detection in 
> IPAuthenticationProvider, which uses HTTP request headers, is weak and allows 
> an attacker to bypass authentication by spoofing the client's IP address in 
> request headers. The default configuration honors the X-Forwarded-For HTTP 
> header to read the client's IP address. The X-Forwarded-For request header is 
> mainly used by proxy servers to identify the client and can be easily spoofed 
> by an attacker pretending that the request comes from a different IP address. 
> Admin Server commands, such as snapshot and restore, can be executed 
> arbitrarily on successful exploitation, which could potentially lead to 
> information leakage or service availability issues. Users are recommended to 
> upgrade to version 3.9.3, which fixes this issue.
> h3. Recommendation
> Apply one of the following suggestions:
>  * Remove usage and dependency
>  * Upgrade to a vulnerability free version of the embedded library. If none 
> is available, upgrade to a less vulnerable version (lower CVSS Score)
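The header-trust weakness described in the CVE text above, shown as an added illustration that is not ZooKeeper's code and not part of this issue: a weak client-IP resolver that takes whatever X-Forwarded-For says, beside a hardened one that only honours the header when the TCP peer is a configured trusted proxy and then uses the rightmost hop that proxy appended. The Request class, the allow-list, the trusted-proxy list and the sample requests are all constructed here for the demonstration; the real IPAuthenticationProvider and its configuration keys are not reproduced.

```python
"""Weak vs. hardened client-IP resolution for header-based IP authentication.

Added illustration for the CVE-2024-51504 description; not ZooKeeper code.
Request objects are constructed in-memory stand-ins for an inbound HTTP
request (TCP peer address plus headers).
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Request:
    """Constructed stand-in for an inbound HTTP request."""
    peer_ip: str                               # address the TCP connection came from
    headers: dict = field(default_factory=dict)


# Assumed configuration for the demo: which network may run admin commands,
# and which reverse proxy is allowed to set X-Forwarded-For on our behalf.
ALLOWED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]


def _get_header(req, name):
    for k, v in req.headers.items():
        if k.lower() == name.lower():
            return v
    return None


def client_ip_weak(req):
    """Weak resolution: the first X-Forwarded-For entry wins, whoever sent it."""
    xff = _get_header(req, "X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return req.peer_ip


def client_ip_hardened(req):
    """Hardened resolution: X-Forwarded-For is honoured only when the TCP peer
    is a trusted proxy, and then only the rightmost hop that is not itself a
    trusted proxy. Everything further left is client-controlled and ignored."""
    peer = ipaddress.ip_address(req.peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return req.peer_ip                      # direct connection: socket address is truth
    xff = _get_header(req, "X-Forwarded-For")
    if not xff:
        return req.peer_ip
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return req.peer_ip                  # malformed header: fall back to socket address
        if not any(addr in net for net in TRUSTED_PROXIES):
            return hop
    return req.peer_ip


def is_authorised(ip_str):
    """Allow-list check on the resolved client address."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in ALLOWED_ADMIN_NETS)


def decisions(req):
    """Return (weak_decision, hardened_decision) for one request."""
    return is_authorised(client_ip_weak(req)), is_authorised(client_ip_hardened(req))


# Constructed samples.
# Attacker on a public address connects directly and claims an internal origin.
SPOOFED = Request("203.0.113.5", {"X-Forwarded-For": "10.1.2.3"})
# Legitimate operator reaching the server through the trusted proxy.
VIA_PROXY = Request("192.0.2.10", {"X-Forwarded-For": "10.1.2.3"})
# Attacker behind the trusted proxy pre-seeds the header with a fake first hop;
# the proxy appends the attacker's real address on the right.
VIA_PROXY_SPOOFED = Request("192.0.2.10", {"X-Forwarded-For": "10.1.2.3, 203.0.113.5"})

if __name__ == "__main__":
    for name, req in [("spoofed", SPOOFED), ("via_proxy", VIA_PROXY),
                      ("via_proxy_spoofed", VIA_PROXY_SPOOFED)]:
        print(name, decisions(req))
```

The weak resolver authorises all three requests; the hardened one authorises only the request that genuinely arrived from the admin network through the trusted proxy. Whichever way the header is parsed, the safest configuration for an admin interface is to disable header-based IP detection entirely unless a trusted proxy is in front of it, and to upgrade to the fixed ZooKeeper release as the issue recommends.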



--
This message was sent by Atlassian Jira
(v8.20.10#820010)