[ https://issues.apache.org/jira/browse/OAK-11456?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17925151#comment-17925151 ]

Julian Reschke edited comment on OAK-11456 at 9/24/25 1:38 PM:
---------------------------------------------------------------

trunk: (1.78.0) [4ce8c32151|https://github.com/apache/jackrabbit-oak/commit/4ce8c32151b773b79ee5adceb81a9306bcd59bd1] (1.76.0) [67a5f78c88|https://github.com/apache/jackrabbit-oak/commit/67a5f78c886fe2ecff3c78ae6bf7657c743ad4fe] [1d9507d4aa|https://github.com/apache/jackrabbit-oak/commit/1d9507d4aa10c9a5f21bea8997ca87055a352ac9]
1.22: [fba3ce1c6b|https://github.com/apache/jackrabbit-oak/commit/fba3ce1c6bf03745ec2bdbfd7abfbd7e0441f1f6]



was (Author: reschke):
trunk: (1.78.0) [4ce8c32151|https://github.com/apache/jackrabbit-oak/commit/4ce8c32151b773b79ee5adceb81a9306bcd59bd1] (1.76.0) [67a5f78c88|https://github.com/apache/jackrabbit-oak/commit/67a5f78c886fe2ecff3c78ae6bf7657c743ad4fe] [1d9507d4aa|https://github.com/apache/jackrabbit-oak/commit/1d9507d4aa10c9a5f21bea8997ca87055a352ac9]

> oak-solr-osgi embeds vulnerable Zookeeper 3.9.2
> -----------------------------------------------
>
>                 Key: OAK-11456
>                 URL: https://issues.apache.org/jira/browse/OAK-11456
>             Project: Jackrabbit Oak
>          Issue Type: Task
>          Components: indexing
>    Affects Versions: 1.76.0
>            Reporter: Paul Chibulcuteanu
>            Assignee: Manfred Baedke
>            Priority: Major
>             Fix For: 1.78.0, 1.22.23
>
>
> h3. Vulnerabilities
> This artifact embeds +zookeeper:3.9.2+ which contains the following 
> vulnerabilities:
>  * *CVE-2024-51504* - When using IPAuthenticationProvider in ZooKeeper Admin 
> Server there is a possibility of Authentication Bypass by Spoofing – this 
> only impacts IP based authentication implemented in ZooKeeper Admin Server. 
> Default configuration of client's IP address detection in 
> IPAuthenticationProvider, which uses HTTP request headers, is weak and allows 
> an attacker to bypass authentication via spoofing client's IP address in 
> request headers. Default configuration honors X-Forwarded-For HTTP header to 
> read client's IP address. X-Forwarded-For request header is mainly used by 
> proxy servers to identify the client and can be easily spoofed by an attacker 
> pretending that the request comes from a different IP address. Admin Server 
> commands, such as snapshot and restore, can be executed arbitrarily on 
> successful exploitation, which could potentially lead to information leakage 
> or service availability issues. Users are recommended to upgrade to version 
> 3.9.3, which fixes this issue.
> h3. Recommendation
> Apply one of the following suggestions:
>  * Remove usage and dependency
>  * Upgrade to a vulnerability free version of the embedded library. If none 
> is available, upgrade to a less vulnerable version (lower CVSS Score)
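The X-Forwarded-For weakness the description above refers to, as an added Python example that is not ZooKeeper's or Oak's code: a client-IP lookup that trusts the header unconditionally, beside a hardened one that treats the socket peer as authoritative and honors the header only when that peer is a trusted proxy. The allow-lists, addresses and function names are constructed for the illustration.

```python
import ipaddress
from typing import Mapping, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed stand-ins for an IP-based ACL: only TRUSTED_CLIENTS may issue
# admin commands, and only TRUSTED_PROXIES are allowed to set X-Forwarded-For.
TRUSTED_CLIENTS = {ipaddress.ip_address("10.0.0.5")}
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.2")}


def client_ip_weak(remote_addr: str, headers: Mapping[str, str]) -> IPAddr:
    """Weak pattern (the default the CVE describes): if X-Forwarded-For is
    present, its first entry is taken as the client address, whoever the
    TCP peer actually is. Any client can therefore choose its own identity."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return ipaddress.ip_address(xff.split(",")[0].strip())
    return ipaddress.ip_address(remote_addr)


def client_ip_hardened(remote_addr: str, headers: Mapping[str, str]) -> IPAddr:
    """Hardened pattern: the socket peer address is authoritative.
    X-Forwarded-For is honored only when the peer is a trusted proxy, and
    then only its rightmost entry (the hop that proxy itself observed);
    a malformed header falls back to the peer instead of widening access."""
    peer = ipaddress.ip_address(remote_addr)
    xff = headers.get("X-Forwarded-For")
    if peer in TRUSTED_PROXIES and xff:
        try:
            return ipaddress.ip_address(xff.split(",")[-1].strip())
        except ValueError:
            return peer
    return peer


def is_authorized(client_ip: IPAddr) -> bool:
    """IP allow-list check, standing in for the IP-based authentication role."""
    return client_ip in TRUSTED_CLIENTS


if __name__ == "__main__":
    # Constructed request: untrusted peer 192.0.2.10 claims to be 10.0.0.5.
    spoofed = ("192.0.2.10", {"X-Forwarded-For": "10.0.0.5"})
    print("weak:    ", is_authorized(client_ip_weak(*spoofed)))      # True (bypass)
    print("hardened:", is_authorized(client_ip_hardened(*spoofed)))  # False
```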



--
This message was sent by Atlassian Jira
(v8.20.10#820010)