Re: CVE-2024-23944: Apache ZooKeeper: Information disclosure in persistent watcher handling

2024-03-14 Thread Li Wang
Perfect, thanks Andor.

We will patch it ourselves.

Best,

Li



On Thu, Mar 14, 2024 at 1:11 PM Andor Molnar  wrote:

> Hi Li,
>
> That's the right ticket.
>
> I've just updated the Jira ticket with the links to the commits.
> There's no PR since it was a security fix, but looks like we forgot to
> add it to the master branch.
>
> Damien, would you please take care of that?
>
> Btw, we don't plan to fix it in the 3.7 release line, but the patch is
> already on the branch for your convenience:
> 29c7b9462681f47c2ac12e609341cf9f52abac5c
>
> Regards,
> Andor
>
>
>
> On Thu, 2024-03-14 at 12:58 -0700, Li Wang wrote:
> > Thanks, Andor.
> >
> > Do you have the PR link for the fix in 3.9.2 and 3.8.4? There is a
> > JIRA ticket in the release notes of 3.9.2 and 3.8.4, but the status is
> > still OPEN and there is no PR link there.
> >
> > https://issues.apache.org/jira/browse/ZOOKEEPER-4799
> >
> > We are in 3.7.2 and may need to patch it ourselves.
> >
> > Best,
> >
> > Li
> >
> >
> >
> > On Thu, Mar 14, 2024 at 8:52 AM Andor Molnar wrote:
> >
> > > Severity: critical
> > >
> > > Affected versions:
> > >
> > > - Apache ZooKeeper 3.9.0 through 3.9.1
> > > - Apache ZooKeeper 3.8.0 through 3.8.3
> > > - Apache ZooKeeper 3.6.0 through 3.7.2
> > >
> > > Description:
> > >
> > > Information disclosure in persistent watchers handling in Apache ZooKeeper
> > > due to missing ACL check. It allows an attacker to monitor child znodes by
> > > attaching a persistent watcher (addWatch command) to a parent which the
> > > attacker has already access to. ZooKeeper server doesn't do ACL check when
> > > the persistent watcher is triggered and as a consequence, the full path of
> > > znodes that a watch event gets triggered upon is exposed to the owner of
> > > the watcher. It's important to note that only the path is exposed by this
> > > vulnerability, not the data of znode, but since znode path can contain
> > > sensitive information like user name or login ID, this issue is potentially
> > > critical.
> > >
> > > Users are recommended to upgrade to version 3.9.2, 3.8.4 which fixes the
> > > issue.
> > >
> > > Credit:
> > >
> > > 周吉安(寒泉)  (reporter)
> > >
> > > References:
> > >
> > > https://zookeeper.apache.org/
> > > https://www.cve.org/CVERecord?id=CVE-2024-23944
> > >
> > >
>
>


Re: CVE-2024-23944: Apache ZooKeeper: Information disclosure in persistent watcher handling

2024-03-14 Thread Andor Molnar
Hi Li,

That's the right ticket.

I've just updated the Jira ticket with the links to the commits.
There's no PR since it was a security fix, but looks like we forgot to
add it to the master branch.

Damien, would you please take care of that?

Btw, we don't plan to fix it in the 3.7 release line, but the patch is
already on the branch for your convenience:
29c7b9462681f47c2ac12e609341cf9f52abac5c

Regards,
Andor



On Thu, 2024-03-14 at 12:58 -0700, Li Wang wrote:
> Thanks, Andor.
> 
> Do you have the PR link for the fix in 3.9.2 and 3.8.4? There is a
> JIRA ticket in the release notes of 3.9.2 and 3.8.4, but the status is
> still OPEN and there is no PR link there.
> 
> https://issues.apache.org/jira/browse/ZOOKEEPER-4799
> 
> We are in 3.7.2 and may need to patch it ourselves.
> 
> Best,
> 
> Li
> 
> 
> 
> On Thu, Mar 14, 2024 at 8:52 AM Andor Molnar wrote:
> 
> > Severity: critical
> > 
> > Affected versions:
> > 
> > - Apache ZooKeeper 3.9.0 through 3.9.1
> > - Apache ZooKeeper 3.8.0 through 3.8.3
> > - Apache ZooKeeper 3.6.0 through 3.7.2
> > 
> > Description:
> > 
> > Information disclosure in persistent watchers handling in Apache ZooKeeper
> > due to missing ACL check. It allows an attacker to monitor child znodes by
> > attaching a persistent watcher (addWatch command) to a parent which the
> > attacker has already access to. ZooKeeper server doesn't do ACL check when
> > the persistent watcher is triggered and as a consequence, the full path of
> > znodes that a watch event gets triggered upon is exposed to the owner of
> > the watcher. It's important to note that only the path is exposed by this
> > vulnerability, not the data of znode, but since znode path can contain
> > sensitive information like user name or login ID, this issue is potentially
> > critical.
> >
> > Users are recommended to upgrade to version 3.9.2, 3.8.4 which fixes the
> > issue.
> > 
> > Credit:
> > 
> > 周吉安(寒泉)  (reporter)
> > 
> > References:
> > 
> > https://zookeeper.apache.org/
> > https://www.cve.org/CVERecord?id=CVE-2024-23944
> > 
> > 



Re: CVE-2024-23944: Apache ZooKeeper: Information disclosure in persistent watcher handling

2024-03-14 Thread Li Wang
Thanks, Andor.

Do you have the PR link for the fix in 3.9.2 and 3.8.4? There is a
JIRA ticket in the release notes of 3.9.2 and 3.8.4, but the status is
still OPEN and there is no PR link there.

https://issues.apache.org/jira/browse/ZOOKEEPER-4799

We are in 3.7.2 and may need to patch it ourselves.

Best,

Li



On Thu, Mar 14, 2024 at 8:52 AM Andor Molnar  wrote:

> Severity: critical
>
> Affected versions:
>
> - Apache ZooKeeper 3.9.0 through 3.9.1
> - Apache ZooKeeper 3.8.0 through 3.8.3
> - Apache ZooKeeper 3.6.0 through 3.7.2
>
> Description:
>
> Information disclosure in persistent watchers handling in Apache ZooKeeper
> due to missing ACL check. It allows an attacker to monitor child znodes by
> attaching a persistent watcher (addWatch command) to a parent which the
> attacker has already access to. ZooKeeper server doesn't do ACL check when
> the persistent watcher is triggered and as a consequence, the full path of
> znodes that a watch event gets triggered upon is exposed to the owner of
> the watcher. It's important to note that only the path is exposed by this
> vulnerability, not the data of znode, but since znode path can contain
> sensitive information like user name or login ID, this issue is potentially
> critical.
>
> Users are recommended to upgrade to version 3.9.2, 3.8.4 which fixes the
> issue.
>
> Credit:
>
> 周吉安(寒泉)  (reporter)
>
> References:
>
> https://zookeeper.apache.org/
> https://www.cve.org/CVERecord?id=CVE-2024-23944
>
>


CVE-2024-23944: Apache ZooKeeper: Information disclosure in persistent watcher handling

2024-03-14 Thread Andor Molnar
Severity: critical

Affected versions:

- Apache ZooKeeper 3.9.0 through 3.9.1
- Apache ZooKeeper 3.8.0 through 3.8.3
- Apache ZooKeeper 3.6.0 through 3.7.2

Description:

Information disclosure in persistent watchers handling in Apache ZooKeeper due 
to missing ACL check. It allows an attacker to monitor child znodes by 
attaching a persistent watcher (addWatch command) to a parent which the 
attacker has already access to. ZooKeeper server doesn't do ACL check when the 
persistent watcher is triggered and as a consequence, the full path of znodes 
that a watch event gets triggered upon is exposed to the owner of the watcher. 
It's important to note that only the path is exposed by this vulnerability, not 
the data of znode, but since znode path can contain sensitive information like 
user name or login ID, this issue is potentially critical.

Users are recommended to upgrade to version 3.9.2, 3.8.4 which fixes the issue.

Credit:

周吉安(寒泉)  (reporter)

References:

https://zookeeper.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-23944
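
The missing check described in the advisory above, as an added example that is not part of the original message and is not ZooKeeper's code: a simplified Python model of a server that delivers persistent-watch events with and without an ACL check at trigger time. The `Server` class, the principals `tenant-a`/`tenant-b`, the znode paths, and the choice of READ permission as the gate are all assumptions made for illustration.

```python
# Simplified model (constructed for illustration; not ZooKeeper source code).
from dataclasses import dataclass, field

@dataclass
class Server:
    check_acl_on_trigger: bool
    read_acl: dict = field(default_factory=dict)   # znode path -> principals with READ
    watchers: list = field(default_factory=list)   # (principal, watched root path)

    def _can_read(self, principal, path):
        return principal in self.read_acl.get(path, set())

    def add_watch(self, principal, path):
        # Model assumption: registration requires READ on the watched parent.
        if not self._can_read(principal, path):
            raise PermissionError(f"{principal} may not read {path}")
        self.watchers.append((principal, path))

    def create(self, path, readers):
        """Create a znode; return the (principal, path) events delivered."""
        self.read_acl[path] = set(readers)
        delivered = []
        for principal, root in self.watchers:
            under_root = path == root or path.startswith(root.rstrip("/") + "/")
            if not under_root:
                continue
            if self.check_acl_on_trigger and not self._can_read(principal, path):
                continue  # hardened: never reveal a path the watcher cannot read
            delivered.append((principal, path))
        return delivered

def run(check_acl_on_trigger):
    """Replay the same constructed scenario against either server behaviour."""
    srv = Server(check_acl_on_trigger)
    srv.read_acl["/app"] = {"tenant-a", "tenant-b"}   # shared parent znode
    srv.add_watch("tenant-b", "/app")                  # permitted: tenant-b reads /app
    events = srv.create("/app/users", {"tenant-a", "tenant-b"})
    # Private child whose path itself carries an identifier.
    events += srv.create("/app/users/alice-login-id", {"tenant-a"})
    return events

if __name__ == "__main__":
    print("no ACL check on trigger:  ", run(False))
    print("with ACL check on trigger:", run(True))
```

Only the path of the private child differs between the two runs, which matches the advisory's point that the exposure is the znode path rather than its data.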



[jira] [Created] (ZOOKEEPER-4816) A follower can not join the cluster for 20s seconds

2024-03-14 Thread gendong1 (Jira)
gendong1 created ZOOKEEPER-4816:
---

         Summary: A follower can not join the cluster for 20s seconds
             Key: ZOOKEEPER-4816
             URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4816
         Project: ZooKeeper
      Issue Type: Bug
Affects Versions: 3.10.0
        Reporter: gendong1
     Attachments: node1.log, node2.log, node3.log

We encounter a strange scenario. When we set up a ZooKeeper cluster (3 
nodes in total), the third node is stuck in serializing the snapshot to the 
local disk. However, the leader election is executed normally. After the 
election, the third node is elected as the leader. The other two nodes fail to 
connect with the leader. Hence, the first and second nodes restart the leader 
election, and finally the second node is elected as the leader. At this time, the 
third node still acts as the leader. There are two leaders in the cluster. The 
first node can not join the cluster for 20s. During this procedure, the client 
can not connect with any nodes of the cluster.

Runtime logs are attached.


