Re: CVE-2024-23944: Apache ZooKeeper: Information disclosure in persistent watcher handling
Hi Andor, Li,

> […] add it to the master branch.
>
> Damien, would you please take care of that?

Yes, I will do so.

>> We are in 3.7.2 and may need to patch it ourselves.
>>
> Btw, we don't plan to fix it in the 3.7 release line, but the patch is
> already on the branch for your convenience:
> 29c7b9462681f47c2ac12e609341cf9f52abac5c

Indeed. There was even a release candidate for 3.7.3, which is to be abandoned. (But see the attached email in case it helps.)

Cheers,
-D

Andor Molnar writes:

> Hi Li,
>
> That's the right ticket.
>
> I've just updated the Jira ticket with the links to the commits.
> There's no PR since it was a security fix, but looks like we forgot to
> add it to the master branch.
>
> Damien, would you please take care of that?
>
> Btw, we don't plan to fix it in the 3.7 release line, but the patch is
> already on the branch for your convenience:
> 29c7b9462681f47c2ac12e609341cf9f52abac5c
>
> Regards,
> Andor
>
> On Thu, 2024-03-14 at 12:58 -0700, Li Wang wrote:
>> Thanks, Andor.
>>
>> Do you have the PR link for the fix in 3.9.2 and 3.8.4? There is a
>> JIRA ticket in the release notes of 3.9.2 and 3.8.4, but the status is
>> still OPEN and there is no PR link there.
>>
>> https://issues.apache.org/jira/browse/ZOOKEEPER-4799
>>
>> We are in 3.7.2 and may need to patch it ourselves.
>>
>> Best,
>>
>> Li
>>
>> On Thu, Mar 14, 2024 at 8:52 AM Andor Molnar wrote:
>>
>>> Severity: critical
>>>
>>> Affected versions:
>>>
>>> - Apache ZooKeeper 3.9.0 through 3.9.1
>>> - Apache ZooKeeper 3.8.0 through 3.8.3
>>> - Apache ZooKeeper 3.6.0 through 3.7.2
>>>
>>> Description:
>>>
>>> Information disclosure in persistent watcher handling in Apache ZooKeeper
>>> due to a missing ACL check. It allows an attacker to monitor child znodes by
>>> attaching a persistent watcher (addWatch command) to a parent to which the
>>> attacker already has access. The ZooKeeper server doesn't do an ACL check when
>>> the persistent watcher is triggered and, as a consequence, the full path of
>>> znodes that a watch event gets triggered upon is exposed to the owner of
>>> the watcher. It's important to note that only the path is exposed by this
>>> vulnerability, not the data of the znode, but since a znode path can contain
>>> sensitive information like a user name or login ID, this issue is potentially
>>> critical.
>>>
>>> Users are recommended to upgrade to version 3.9.2 or 3.8.4, which fixes the
>>> issue.
>>>
>>> Credit:
>>>
>>> 周吉安(寒泉) (reporter)
>>>
>>> References:
>>>
>>> https://zookeeper.apache.org/
>>> https://www.cve.org/CVERecord?id=CVE-2024-23944

--- Begin Message ---

Greetings, all!

This is a release candidate for 3.7.3.

This is a bugfix release for the (EOL) 3.7 release line. It includes a last batch of important dependency upgrades to address CVEs.

Note that we don't expect to provide further updates: users should upgrade to 3.8.

The full release notes are available at:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801=12353692

*** Please download, test and vote by February 16th 2024, 23:59 UTC+0. ***

Source files:
https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.7.3-candidate-0/

Maven staging repo:
https://repository.apache.org/content/groups/staging/org/apache/zookeeper/zookeeper/3.7.3/

The release candidate tag in git to be voted upon: release-3.7.3-0
https://github.com/apache/zookeeper/releases/tag/release-3.7.3-0

ZooKeeper's KEYS file containing PGP keys we use to sign the release:
https://www.apache.org/dist/zookeeper/KEYS

The staging version of the website is:
https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.7.3-candidate-0/website/index.html

Should we release this candidate?

Regards,
Damien Diederen

--- End Message ---
Re: CVE-2024-23944: Apache ZooKeeper: Information disclosure in persistent watcher handling
Perfect, thanks Andor. We will patch it ourselves.

Best,

Li

On Thu, Mar 14, 2024 at 1:11 PM Andor Molnar wrote:

> Hi Li,
>
> That's the right ticket.
>
> I've just updated the Jira ticket with the links to the commits.
> There's no PR since it was a security fix, but looks like we forgot to
> add it to the master branch.
>
> Damien, would you please take care of that?
>
> Btw, we don't plan to fix it in the 3.7 release line, but the patch is
> already on the branch for your convenience:
> 29c7b9462681f47c2ac12e609341cf9f52abac5c
>
> Regards,
> Andor
>
> On Thu, 2024-03-14 at 12:58 -0700, Li Wang wrote:
>> Thanks, Andor.
>>
>> Do you have the PR link for the fix in 3.9.2 and 3.8.4? There is a
>> JIRA ticket in the release notes of 3.9.2 and 3.8.4, but the status is
>> still OPEN and there is no PR link there.
>>
>> https://issues.apache.org/jira/browse/ZOOKEEPER-4799
>>
>> We are in 3.7.2 and may need to patch it ourselves.
>>
>> Best,
>>
>> Li
>>
>> On Thu, Mar 14, 2024 at 8:52 AM Andor Molnar wrote:
>>
>>> Severity: critical
>>>
>>> Affected versions:
>>>
>>> - Apache ZooKeeper 3.9.0 through 3.9.1
>>> - Apache ZooKeeper 3.8.0 through 3.8.3
>>> - Apache ZooKeeper 3.6.0 through 3.7.2
>>>
>>> Description:
>>>
>>> Information disclosure in persistent watcher handling in Apache ZooKeeper
>>> due to a missing ACL check. It allows an attacker to monitor child znodes by
>>> attaching a persistent watcher (addWatch command) to a parent to which the
>>> attacker already has access. The ZooKeeper server doesn't do an ACL check when
>>> the persistent watcher is triggered and, as a consequence, the full path of
>>> znodes that a watch event gets triggered upon is exposed to the owner of
>>> the watcher. It's important to note that only the path is exposed by this
>>> vulnerability, not the data of the znode, but since a znode path can contain
>>> sensitive information like a user name or login ID, this issue is potentially
>>> critical.
>>>
>>> Users are recommended to upgrade to version 3.9.2 or 3.8.4, which fixes the
>>> issue.
>>>
>>> Credit:
>>>
>>> 周吉安(寒泉) (reporter)
>>>
>>> References:
>>>
>>> https://zookeeper.apache.org/
>>> https://www.cve.org/CVERecord?id=CVE-2024-23944
Re: CVE-2024-23944: Apache ZooKeeper: Information disclosure in persistent watcher handling
Hi Li,

That's the right ticket.

I've just updated the Jira ticket with the links to the commits. There's no PR since it was a security fix, but looks like we forgot to add it to the master branch.

Damien, would you please take care of that?

Btw, we don't plan to fix it in the 3.7 release line, but the patch is already on the branch for your convenience:
29c7b9462681f47c2ac12e609341cf9f52abac5c

Regards,
Andor

On Thu, 2024-03-14 at 12:58 -0700, Li Wang wrote:
> Thanks, Andor.
>
> Do you have the PR link for the fix in 3.9.2 and 3.8.4? There is a
> JIRA ticket in the release notes of 3.9.2 and 3.8.4, but the status is
> still OPEN and there is no PR link there.
>
> https://issues.apache.org/jira/browse/ZOOKEEPER-4799
>
> We are in 3.7.2 and may need to patch it ourselves.
>
> Best,
>
> Li
>
> On Thu, Mar 14, 2024 at 8:52 AM Andor Molnar wrote:
>
>> Severity: critical
>>
>> Affected versions:
>>
>> - Apache ZooKeeper 3.9.0 through 3.9.1
>> - Apache ZooKeeper 3.8.0 through 3.8.3
>> - Apache ZooKeeper 3.6.0 through 3.7.2
>>
>> Description:
>>
>> Information disclosure in persistent watcher handling in Apache ZooKeeper
>> due to a missing ACL check. It allows an attacker to monitor child znodes by
>> attaching a persistent watcher (addWatch command) to a parent to which the
>> attacker already has access. The ZooKeeper server doesn't do an ACL check when
>> the persistent watcher is triggered and, as a consequence, the full path of
>> znodes that a watch event gets triggered upon is exposed to the owner of
>> the watcher. It's important to note that only the path is exposed by this
>> vulnerability, not the data of the znode, but since a znode path can contain
>> sensitive information like a user name or login ID, this issue is potentially
>> critical.
>>
>> Users are recommended to upgrade to version 3.9.2 or 3.8.4, which fixes the
>> issue.
>>
>> Credit:
>>
>> 周吉安(寒泉) (reporter)
>>
>> References:
>>
>> https://zookeeper.apache.org/
>> https://www.cve.org/CVERecord?id=CVE-2024-23944
Re: CVE-2024-23944: Apache ZooKeeper: Information disclosure in persistent watcher handling
Thanks, Andor.

Do you have the PR link for the fix in 3.9.2 and 3.8.4? There is a JIRA ticket in the release notes of 3.9.2 and 3.8.4, but the status is still OPEN and there is no PR link there.

https://issues.apache.org/jira/browse/ZOOKEEPER-4799

We are in 3.7.2 and may need to patch it ourselves.

Best,

Li

On Thu, Mar 14, 2024 at 8:52 AM Andor Molnar wrote:

> Severity: critical
>
> Affected versions:
>
> - Apache ZooKeeper 3.9.0 through 3.9.1
> - Apache ZooKeeper 3.8.0 through 3.8.3
> - Apache ZooKeeper 3.6.0 through 3.7.2
>
> Description:
>
> Information disclosure in persistent watcher handling in Apache ZooKeeper
> due to a missing ACL check. It allows an attacker to monitor child znodes by
> attaching a persistent watcher (addWatch command) to a parent to which the
> attacker already has access. The ZooKeeper server doesn't do an ACL check when
> the persistent watcher is triggered and, as a consequence, the full path of
> znodes that a watch event gets triggered upon is exposed to the owner of
> the watcher. It's important to note that only the path is exposed by this
> vulnerability, not the data of the znode, but since a znode path can contain
> sensitive information like a user name or login ID, this issue is potentially
> critical.
>
> Users are recommended to upgrade to version 3.9.2 or 3.8.4, which fixes the
> issue.
>
> Credit:
>
> 周吉安(寒泉) (reporter)
>
> References:
>
> https://zookeeper.apache.org/
> https://www.cve.org/CVERecord?id=CVE-2024-23944
CVE-2024-23944: Apache ZooKeeper: Information disclosure in persistent watcher handling
Severity: critical

Affected versions:

- Apache ZooKeeper 3.9.0 through 3.9.1
- Apache ZooKeeper 3.8.0 through 3.8.3
- Apache ZooKeeper 3.6.0 through 3.7.2

Description:

Information disclosure in persistent watcher handling in Apache ZooKeeper
due to a missing ACL check. It allows an attacker to monitor child znodes by
attaching a persistent watcher (addWatch command) to a parent to which the
attacker already has access. The ZooKeeper server doesn't do an ACL check when
the persistent watcher is triggered and, as a consequence, the full path of
znodes that a watch event gets triggered upon is exposed to the owner of
the watcher. It's important to note that only the path is exposed by this
vulnerability, not the data of the znode, but since a znode path can contain
sensitive information like a user name or login ID, this issue is potentially
critical.

Users are recommended to upgrade to version 3.9.2 or 3.8.4, which fixes the
issue.

Credit:

周吉安(寒泉) (reporter)

References:

https://zookeeper.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-23944
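The point of the advisory is where the permission check sits: addWatch verifies that the caller may read the parent it watches, but when an event later fires for a descendant, the server hands the descendant's full path to the watch owner without checking that the owner may read that node. The following toy model is added here to make that concrete; it is not ZooKeeper code and not the project's fix. It reduces ACLs to a principal-to-permission map (with `world` standing for the anyone ACL), reduces a session to its principal string, and records each delivered event as a `(type, path)` pair; `DataTree`, `PersistentWatch`, the `guest` and `admin` principals and the `/users/alice-login-id` path are all constructed for the example. With `check_acl_on_trigger=False` the unprivileged watcher learns the child path, which is the disclosure the advisory describes; with `True` the dispatcher re-checks READ on the triggered node against the watch owner and drops the event, which is the check the advisory says was missing.

```python
"""Toy model of persistent-watch dispatch with and without an ACL check at
trigger time. Constructed for illustration; it is not ZooKeeper code."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

READ = 1  # the only permission bit the model needs (ZooKeeper has several)


@dataclass
class Znode:
    # principal -> permission bits; "world" stands for the anyone ACL
    acl: Dict[str, int]


@dataclass
class PersistentWatch:
    owner: str        # principal of the session that called addWatch
    recursive: bool   # True models PERSISTENT_RECURSIVE, False plain PERSISTENT
    events: List[Tuple[str, str]] = field(default_factory=list)  # (type, path)


class DataTree:
    """Minimal znode tree: create nodes, register persistent watches, fire events."""

    def __init__(self, check_acl_on_trigger: bool):
        self.check_acl_on_trigger = check_acl_on_trigger
        self.nodes: Dict[str, Znode] = {"/": Znode({"world": READ})}
        self.watches: Dict[str, List[PersistentWatch]] = {}

    def has_read(self, principal: str, path: str) -> bool:
        acl = self.nodes[path].acl
        return bool((acl.get(principal, 0) | acl.get("world", 0)) & READ)

    def add_watch(self, principal: str, path: str, recursive: bool) -> PersistentWatch:
        # addWatch has always required READ on the base path; that check is not the bug.
        if not self.has_read(principal, path):
            raise PermissionError(f"{principal} may not read {path}")
        watch = PersistentWatch(principal, recursive)
        self.watches.setdefault(path, []).append(watch)
        return watch

    def create(self, path: str, acl: Dict[str, int]) -> None:
        self.nodes[path] = Znode(dict(acl))
        parent = path.rsplit("/", 1)[0] or "/"
        self._trigger("NodeCreated", path)
        self._trigger("NodeChildrenChanged", parent)

    def _trigger(self, event_type: str, path: str) -> None:
        # Collect the watches that fire: a plain persistent watch only for its own
        # node, a recursive one for every node event in its subtree (not the
        # children-changed event, which the recursive mode does not report).
        candidates: List[PersistentWatch] = []
        ancestor = path
        while True:
            for watch in self.watches.get(ancestor, []):
                if watch.recursive:
                    fires = event_type != "NodeChildrenChanged"
                else:
                    fires = ancestor == path
                if fires:
                    candidates.append(watch)
            if ancestor == "/":
                break
            ancestor = ancestor.rsplit("/", 1)[0] or "/"
        for watch in candidates:
            # The check the advisory says was missing: the event names `path`, so
            # the owner must be allowed to read `path`, not just the watched parent.
            if self.check_acl_on_trigger and not self.has_read(watch.owner, path):
                continue
            watch.events.append((event_type, path))


def demo(check_acl_on_trigger: bool) -> Dict[str, List[str]]:
    """Guest and admin both hold recursive watches on a world-readable parent;
    a child readable only by admin is then created. Returns the paths each saw."""
    tree = DataTree(check_acl_on_trigger)
    tree.create("/users", {"world": READ})
    guest_watch = tree.add_watch("guest", "/users", recursive=True)
    admin_watch = tree.add_watch("admin", "/users", recursive=True)
    # Constructed path carrying the kind of sensitive name the advisory warns about.
    tree.create("/users/alice-login-id", {"admin": READ})
    return {
        "guest": [path for _, path in guest_watch.events],
        "admin": [path for _, path in admin_watch.events],
    }


if __name__ == "__main__":
    print("vulnerable:", demo(check_acl_on_trigger=False))
    print("hardened:  ", demo(check_acl_on_trigger=True))
```

Running it prints the guest seeing `/users/alice-login-id` in the vulnerable configuration and nothing in the hardened one, while the admin sees the path in both. The design choice worth noting for anyone reviewing a backport of the fix is that the check belongs at dispatch time, keyed on the triggered node's ACL and the watch owner's identity, because the base-path check in addWatch cannot know which descendants will exist later or what ACLs they will carry.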