On Fri, May 25, 2018 at 8:38 AM Philip Lowman <plow...@workforcesoftware.com> wrote:

> Hello,
>
> In regards to the CVE-2018-8012
> <https://lists.apache.org/thread.html/c75147028c1c79bdebd4f8fa5db2b77da85de2b05ecc0d54d708b393@%3Cdev.zookeeper.apache.org%3E>
> advisory posted on Monday, it contains the following statement “Alternatively ensure
> the ensemble election/quorum communication is protected by a firewall as
> this will mitigate the issue”.
>
> I just wanted to ask (or hopefully just confirm), does this communication
> *exclusively* travel over the “leader election port”?
>
> In example configuration files the leader election port (see server.x in
> the docs
> <http://zookeeper.apache.org/doc/current/zookeeperAdmin.html#sc_configuration>)
> is typically defined to be port 3888.
>
> server.1=zoo1:2888:3888
> server.2=zoo2:2888:3888
> server.3=zoo3:2888:3888

Hi Philip,

The firewall would need to protect both the election and quorum ports - those are
the two numbers at the end of the server.# configuration parameters. See
http://zookeeper.apache.org/doc/current/zookeeperAdmin.html#sc_clusterOptions for
more details on that config option.

Patrick

> Thanks
>
> Philip Lowman
> Sr. Software Security Engineer
> WorkForce Software | 38705 Seven Mile Road, Livonia, MI 48152
> T: +1 734-742-3610 | E: plow...@workforcesoftware.com
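As an added illustration of Patrick's point (this is not code from the thread or from the ZooKeeper project), the script below reads the server.N lines of a zoo.cfg, pulls out both the quorum port and the election port from each entry, and prints iptables rules that accept those ports only from the other ensemble members and drop everyone else. The zoo.cfg contents and the host-to-IP table are constructed for the example; the rules are printed rather than applied so they can be reviewed before running them as root.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the ZooKeeper project.
# Derives a firewall allow-list for ZooKeeper's quorum and election ports
# from the server.N entries of a zoo.cfg.

# Constructed sample zoo.cfg mirroring the three-node ensemble in the thread.
ZOO_CFG="$(cat <<'EOF'
tickTime=2000
dataDir=/var/lib/zookeeper
clientPort=2181
server.1=zoo1:2888:3888
server.2=zoo2:2888:3888
server.3=zoo3:2888:3888
EOF
)"

# Constructed hostname -> IP table standing in for DNS or /etc/hosts.
# Replace with the real peer addresses when using this for an actual ensemble.
PEER_IPS="zoo1 10.0.0.11
zoo2 10.0.0.12
zoo3 10.0.0.13"

# Distinct quorum and election ports from every server.N line, one per line.
# Field separators also cover the ';clientPort' suffix used by newer
# server.N syntax, so a trailing client port is ignored rather than misread.
ensemble_ports() {
    printf '%s\n' "$ZOO_CFG" |
      awk -F'[=:;]' '/^server\.[0-9]+=/ { print $3; print $4 }' | sort -un
}

# Peer hostnames from every server.N line.
ensemble_peers() {
    printf '%s\n' "$ZOO_CFG" | awk -F'[=:;]' '/^server\.[0-9]+=/ { print $2 }'
}

# Emit one ACCEPT rule per peer for both ports, then a DROP for all other
# sources. Printed, not executed: review, then run with root privileges.
iptables_rules() {
    ports=$(ensemble_ports | paste -s -d ',' -)
    ensemble_peers | while read -r host; do
        ip=$(printf '%s\n' "$PEER_IPS" | awk -v h="$host" '$1 == h { print $2 }')
        printf 'iptables -A INPUT -p tcp -s %s -m multiport --dports %s -j ACCEPT\n' "$ip" "$ports"
    done
    printf 'iptables -A INPUT -p tcp -m multiport --dports %s -j DROP\n' "$ports"
}

iptables_rules
```

Note that the client port (2181 here) is deliberately left out of the rule set: the advisory's mitigation concerns peer-to-peer traffic, and clients still need to reach the ensemble. On a host that is itself a member, its own address should also be allowed if the rules are applied with a default-deny input policy.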