Dear developers:
I am a Ph.D. student at Washington State University. I applied dynamic
taint analyzer (distTaint) to Apache Zookeeper (version 3.4.11). And then I
find a security vulnerability, that exists from 3.4.11-3.4.14 and 3.5.5, from
tainted paths.
Possible information leakage from FileTxnSnapLog to log without LOG control
LOG.isDebugEnabled():
In org.apache.zookeeper.server.persistence.FileTxnSnapLog, the statement
LOG.debug don't have LOG controls:
public void processTransaction(TxnHeader hdr,DataTree dt,
Map<Long, Integer> sessions, Record txn)
throws KeeperException.NoNodeException {
......
if (rc.err != Code.OK.intValue()) {
LOG.debug("Ignoring processTxn failure hdr:" + hdr.getType()
+ ", error: " + rc.err + ", path: " + rc.path);
}
......
}
Sensitive information about hdr type or rc path may be leaked. The conditional
statement LOG.isDebugEnabled() should be added:
public void processTransaction(TxnHeader hdr,DataTree dt,
Map<Long, Integer> sessions, Record txn)
throws KeeperException.NoNodeException {
......
if (rc.err != Code.OK.intValue()) {
if (LOG.isDebugEnabled())
LOG.debug("Ignoring processTxn failure hdr:" + hdr.getType()
+ ", error: " + rc.err + ", path: " + rc.path);
}
......
}
Please help me confirm it and give it a CVE ID.
Thank you very much!
Yours sincerely
Xiaoqin Fu
