This is an automated email from the ASF dual-hosted git repository. andor pushed a commit to branch asf-site in repository https://gitbox.apache.org/repos/asf/zookeeper.git
The following commit(s) were added to refs/heads/asf-site by this push: new c07c00495 CVE-2024-23944 c07c00495 is described below commit c07c004955cd680ae4e0c57b2857c2fe0fe5f128 Author: Andor Molnar <an...@cloudera.com> AuthorDate: Thu Mar 14 11:07:26 2024 -0500 CVE-2024-23944 --- content/security.html | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/content/security.html b/content/security.html index 376b34111..726a0d188 100644 --- a/content/security.html +++ b/content/security.html 
@@ -96,12 +96,29 @@ target="_top">secur...@zookeeper.apache.org</a>. In the message, try to provide <p>The ASF Security team maintains a page with a description of how vulnerabilities are handled, check their <a href="https://www.apache.org/security/">Web page</a> for more information.</p> <h2>Vulnerability reports</h2> <ul> +<li><a href="#CVE-2024-23944">CVE-2024-23944: Information disclosure in persistent watcher handling</a></li> <li><a href="#CVE-2023-44981">CVE-2023-44981: Authorization bypass in SASL Quorum Peer Authentication</a></li> <li><a href="#CVE-2019-0201">CVE-2019-0201: Information disclosure vulnerability in Apache ZooKeeper</a></li> <li><a href="#CVE-2018-8012">CVE-2018-8012: Apache ZooKeeper Quorum Peer mutual authentication</a></li> <li><a href="#CVE-2017-5637">CVE-2017-5637: DOS attack on wchp/wchc four letter words (4lw)</a></li> <li><a href="#CVE-2016-5017">CVE-2016-5017: Buffer overflow vulnerability in ZooKeeper C cli shell</a></li> </ul> +<p><a name="CVE-2024-23944"></a></p> +<h3>CVE-2024-23944: Information disclosure in persistent watcher handling</h3> +<p>Severity: critical</p> +<p>Affected versions:</p> +<ul> +<li>Apache ZooKeeper 3.9.0 through 3.9.1</li> +<li>Apache ZooKeeper 3.8.0 through 3.8.3</li> +<li>Apache ZooKeeper 3.6.0 through 3.7.2</li> +</ul> +<p>Description:</p> +<p>Information disclosure in persistent watchers handling in Apache ZooKeeper due to missing ACL check. It allows an attacker to monitor child znodes by attaching a persistent watcher (addWatch command) to a parent which the attacker has already access to. ZooKeeper server doesn't do ACL check when the persistent watcher is triggered and as a consequence, the full path of znodes that a watch event gets triggered upon is exposed to the owner of the watcher. It's important to note that onl [...] 
+<p>Users are recommended to upgrade to version 3.9.2, 3.8.4 which fixes the issue.</p> +<p>Credit:</p> +<p>周吉安(寒泉) <a href="mailto:zhoujian.zja@alibaba-inc.com">zhoujian.zja@alibaba-inc.com</a> (reporter)</p> +<p>References:</p> +<p><a href="https://zookeeper.apache.org/">https://zookeeper.apache.org/</a> <a href="https://www.cve.org/CVERecord?id=CVE-2024-23944">https://www.cve.org/CVERecord?id=CVE-2024-23944</a></p> <p><a name="CVE-2023-44981"></a></p> <h3>CVE-2023-44981: Authorization bypass in SASL Quorum Peer Authentication</h3> <p>Severity: critical</p> @@ -118,7 +135,7 @@ target="_top">secur...@zookeeper.apache.org</a>. In the message, try to provide <p>Alternately ensure the ensemble election/quorum communication is protected by a firewall as this will mitigate the issue.</p> <p>See the documentation for more details on correct cluster administration.</p> <p>Credit:</p> -<p>Damien Diederen <a href="mailto:ddiederen@apache.org">ddiederen@apache.org</a> (reporter)</p> +<p>Damien Diederen <a href="mailto:ddiederen@apache.org">ddiederen@apache.org</a> (reporter)</p> <p>References:</p> <p><a href="https://zookeeper.apache.org/">https://zookeeper.apache.org/</a></p> <p><a href="https://www.cve.org/CVERecord?id=CVE-2023-44981">https://www.cve.org/CVERecord?id=CVE-2023-44981</a></p> 
@@ -129,7 +146,7 @@ target="_top">secur...@zookeeper.apache.org</a>. In the message, try to provide <p>Versions Affected: ZooKeeper prior to 3.4.14 ZooKeeper 3.5.0-alpha through 3.5.4-beta. The unsupported ZooKeeper 1.x through 3.3.x versions may be also affected.</p> <p>Description: ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.</p> <p>Mitigation: Use an authentication method other than Digest (e.g. Kerberos) or upgrade to 3.4.14 or later (3.5.5 or later if on the 3.5 branch).</p> -<p>Credit: This issue was identified by Harrison Neal <a href="mailto:harrison@patchadvisor.com">harrison@patchadvisor.com</a> PatchAdvisor, Inc.</p> +<p>Credit: This issue was identified by Harrison Neal <a href="mailto:harrison@patchadvisor.com">harrison@patchadvisor.com</a> PatchAdvisor, Inc.</p> <p>References: https://issues.apache.org/jira/browse/ZOOKEEPER-1392</p> <p><a name="CVE-2018-8012"></a></p> <h3>CVE-2018-8012: Apache ZooKeeper Quorum Peer mutual authentication</h3>
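Review bot: in the first hunk (the new CVE-2024-23944 entry) the affected-versions list includes "Apache ZooKeeper 3.6.0 through 3.7.2", but the remediation line only names fixed versions for the 3.9 and 3.8 lines ("Users are recommended to upgrade to version 3.9.2, 3.8.4 which fixes the issue."), so readers on 3.6.x/3.7.x are left without guidance; state either the fixed release for that line or that they should move to 3.8.4 or 3.9.2. Minor wording: "upgrade to version 3.9.2 or 3.8.4, which fix the issue". The two references are also packed into a single `<p>` separated by a space, whereas the existing CVE-2023-44981 entry below puts each reference in its own `<p>`; match that layout for consistency.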
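Review bot: the second hunk (CVE-2023-44981 credit line) removes and re-adds a visually identical line, so this is a whitespace or invisible-character change that the commit message "CVE-2024-23944" does not mention; either confirm it is intentional (for example stripping a stray non-breaking space) and say so in the message, or drop it from this commit to keep the diff scoped to the new advisory.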
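Review bot: the third hunk (CVE-2019-0201 credit line) has the same pattern: the `-` and `+` lines are byte-for-byte identical as rendered, so it is an unexplained whitespace-only edit unrelated to CVE-2024-23944; the same suggestion applies, document it or leave it out of this commit.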