[
https://issues.apache.org/jira/browse/ZOOKEEPER-2693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15867227#comment-15867227
]
Michael Han commented on ZOOKEEPER-2693:
----------------------------------------
> I don't think we can go with an all/nothing approach, many users would
> still want to be able to monitor their system using existing 4lw based infra.

[~phunt] The current patch is for branch 3.5, where we have AdminServer, which
is designed to replace four letter words. That is why the patch provides only
an option to completely disable the entire set of four letter words instead of
disabling a specific subset. The AdminServer will make four letter words
irrelevant, and because AdminServer does not share the ZooKeeper client port
(which sometimes has to be exposed publicly), admins of an ensemble can protect
the AdminServer port with a firewall without interrupting ZooKeeper clients.
Besides, given the security concerns, this seems a good opportunity to push for
deprecating four letter words in favor of AdminServer, which has been around for
quite a while.

Do you think we still need four letter words turned on by default for the
coming 3.5 release / master branch?
> DOS attack on wchp/wchc four letter words (4lw)
> -----------------------------------------------
>
> Key: ZOOKEEPER-2693
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2693
> Project: ZooKeeper
> Issue Type: Bug
> Components: security, server
> Affects Versions: 3.4.0, 3.5.1, 3.5.2
> Reporter: Patrick Hunt
> Assignee: Michael Han
> Priority: Blocker
> Fix For: 3.4.10, 3.5.3
>
>
> The wchp/wchc four letter words can be exploited in a DOS attack on the ZK
> client port - typically 2181. The following POC attack was recently published
> on the web:
> https://webcache.googleusercontent.com/search?q=cache:_CNGIz10PRYJ:https://www.exploit-db.com/exploits/41277/+&cd=14&hl=en&ct=clnk&gl=us
> The most straightforward way to block this attack is to not allow access to
> the client port to non-trusted clients - i.e. firewall the ZooKeeper service
> and only allow access to trusted applications using it for coordination.
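The mitigation discussed in this thread (keep wchp/wchc off the client port, and keep AdminServer on its own firewallable port) can be audited from zoo.cfg. The script below is an added example, not code from the ticket or from ZooKeeper; it assumes the property names of the released configuration (`4lw.commands.whitelist`, `admin.enableServer`, `admin.serverPort`), and the sample configs are constructed.

```python
"""Audit a zoo.cfg for the four-letter-word exposure described in ZOOKEEPER-2693.

Assumption: property names follow the released ZooKeeper configuration
(4lw.commands.whitelist, admin.enableServer, admin.serverPort), which the
patch under discussion here does not itself introduce.
"""

EXPENSIVE_4LW = {"wchp", "wchc"}  # commands the ticket identifies as DoS vectors


def parse_cfg(text):
    """Parse key=value lines of a zoo.cfg, skipping blanks and comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def audit(cfg):
    """Return a list of findings; an empty list means the config is hardened."""
    findings = []
    whitelist = cfg.get("4lw.commands.whitelist")
    if whitelist is None:
        findings.append("4lw: no whitelist set, all four letter words reachable on clientPort")
    else:
        allowed = {c.strip() for c in whitelist.split(",") if c.strip()}
        if "*" in allowed:
            findings.append("4lw: wildcard whitelist exposes wchp/wchc")
        elif allowed & EXPENSIVE_4LW:
            findings.append("4lw: wchp/wchc explicitly whitelisted")
    # AdminServer (3.5) defaults: enabled, port 8080, separate from clientPort.
    if cfg.get("admin.enableServer", "true").lower() != "true":
        findings.append("admin: AdminServer disabled, 4lw remains the only monitoring path")
    elif cfg.get("admin.serverPort", "8080") == cfg.get("clientPort", "2181"):
        findings.append("admin: AdminServer shares clientPort and cannot be firewalled separately")
    return findings


# Constructed sample configs: the weak setting beside the corrected one.
WEAK_CFG = "clientPort=2181\n4lw.commands.whitelist=*\nadmin.enableServer=false\n"
HARDENED_CFG = (
    "clientPort=2181\n4lw.commands.whitelist=srvr, ruok\n"
    "admin.enableServer=true\nadmin.serverPort=8080\n"
)

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG)):
        print(name, audit(parse_cfg(text)) or ["ok"])
```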