[ https://issues.apache.org/jira/browse/ZOOKEEPER-2693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15867227#comment-15867227 ]

Michael Han edited comment on ZOOKEEPER-2693 at 2/15/17 4:44 AM:
-----------------------------------------------------------------

bq. I don't think we can go with an all/nothing approach, many users would 
still want to be able to monitor their system using existing 4lw based infra.
[~phunt] The current patch is for branch 3.5, where we have AdminServer, which 
is designed to replace four letter words. That is why the patch provides only 
an option to completely disable the entire set of four letter words instead of 
only disabling a specific subset. The AdminServer will make four letter words 
irrelevant, and because AdminServer does not share the ZooKeeper client port 
(which sometimes has to be exposed publicly), admins of an ensemble can protect 
the AdminServer port with a firewall without interrupting ZooKeeper clients. 
Besides, this seems a good opportunity to push for deprecating four letter 
words in favor of AdminServer, which has been around for quite a while, given 
the security concerns. 

Do you think we still need to provide a middle ground for 4lws for the 3.5 
release / master branch instead of completely shutting them off? 


was (Author: hanm):
bq. I don't think we can go with an all/nothing approach, many users would 
still want to be able to monitor their system using existing 4lw based infra.
[~phunt] The current patch is for branch 3.5, where we have AdminServer, which 
is designed to replace four letter words. That is why the patch provides only 
an option to completely disable the entire set of four letter words instead of 
only disabling a specific subset. The AdminServer will make four letter words 
irrelevant, and because AdminServer does not share the ZooKeeper client port 
(which sometimes has to be exposed publicly), admins of an ensemble can protect 
the AdminServer port with a firewall without interrupting ZooKeeper clients. 
Besides, this seems a good opportunity to push for deprecating four letter 
words in favor of AdminServer, which has been around for quite a while, given 
the security concerns. 

Do you think we still need four letter words turned on by default for the 
coming 3.5 release / master branch?

> DOS attack on wchp/wchc four letter words (4lw)
> -----------------------------------------------
>
>                 Key: ZOOKEEPER-2693
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2693
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security, server
>    Affects Versions: 3.4.0, 3.5.1, 3.5.2
>            Reporter: Patrick Hunt
>            Assignee: Michael Han
>            Priority: Blocker
>             Fix For: 3.4.10, 3.5.3
>
>
> The wchp/wchc four letter words can be exploited in a DOS attack on the ZK 
> client port - typically 2181. The following POC attack was recently published 
> on the web:
> https://webcache.googleusercontent.com/search?q=cache:_CNGIz10PRYJ:https://www.exploit-db.com/exploits/41277/+&cd=14&hl=en&ct=clnk&gl=us
> The most straightforward way to block this attack is to not allow access to 
> the client port to non-trusted clients - i.e. firewall the ZooKeeper service 
> and only allow access to trusted applications using it for coordination.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)