[ https://issues.apache.org/jira/browse/ZOOKEEPER-2693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15867293#comment-15867293 ]

Patrick Hunt commented on ZOOKEEPER-2693:
-----------------------------------------

bq. The configuration option of disabling 4lw or a subset of it seems an 
ultimate escape hatch

Yes, this was my thought as well.

Your argument around having the rate limiter makes sense, that's one of the 
things I was thinking about this morning when I originally recommended it. Now 
I'm also leaning toward the "whitelist" approach because I think it's a very 
clean solution to the problem. What I mean is no on/off config, just a single 
configuration listing the whitelisted 4lw. If the list is empty it's off (the 
map is empty), otw the user can select the commands they would like to expose. 

If we implement something for 3.4, the same b/w compat argument should hold, 
i.e. if we do rate limiting in 3.4 we should also have the same functionality 
in 3.5.
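To make the whitelist semantics concrete (an empty list means every 4lw is off, otherwise only the listed commands are served), here is an added example in Python that is not ZooKeeper's own code. The property name, the `*` wildcard, the subset of command names and the rejection text are assumptions of this example.

```python
"""Whitelist gate for ZooKeeper-style four-letter-word (4lw) commands (added example)."""

# Subset of 4lw command names used for validation (constructed, not exhaustive).
KNOWN_4LW = {"ruok", "srvr", "stat", "cons", "mntr", "envi", "wchs", "wchc", "wchp", "dump"}


def parse_whitelist(value: str) -> set:
    """Parse a comma-separated whitelist such as '4lw.commands.whitelist=ruok,stat'.

    Empty or blank -> empty set, i.e. all 4lw disabled (the "map is empty" case).
    '*' (assumed wildcard) -> every known command.
    Unknown names raise ValueError so a typo cannot silently expose or hide a command.
    """
    names = {n.strip().lower() for n in (value or "").split(",") if n.strip()}
    if not names:
        return set()
    if "*" in names:
        return set(KNOWN_4LW)
    unknown = names - KNOWN_4LW
    if unknown:
        raise ValueError(f"unknown 4lw command(s) in whitelist: {sorted(unknown)}")
    return names


class FourLetterGate:
    """Dispatches a 4lw request only if the command is whitelisted."""

    def __init__(self, whitelist_value: str, handlers: dict):
        self.whitelist = parse_whitelist(whitelist_value)
        self.handlers = handlers  # command -> zero-arg callable producing the reply

    def handle(self, raw: bytes) -> str:
        # A 4lw request is the first four bytes on the client port.
        cmd = raw[:4].decode("ascii", "replace").lower()
        if cmd not in self.whitelist:
            # Rejection text is this example's own wording.
            return f"{cmd} is not executed because it is not in the whitelist."
        handler = self.handlers.get(cmd)
        if handler is None:
            return f"{cmd} is whitelisted but has no handler."
        return handler()


# Constructed handlers standing in for the real command implementations.
SAMPLE_HANDLERS = {
    "ruok": lambda: "imok",
    "srvr": lambda: "Zookeeper version: (constructed sample)",
    "wchc": lambda: "(watch dump by session; expensive on large ensembles)",
}
```

With the default empty whitelist every request, including `wchc`, is rejected before any expensive watch-dump code runs; listing only `ruok,srvr` keeps health checks working while the DOS-prone commands stay off.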

> DOS attack on wchp/wchc four letter words (4lw)
> -----------------------------------------------
>
>                 Key: ZOOKEEPER-2693
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2693
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security, server
>    Affects Versions: 3.4.0, 3.5.1, 3.5.2
>            Reporter: Patrick Hunt
>            Assignee: Michael Han
>            Priority: Blocker
>             Fix For: 3.4.10, 3.5.3
>
>
> The wchp/wchc four letter words can be exploited in a DOS attack on the ZK 
> client port - typically 2181. The following POC attack was recently published 
> on the web:
> https://webcache.googleusercontent.com/search?q=cache:_CNGIz10PRYJ:https://www.exploit-db.com/exploits/41277/+&cd=14&hl=en&ct=clnk&gl=us
> The most straightforward way to block this attack is to not allow access to 
> the client port to non-trusted clients - i.e. firewall the ZooKeeper service 
> and only allow access to trusted applications using it for coordination.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
