[
https://issues.apache.org/jira/browse/ZOOKEEPER-2693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15867335#comment-15867335
]
Michael Han commented on ZOOKEEPER-2693:
----------------------------------------
The compatibility argument makes the most sense - so how about this:
* For both 3.5/3.4, provide a new configuration option that allows the admin of an ensemble to whitelist the 4lw commands exposed to the world.
* If such an option is not provided in zoo.cfg, ZK will choose a default list of whitelisted commands. Otherwise what's put in zoo.cfg will override the default values.
I think this is a good scoping that balances addressing this specific issue and ease of implementation.
Rate limiter and deprecating 4lw in favor of AdminServer (for 3.5) can be done as separate issues later (after 3.4.10 / 3.5.3 are released).
> DOS attack on wchp/wchc four letter words (4lw)
> -----------------------------------------------
>
> Key: ZOOKEEPER-2693
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2693
> Project: ZooKeeper
> Issue Type: Bug
> Components: security, server
> Affects Versions: 3.4.0, 3.5.1, 3.5.2
> Reporter: Patrick Hunt
> Assignee: Michael Han
> Priority: Blocker
> Fix For: 3.4.10, 3.5.3
>
>
> The wchp/wchc four letter words can be exploited in a DOS attack on the ZK
> client port - typically 2181. The following POC attack was recently published
> on the web:
> https://webcache.googleusercontent.com/search?q=cache:_CNGIz10PRYJ:https://www.exploit-db.com/exploits/41277/+&cd=14&hl=en&ct=clnk&gl=us
> The most straightforward way to block this attack is to not allow access to
> the client port to non-trusted clients - i.e. firewall the ZooKeeper service
> and only allow access to trusted applications using it for coordination.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
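The whitelist rule proposed in the comment above (no key in zoo.cfg means a default list, a key present overrides it), modelled as an added Python example; this is not ZooKeeper's own code. The key name `4lw.commands.whitelist`, the `*` wildcard, the set of known commands and the default list are assumptions made for the example, with wchp/wchc left out of the default because the issue names them as the DoS vector.

```python
# Assumed config key (the name ZooKeeper 3.4.10 / 3.5.3 adopted; not on this page).
WHITELIST_KEY = "4lw.commands.whitelist"

# Constructed subset of 4lw commands for the example.
KNOWN_4LW = {"conf", "cons", "crst", "dump", "envi", "ruok", "srst",
             "srvr", "stat", "wchs", "wchc", "wchp", "mntr", "isro"}
# Constructed default: everything except the watch-dumping commands.
DEFAULT_WHITELIST = KNOWN_4LW - {"wchp", "wchc"}


def parse_zoo_cfg(text: str) -> dict:
    """Parse key=value lines of a zoo.cfg; comments, blanks and junk are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def effective_whitelist(cfg: dict) -> set:
    """Absent key -> default list; present key -> replaces the default.
    '*' (assumed wildcard) enables every known command; an empty value enables none."""
    if WHITELIST_KEY not in cfg:
        return set(DEFAULT_WHITELIST)
    value = cfg[WHITELIST_KEY]
    if value == "*":
        return set(KNOWN_4LW)
    return {c.strip() for c in value.split(",") if c.strip()}


def audit(cfg_text: str) -> list:
    """Return the watch-dumping commands a given zoo.cfg still exposes on the client port."""
    allowed = effective_whitelist(parse_zoo_cfg(cfg_text))
    return sorted(allowed & {"wchp", "wchc"})


# Constructed sample configs.
CFG_NO_KEY = "tickTime=2000\nclientPort=2181\n"
CFG_TIGHT = "clientPort=2181\n4lw.commands.whitelist=srvr, ruok, mntr\n"
CFG_OPEN = "clientPort=2181\n4lw.commands.whitelist=*\n"

if __name__ == "__main__":
    for name, text in (("no key", CFG_NO_KEY), ("tight", CFG_TIGHT), ("open", CFG_OPEN)):
        print(name, "exposes:", audit(text) or "nothing")
```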