[ https://issues.apache.org/jira/browse/ZOOKEEPER-2693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15870693#comment-15870693 ]

ASF GitHub Bot commented on ZOOKEEPER-2693:
-------------------------------------------

Github user hanm commented on the issue:

    https://github.com/apache/zookeeper/pull/179

    Thanks everyone for feedback. Updated pull request to address your review
    comments. One change I made on the latest update is to introduce an internal Java
    system property zookeeper.test.4lw.enabled for tests so we don't have to
    copy-paste the lengthy setup code for the zookeeper.4lw.commands.whitelist property
    and use zookeeper.test.4lw.enabled instead, providing an elegant switch.
    zookeeper.4lw.commands.whitelist is still used in some tests to provide
    complete code coverage for the new code paths introduced.

    All tests should be green now.


> DOS attack on wchp/wchc four letter words (4lw)
> -----------------------------------------------
>
>                 Key: ZOOKEEPER-2693
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2693
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security, server
>    Affects Versions: 3.4.0, 3.5.1, 3.5.2
>            Reporter: Patrick Hunt
>            Assignee: Michael Han
>            Priority: Blocker
>             Fix For: 3.4.10, 3.5.3
>
>
> The wchp/wchc four letter words can be exploited in a DOS attack on the ZK 
> client port - typically 2181. The following POC attack was recently published 
> on the web:
> https://webcache.googleusercontent.com/search?q=cache:_CNGIz10PRYJ:https://www.exploit-db.com/exploits/41277/+&cd=14&hl=en&ct=clnk&gl=us
> The most straightforward way to block this attack is to not allow access to 
> the client port to non-trusted clients - i.e. firewall the ZooKeeper service 
> and only allow access to trusted applications using it for coordination.
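As an added example (not code from the ZooKeeper project or from anyone on this thread), the following Python script audits whether a ZooKeeper server still answers the wchp/wchc four letter words once `zookeeper.4lw.commands.whitelist` has been set. It assumes the reply wording ZooKeeper uses for a command left out of the whitelist ("... is not executed because it is not in the whitelist"), that `ruok` answers `imok` on a healthy server, and that each 4lw request is answered in plain text followed by the server closing the connection; the host, port and the fake replies used for exercising the logic are constructed values.

```python
"""Audit whether a ZooKeeper server still answers the wchp/wchc four letter words.

Added example, not ZooKeeper project code. Assumptions:
  * ZooKeeper answers a 4lw request with plain text and then closes the socket;
  * a command excluded by zookeeper.4lw.commands.whitelist is answered with a line
    containing "is not executed because it is not in the whitelist" (assumed wording);
  * `ruok` on a healthy server returns "imok".
"""
import socket
from typing import Callable, Dict, List

# A probe takes (host, port, command) and returns the server's text reply.
Probe = Callable[[str, int, str], str]

# wchp/wchc enumerate every watch on the server; the reply grows with the number
# of watches, which is why the issue treats them as a DoS vector on the client port.
WATCH_DUMP_COMMANDS = ("wchp", "wchc")


def send_4lw(host: str, port: int, cmd: str, timeout: float = 3.0) -> str:
    """Send one four letter word over a fresh TCP connection and return the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(cmd.encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:          # server closes the connection after the reply
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def classify_response(cmd: str, reply: str) -> str:
    """Map a raw reply to one of 'blocked', 'answered' or 'empty'."""
    if not reply.strip():
        return "empty"                       # connection dropped without a reply
    if "not in the whitelist" in reply:      # assumed wording of the whitelist refusal
        return "blocked"
    return "answered"


def audit_watch_commands(host: str, port: int = 2181,
                         probe: Probe = send_4lw) -> Dict[str, str]:
    """Return {command: verdict} for ruok plus the watch-dump commands.

    `probe` is injectable so the classification can be exercised without a server.
    """
    results: Dict[str, str] = {}
    results["ruok"] = "answered" if probe(host, port, "ruok").strip() == "imok" else "unhealthy"
    for cmd in WATCH_DUMP_COMMANDS:
        results[cmd] = classify_response(cmd, probe(host, port, cmd))
    return results


def exposed_watch_commands(results: Dict[str, str]) -> List[str]:
    """Watch-dump commands the server still executes for any client that can connect."""
    return [c for c in WATCH_DUMP_COMMANDS if results.get(c) == "answered"]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"   # constructed default
    verdicts = audit_watch_commands(target)
    for cmd, verdict in verdicts.items():
        print(f"{cmd}: {verdict}")
    if exposed_watch_commands(verdicts):
        print("wchp/wchc are reachable: restrict zookeeper.4lw.commands.whitelist to the "
              "commands you need and firewall the client port to trusted clients.")
```

Run it against one of your own ensemble members (`python audit_4lw.py zk1.example.internal`, a constructed hostname); a verdict of `answered` for wchp or wchc means the whitelist is not in effect on that server, while `blocked` or `empty` means the command is no longer served to unauthenticated clients. The check is a single request per command, so it is safe to run from monitoring.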



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
