[ https://issues.apache.org/jira/browse/ZOOKEEPER-2693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15876881#comment-15876881 ]

Michael Han commented on ZOOKEEPER-2693:
----------------------------------------

bq. srvr is used in zookeeper/bin/zkServer.sh status
bq. isro is used in org.apache.zookeeper.ClientCnxn.SendThread.pingRwServer()

Good catch [~arshadmohammad] - I hope this is an exhaustive list of 4lw used 
by ZK :) Are there other commands used by ZK itself, if you may know?

Read only server is disabled by default, so we can leave isro out of the white list 
by default and document in the admin manual that if read only server is enabled, 
this command must be put back in the white list. We can use a separate JIRA to get 
rid of isro from the ZooKeeper client library later. 

For srvr, it is only used in zkServer.sh's stat option - not sure if anyone 
actually uses this feature, but we could just remove the stat option from 
zkServer.sh so we don't have to include srvr in the whitelist. Another option is to 
include srvr in the white list by default for 3.4/3.5. I think including it by 
default in the whitelist sounds like the way to go from a compatibility point of view.
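As an added example (not code from the ZooKeeper project or from anyone in this thread), a small Python audit of a zoo.cfg that applies the rule discussed above: wchp/wchc should be out, srvr stays in because zkServer.sh status needs it, and isro is only required when read-only mode is enabled. The property name `4lw.commands.whitelist` is the setting introduced by this fix; the sample configs, finding strings and the `read_only_enabled` flag are constructed for the example.

```python
WHITELIST_KEY = "4lw.commands.whitelist"
DOS_PRONE = {"wchp", "wchc"}        # the two commands from the issue title
SCRIPT_NEEDED = {"srvr"}            # used by 'zkServer.sh status'
READ_ONLY_NEEDED = {"isro"}         # used by the client's pingRwServer()


def parse_zoo_cfg(text):
    """Parse key=value lines of a zoo.cfg, skipping blanks and '#' comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def audit_4lw(cfg_text, read_only_enabled=False):
    """Return a list of findings; an empty list means the whitelist is consistent."""
    cfg = parse_zoo_cfg(cfg_text)
    raw = cfg.get(WHITELIST_KEY)
    if raw is None:
        # Which commands are enabled then depends on the version default, so flag it.
        return [f"{WHITELIST_KEY} is not set; set it explicitly"]
    findings = []
    cmds = {c.strip() for c in raw.split(",") if c.strip()}
    if "*" in cmds:
        findings.append("'*' enables every 4lw command, including wchp/wchc")
        cmds = DOS_PRONE | SCRIPT_NEEDED | READ_ONLY_NEEDED  # wildcard covers all of these
    exposed = cmds & DOS_PRONE
    if exposed:
        findings.append("DoS-prone commands enabled: " + ", ".join(sorted(exposed)))
    if not SCRIPT_NEEDED <= cmds:
        findings.append("srvr missing: 'zkServer.sh status' will not work")
    if read_only_enabled and not READ_ONLY_NEEDED <= cmds:
        findings.append("isro missing while read-only mode is enabled")
    return findings


# Constructed sample configs: the weak setting beside the corrected one.
WEAK_CFG = "tickTime=2000\nclientPort=2181\n4lw.commands.whitelist=*\n"
HARDENED_CFG = "tickTime=2000\nclientPort=2181\n4lw.commands.whitelist=srvr\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG)):
        print(name, audit_4lw(cfg) or "ok")
```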

> DOS attack on wchp/wchc four letter words (4lw)
> -----------------------------------------------
>
>                 Key: ZOOKEEPER-2693
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2693
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security, server
>    Affects Versions: 3.4.0, 3.5.1, 3.5.2
>            Reporter: Patrick Hunt
>            Assignee: Michael Han
>            Priority: Blocker
>             Fix For: 3.4.10, 3.5.3
>
>         Attachments: ZOOKEEPER-2693-01.patch
>
>
> The wchp/wchc four letter words can be exploited in a DOS attack on the ZK 
> client port - typically 2181. The following POC attack was recently published 
> on the web:
> https://webcache.googleusercontent.com/search?q=cache:_CNGIz10PRYJ:https://www.exploit-db.com/exploits/41277/+&cd=14&hl=en&ct=clnk&gl=us
> The most straightforward way to block this attack is to not allow access to 
> the client port to non-trusted clients - i.e. firewall the ZooKeeper service 
> and only allow access to trusted applications using it for coordination.

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)