Is it possible to add it to this page? https://zookeeper.apache.org/security.html

On Mon, May 21, 2018 at 9:51 AM, Patrick Hunt <[email protected]> wrote:

> CVE-2018-8012: Apache ZooKeeper Quorum Peer mutual authentication
>
> Severity: Critical
>
> Vendor:
> The Apache Software Foundation
>
> Versions Affected:
> ZooKeeper prior to 3.4.10
> ZooKeeper 3.5.0-alpha through 3.5.3-beta
> The unsupported ZooKeeper 1.x through 3.3.x versions may be also affected
>
> Description:
> No authentication/authorization is enforced when a server attempts to join
> a quorum. As a result an arbitrary end point could join the cluster and
> begin propagating counterfeit changes to the leader.
>
> Mitigation:
> Upgrade to 3.4.10 or later (3.5.4-beta or later if on the 3.5 branch) and
> enable Quorum Peer mutual authentication.
>
> Alternately ensure the ensemble election/quorum communication is protected
> by a firewall as this will mitigate the issue.
>
> See the documentation for more details on correct cluster administration.
>
> Credit:
> This issue was identified by Földi Tamás and Eugene Koontz
>
> References:
> https://issues.apache.org/jira/browse/ZOOKEEPER-1045
> https://cwiki.apache.org/confluence/display/ZOOKEEPER/Server-Server+mutual+authentication
> http://zookeeper.apache.org/doc/current/zookeeperAdmin.html
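
Added example, not part of the original thread or of ZooKeeper itself: a small audit of a `zoo.cfg` against the two mitigations in the advisory. It assumes the three `quorum.auth.*` keys described in the Server-Server mutual authentication guide referenced above; the sample configs, hostnames and ports are constructed.

```python
import re

# Keys from the "Server-Server mutual authentication" guide (assumed here).
# All three default to false, which leaves quorum joins unauthenticated.
REQUIRED = ("quorum.auth.enableSasl",
            "quorum.auth.learnerRequireSasl",
            "quorum.auth.serverRequireSasl")

def parse_cfg(text):
    """Parse zoo.cfg style key=value lines, skipping blanks and # comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg

def audit(text):
    """Return (findings, ports): unset auth flags and ports to firewall."""
    cfg = parse_cfg(text)
    findings = [f"{k} is not 'true'" for k in REQUIRED
                if cfg.get(k, "false").lower() != "true"]
    ports = set()
    for key, value in cfg.items():
        if re.fullmatch(r"server\.\d+", key):
            # server.N=host:quorumPort:electionPort[:role][;clientPort]
            # (simplification: bracketed IPv6 hosts are not handled)
            parts = value.split(";")[0].split(":")
            ports.update(int(p) for p in parts[1:3] if p.isdigit())
    return findings, sorted(ports)

# Constructed sample configs (hostnames and ports are made up).
WEAK = """
tickTime=2000
server.1=zk1.example.internal:2888:3888
server.2=zk2.example.internal:2888:3888
quorum.auth.enableSasl=true
"""
HARDENED = WEAK + """
quorum.auth.learnerRequireSasl=true
quorum.auth.serverRequireSasl=true
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text))
```

An empty findings list only shows the flags are set; the login contexts described in the guide still have to be configured on every server, and the listed ports are the ones the firewall mitigation needs to cover.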
