I missed that step. It's updated now. Thanks! Patrick
On Mon, May 21, 2018 at 10:27 AM s n <[email protected]> wrote: > Is it possible to add it to this page > https://zookeeper.apache.org/security.html > > > On Mon, May 21, 2018 at 9:51 AM, Patrick Hunt <[email protected]> wrote: > > > CVE-2018-8012: Apache ZooKeeper Quorum Peer mutual authentication > > > > Severity: Critical > > > > Vendor: > > The Apache Software Foundation > > > > Versions Affected: > > ZooKeeper prior to 3.4.10 > > ZooKeeper 3.5.0-alpha through 3.5.3-beta > > The unsupported ZooKeeper 1.x through 3.3.x versions may be also affected > > > > Description: > > No authentication/authorization is enforced when a server attempts to > join > > a quorum. As a result an arbitrary end point could join the cluster and > > begin propagating counterfeit changes to the leader. > > > > Mitigation: > > Upgrade to 3.4.10 or later (3.5.4-beta or later if on the 3.5 branch) and > > enable Quorum Peer mutual authentication. > > > > Alternately ensure the ensemble election/quorum communication is > protected > > by a firewall as this will mitigate the issue. > > > > See the documentation for more details on correct cluster administration. > > > > Credit: > > This issue was identified by Földi Tamás and Eugene Koontz > > > > References: > > https://issues.apache.org/jira/browse/ZOOKEEPER-1045 > > https://cwiki.apache.org/confluence/display/ZOOKEEPER/ > > Server-Server+mutual+authentication > > http://zookeeper.apache.org/doc/current/zookeeperAdmin.html > > >
