Dear Patrick Hunt:
I opened two issues in the JIRA:
https://issues.apache.org/jira/browse/ZOOKEEPER-3488 and
https://issues.apache.org/jira/browse/ZOOKEEPER-3489
I am very sorry that I cannot reply
https://lists.apache.org/thread.html/ea0f515bcb994bae54e62584c2c659b83efa4d22e741d4b688c4479b
<https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.apache.org_thread.html_ea0f515bcb994bae54e62584c2c659b83efa4d22e741d4b688c4479b-40-253Cuser.zookeeper.apache.org-253E&d=DwMFaQ&c=C3yme8gMkxg_ihJNXS06ZyWk4EJm8LdrrvxQb-Je7sw&r=I7kF79XmGGZ9RLTiorMoewvoyduMXtLcRb1B2epe9cI&m=C_FrvfYh4GtqQesDyKDl4kau6xsDwvLGHAA0IZB9etE&s=mZcIhnGSnLca5JxJbOoKzoTiSuQQZmtyDo_eadoJHcw&e=>
Please confirm them and give them CVE IDs.
Thank you very much!
Yours sincerely
Xiaoqin Fu
On Mon, Aug 5, 2019 at 6:23 PM Xiaoqin Fu <[email protected]> wrote:
> Dear Patrick Hunt:
> I opened two issues in the JIRA:
> https://issues.apache.org/jira/browse/ZOOKEEPER-3488 and
> https://issues.apache.org/jira/browse/ZOOKEEPER-3489
> I am very sorry that I cannot reply
> https://lists.apache.org/thread.html/ea0f515bcb994bae54e62584c2c659b83efa4d22e741d4b688c4479b
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.apache.org_thread.html_ea0f515bcb994bae54e62584c2c659b83efa4d22e741d4b688c4479b-40-253Cuser.zookeeper.apache.org-253E&d=DwMFaQ&c=C3yme8gMkxg_ihJNXS06ZyWk4EJm8LdrrvxQb-Je7sw&r=I7kF79XmGGZ9RLTiorMoewvoyduMXtLcRb1B2epe9cI&m=C_FrvfYh4GtqQesDyKDl4kau6xsDwvLGHAA0IZB9etE&s=mZcIhnGSnLca5JxJbOoKzoTiSuQQZmtyDo_eadoJHcw&e=>
> Please confirm them and give them CVE IDs.
>
>
> Thank you very much!
> Yours sincerely
> Xiaoqin Fu
>
>
> On Fri, Aug 2, 2019 at 11:20 AM Patrick Hunt <[email protected]> wrote:
>
>> I know. :-) Once a vulnerability has been publicly disclosed there is no
>> value in handling it on the security@ list - that's for undisclosed
>> vulnerabilities to be handled in a responsible (private) manner until a fix
>> can be released to end users. You can see the process here:
>> https://www.apache.org/security/committers.html
>>
>> Regards,
>>
>> Patrick
>>
>> On Fri, Aug 2, 2019 at 10:24 AM Xiaoqin Fu <[email protected]> wrote:
>>
>>> Dear Patrick Hunt:
>>>
>>> https://lists.apache.org/thread.html/ea0f515bcb994bae54e62584c2c659b83efa4d22e741d4b688c4479b@<user.zookeeper.apache.org>
>>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.apache.org_thread.html_ea0f515bcb994bae54e62584c2c659b83efa4d22e741d4b688c4479b-40-253Cuser.zookeeper.apache.org-253E&d=DwMFaQ&c=C3yme8gMkxg_ihJNXS06ZyWk4EJm8LdrrvxQb-Je7sw&r=I7kF79XmGGZ9RLTiorMoewvoyduMXtLcRb1B2epe9cI&m=C_FrvfYh4GtqQesDyKDl4kau6xsDwvLGHAA0IZB9etE&s=mZcIhnGSnLca5JxJbOoKzoTiSuQQZmtyDo_eadoJHcw&e=>
>>> was
>>> disclosed by me.
>>>
>>> Thank you very much!
>>> Yours sincerely
>>> Xiaoqin Fu
>>>
>>>
>>> On Fri, Aug 2, 2019 at 11:04 AM Patrick Hunt <[email protected]> wrote:
>>>
>>>> Hi Xiaoqin Fu. Thank you for the report. The Apache Software Foundation
>>>> and the Apache ZooKeeper project takes security issues very seriously.
>>>>
>>>> Unfortunately this issue has already been publicly disclosed on both
>>>> the dev and user lists:
>>>>
>>>> https://lists.apache.org/thread.html/ea0f515bcb994bae54e62584c2c659b83efa4d22e741d4b688c4479b@<user.zookeeper.apache.org>
>>>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.apache.org_thread.html_ea0f515bcb994bae54e62584c2c659b83efa4d22e741d4b688c4479b-40-253Cuser.zookeeper.apache.org-253E&d=DwMFaQ&c=C3yme8gMkxg_ihJNXS06ZyWk4EJm8LdrrvxQb-Je7sw&r=I7kF79XmGGZ9RLTiorMoewvoyduMXtLcRb1B2epe9cI&m=C_FrvfYh4GtqQesDyKDl4kau6xsDwvLGHAA0IZB9etE&s=mZcIhnGSnLca5JxJbOoKzoTiSuQQZmtyDo_eadoJHcw&e=>
>>>> as such please follow our standard processes documented here:
>>>> https://cwiki.apache.org/confluence/display/ZOOKEEPER/HowToContribute
>>>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__cwiki.apache.org_confluence_display_ZOOKEEPER_HowToContribute&d=DwMFaQ&c=C3yme8gMkxg_ihJNXS06ZyWk4EJm8LdrrvxQb-Je7sw&r=I7kF79XmGGZ9RLTiorMoewvoyduMXtLcRb1B2epe9cI&m=C_FrvfYh4GtqQesDyKDl4kau6xsDwvLGHAA0IZB9etE&s=vhQg3XrZS-o0UME9EYvtoCerG-ZNtJhTtbvo1M_MasM&e=>
>>>> -
>>>> the community will work with you to get the issue resolved.
>>>>
>>>> Regards,
>>>>
>>>> Patrick
>>>>
>>>>
>>>> On Fri, Aug 2, 2019 at 3:35 AM Fu, Xiaoqin <[email protected]> wrote:
>>>>
>>>>> Dear developers:
>>>>> I am a Ph.D. student at Washington State University. I applied
>>>>> dynamic taint analyzer (distTaint) to Apache Zookeeper (version 3.4.11).
>>>>> And then I find several bugs, that exist from 3.4.11-3.4.14 and 3.5.5,
>>>>> from
>>>>> tainted paths:
>>>>>
>>>>> 1. In org.apache.zookeeper.server.ZooKeeperServer:
>>>>> public ZooKeeperServer(FileTxnSnapLog txnLogFactory, int tickTime,
>>>>> int minSessionTimeout, int maxSessionTimeout, ZKDatabase
>>>>> zkDb) {
>>>>> ......
>>>>> LOG.info("Created server with tickTime " + tickTime
>>>>> + " minSessionTimeout " + getMinSessionTimeout()
>>>>> + " maxSessionTimeout " + getMaxSessionTimeout()
>>>>> + " datadir " + txnLogFactory.getDataDir()
>>>>> + " snapdir " + txnLogFactory.getSnapDir());
>>>>> ......
>>>>> }
>>>>> public void finishSessionInit(ServerCnxn cnxn, boolean valid)
>>>>> ......
>>>>> if (!valid) {
>>>>> LOG.info("Invalid session 0x"
>>>>> + Long.toHexString(cnxn.getSessionId())
>>>>> + " for client "
>>>>> + cnxn.getRemoteSocketAddress()
>>>>> + ", probably expired");
>>>>> cnxn.sendBuffer(ServerCnxnFactory.closeConn);
>>>>> } else {
>>>>> LOG.info("Established session 0x"
>>>>> + Long.toHexString(cnxn.getSessionId())
>>>>> + " with negotiated timeout " +
>>>>> cnxn.getSessionTimeout()
>>>>> + " for client "
>>>>> + cnxn.getRemoteSocketAddress());
>>>>> cnxn.enableRecv();
>>>>> }
>>>>> ......
>>>>> }
>>>>> Sensitive information about DataDir, SnapDir, SessionId and
>>>>> RemoteSocketAddress may be leaked. I think that it is better to add
>>>>> LOG.isInfoEnabled() conditional statements:
>>>>> public ZooKeeperServer(FileTxnSnapLog txnLogFactory, int tickTime,
>>>>> int minSessionTimeout, int maxSessionTimeout, ZKDatabase
>>>>> zkDb) {
>>>>> ......
>>>>> if (LOG.isInfoEnabled())
>>>>> LOG.info("Created server with tickTime " + tickTime
>>>>> + " minSessionTimeout " + getMinSessionTimeout()
>>>>> + " maxSessionTimeout " + getMaxSessionTimeout()
>>>>> + " datadir " + txnLogFactory.getDataDir()
>>>>> + " snapdir " + txnLogFactory.getSnapDir());
>>>>> ......
>>>>> }
>>>>> public void finishSessionInit(ServerCnxn cnxn, boolean valid) {
>>>>> ......
>>>>> if (!valid) {
>>>>> if (LOG.isInfoEnabled())
>>>>> LOG.info("Invalid session 0x"
>>>>> + Long.toHexString(cnxn.getSessionId())
>>>>> + " for client "
>>>>> + cnxn.getRemoteSocketAddress()
>>>>> + ", probably expired");
>>>>> cnxn.sendBuffer(ServerCnxnFactory.closeConn);
>>>>> } else {
>>>>> if (LOG.isInfoEnabled())
>>>>> LOG.info("Established session 0x"
>>>>> + Long.toHexString(cnxn.getSessionId())
>>>>> + " with negotiated timeout " +
>>>>> cnxn.getSessionTimeout()
>>>>> + " for client "
>>>>> + cnxn.getRemoteSocketAddress());
>>>>> cnxn.enableRecv();
>>>>> }
>>>>> ......
>>>>> }
>>>>> The LOG.isInfoEnabled() conditional statement already exists in
>>>>> org.apache.zookeeper.server.persistence.FileTxnLog:
>>>>> public synchronized boolean append(TxnHeader hdr, Record txn) throws
>>>>> IOException {
>>>>> { ......
>>>>> if(LOG.isInfoEnabled()){
>>>>> LOG.info("Creating new log file: " + Util.makeLogName(hdr.getZxid()));
>>>>> }
>>>>> ......
>>>>> }
>>>>> 2. In org.apache.zookeeper.ClientCnxn$SendThread,
>>>>> void readResponse(ByteBuffer incomingBuffer) throws
>>>>> IOException {
>>>>> ......
>>>>> LOG.warn("Got server path " + event.getPath()
>>>>> + " which is too short for chroot path "
>>>>> + chrootPath);
>>>>> ......
>>>>> }
>>>>> Sensitive information about event path and chroot path may be leaked.
>>>>> The LOG.isWarnEnabled() conditional statement should be added:
>>>>> void readResponse(ByteBuffer incomingBuffer) throws IOException {
>>>>> ......
>>>>> if (LOG.isWarnEnabled())
>>>>> LOG.warn("Got server path " + event.getPath()
>>>>> + " which is too short for chroot path "
>>>>> + chrootPath);
>>>>> ......
>>>>> }
>>>>>
>>>>> Please help me confirm them and give them CVE IDs.
>>>>>
>>>>> Thank you very much!
>>>>> Yours sincerely
>>>>> Xiaoqin Fu
>>>>>
>>>>>
