[ https://issues.apache.org/jira/browse/NIFI-14721?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18003475#comment-18003475 ]
Pierre Villard commented on NIFI-14721:
---------------------------------------
The mentioned CVE does not apply to ZooKeeper 3.9.3, which is the version used
in the latest version of NiFi.
Besides, using the embedded ZooKeeper for NiFi is not recommended for
production and is only provided to make it easy for developers to run NiFi in
clustered mode for POCs and testing.
> Zookeeper for cluster mode exploit still available
> --------------------------------------------------
>
> Key: NIFI-14721
> URL: https://issues.apache.org/jira/browse/NIFI-14721
> Project: Apache NiFi
> Issue Type: Bug
> Components: Security
> Affects Versions: 1.28.1, 2.4.0
> Reporter: WojciechWitos
> Priority: Major
>
> Exploit of:
> [Zookeeper 3.5.2 Client - Denial of Service - Multiple dos
> Exploit|https://www.exploit-db.com/exploits/42294]
> is still applicable even though ZooKeeper is in the newest version.
> Specification of the cluster:
> * 4 CPU
> * 20 GB RAM
> After running the code specified on the website with the specific number of
> threads (10000), CPU usage goes from 10% to 35% or even more. When the cluster
> has some load, it causes the application to crash (tested).
> Tried to disable those methods via zookeeper.properties, but it didn't work out.
> The issue still persists.
> Behavior of the application is the same in NiFi 1.28.1 and 2.4.
> Unsafe options should have been disabled by default, but in NiFi itself
> they are enabled somehow and allow this exploit.
> [ZooKeeper: Because Coordinating Distributed Systems is a
> Zoo|https://zookeeper.apache.org/doc/r3.9.3/zookeeperAdmin.html#Unsafe+Options]