[ https://issues.apache.org/jira/browse/NIFI-14721?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18003497#comment-18003497 ]

Pierre Villard commented on NIFI-14721:
---------------------------------------

Not saying that it cannot be reproduced with the latest version, I have not 
checked myself, I'm just saying that the CVE mentioned in the link is not 
supposed to be applicable with the latest version of Zookeeper based on the 
records. NiFi uses the latest version available so there is not much we can do 
if such an issue exists, as far as I can tell. I'd bring the matter to the 
Zookeeper community to see if there is still an issue to be solved.

> Zookeeper for cluster mode exploit still available
> --------------------------------------------------
>
>                 Key: NIFI-14721
>                 URL: https://issues.apache.org/jira/browse/NIFI-14721
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 1.28.1, 2.4.0
>            Reporter: WojciechWitos
>            Priority: Major
>
> Exploit of:
> [Zookeeper 3.5.2 Client - Denial of Service - Multiple dos 
> Exploit|https://www.exploit-db.com/exploits/42294]
> is still applicable even though the zookeeper is in the newest version.
> Specification of the cluster:
>  * 4 CPU
>  * 20 GB RAM
> After running the code specified on the website with the specific number of 
> threads: 10000, CPU usage from 10% goes to 35% or even more. When the cluster 
> would have some load, it would cause the application to crash (tested).
> Tried to disable those methods via zookeeper.properties but it didn't work out. 
> Issue still persists.
> Behavior of the application is the same in the NiFi 1.28.1 and the 2.4.
> Unsafe options should've been disabled by default, but in the NiFi itself 
> they are enabled somehow and allow this exploit.
> [ZooKeeper: Because Coordinating Distributed Systems is a 
> Zoo|https://zookeeper.apache.org/doc/r3.9.3/zookeeperAdmin.html#Unsafe+Options]



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
