[
https://issues.apache.org/jira/browse/ZOOKEEPER-4977?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
zhangpeng updated ZOOKEEPER-4977:
---------------------------------
Attachment: 5F7DE753-B347-43A9-9B84-401BA743C4C1.png
> superDigest configuration found in embedded pom.xml within zookeeper-3.9.3.jar
> ------------------------------------------------------------------------------
>
> Key: ZOOKEEPER-4977
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4977
> Project: ZooKeeper
> Issue Type: Bug
> Components: security
> Affects Versions: 3.9.3
> Reporter: zhangpeng
> Priority: Critical
> Labels: security
> Attachments: 5F7DE753-B347-43A9-9B84-401BA743C4C1.png
>
>
> {{superDigest}} configuration found in embedded {{pom.xml}} within
> zookeeper-3.9.3.jar
>
> <zookeeper.DigestAuthenticationProvider.superDigest>super:D/InIHSb7yEEbrWz8b9l71RjZJU=</zookeeper.DigestAuthenticationProvider.superDigest>
>
> *Environment:*
> * ZooKeeper Version: 3.9.3 (the official binary distribution from Maven
> Central)
> * JDK Version: N/A (discovered during static analysis of the JAR file)
> * OS: N/A
> *Problem Description:*
> During a routine security audit of our application dependencies, we
> discovered that the {{zookeeper-3.9.3.jar}} file contains its own {{pom.xml}}
> file at the path
> {{META-INF/maven/org.apache.zookeeper/zookeeper/pom.xml}}. This embedded
> {{pom.xml}} file includes a property configuration for
> {{zookeeper.DigestAuthenticationProvider.superDigest}} with a pre-defined
> hash value.
> *Steps to Reproduce:*
> # Download the official {{org.apache.zookeeper:zookeeper:3.9.3}} JAR from
> Maven Central.
> # Extract the JAR file or use a tool ({{jar -tf}}, {{unzip -l}},
> IDE) to list its contents.
> # Locate the file {{META-INF/maven/org.apache.zookeeper/zookeeper/pom.xml}}
> inside the JAR.
> # Inspect the content of this {{pom.xml}} file. On line 283 (or nearby), you
> will find:
> {{<zookeeper.DigestAuthenticationProvider.superDigest>super:D/InIHSb7yEEbrWz8b9l71RjZJU=</zookeeper.DigestAuthenticationProvider.superDigest>}}
> *Expected Behavior:*
> The published binary JAR artifacts should not contain any residual or testing
> configuration files that include sensitive properties, especially those
> related to security authentication like the superuser digest. The
> build/packaging process should strip such elements from the final release
> artifact.
> *Actual Behavior:*
> The released {{zookeeper-3.9.3.jar}} contains an embedded {{pom.xml}} which
> includes a configured {{superDigest}} property. While this is a hash and not
> a plaintext password, its presence in a widely distributed binary is a
> potential security risk.
> *Potential Risk:*
> # *Information Disclosure:* This exposes a known credential hash, which
> violates the principle of least surprise and could be used in conjunction
> with other vulnerabilities (e.g., CVE-2014-085 - information disclosure in
> logs).
> # *Increased Attack Surface:* If an attacker gains access to the JAR file
> (e.g., through a deployment leak), they extract this hash. Although SHA-1
> hashing is used, it could potentially be targeted for brute-force attacks if
> the original password was weak, potentially granting superuser access to a
> ZooKeeper ensemble.
> # *Bad Practice:* The presence of this configuration, even if not activated
> by default, sets a poor security precedent for users who might find it and
> mistakenly use it without generating a new secure digest.
>
> !image-2025-09-15-16-00-33-152.png!
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
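The reproduction steps above (list the JAR, locate the embedded Maven pom.xml, inspect its properties) can be automated as a dependency-audit check. The following script is an added example and is not part of the reporter's text or of the ZooKeeper project; it builds a constructed in-memory JAR that mimics the layout described in the report (a pom.xml under META-INF/maven/ carrying the quoted superDigest property), then scans it. The 28-character base64 pattern it matches is the shape of a base64-encoded SHA-1 digest, which is the format ZooKeeper's digest scheme uses for `user:digest` values; the sample pom content, the function names and the exact match heuristics are assumptions of this example.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# ZooKeeper digest credentials look like "<user>:<base64 of a 20-byte SHA-1>",
# i.e. 27 base64 characters followed by one "=" pad character.
DIGEST_RE = re.compile(r"^[^:]+:[A-Za-z0-9+/]{27}=$")


def find_embedded_poms(jar_bytes):
    """Return {entry_name: xml_text} for every pom.xml stored under META-INF/maven/."""
    poms = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.xml"):
                poms[name] = zf.read(name).decode("utf-8", errors="replace")
    return poms


def _local(tag):
    # Strip the Maven XML namespace: "{http://maven.apache.org/POM/4.0.0}foo" -> "foo"
    return tag.rsplit("}", 1)[-1]


def find_superdigest_properties(pom_xml):
    """Return [(property_name, value)] for <properties> children that name a
    superDigest or whose value has the user:base64-SHA-1 digest shape."""
    hits = []
    root = ET.fromstring(pom_xml)
    for props in root.iter():
        if _local(props.tag) != "properties":
            continue
        for prop in props:
            name = _local(prop.tag)
            value = (prop.text or "").strip()
            if "superDigest" in name or DIGEST_RE.match(value):
                hits.append((name, value))
    return hits


def audit_jar(jar_bytes):
    """Map each embedded pom.xml to its suspicious properties (empty list = clean)."""
    return {name: find_superdigest_properties(xml)
            for name, xml in find_embedded_poms(jar_bytes).items()}


def build_sample_jar(include_digest):
    """Constructed sample JAR (not the real zookeeper-3.9.3.jar) with an embedded pom.xml."""
    prop = ""
    if include_digest:
        prop = ("<zookeeper.DigestAuthenticationProvider.superDigest>"
                "super:D/InIHSb7yEEbrWz8b9l71RjZJU="
                "</zookeeper.DigestAuthenticationProvider.superDigest>")
    pom = f"""<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <artifactId>zookeeper</artifactId>
  <properties>
    <maven.compiler.source>1.8</maven.compiler.source>
    {prop}
  </properties>
</project>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/maven/org.apache.zookeeper/zookeeper/pom.xml", pom)
    return buf.getvalue()


if __name__ == "__main__":
    # To audit a real artifact, replace the constructed JAR with open(path, "rb").read().
    for entry, hits in audit_jar(build_sample_jar(True)).items():
        for prop_name, value in hits:
            print(f"{entry}: {prop_name} = {value}")
```

Running this across a dependency cache (for example, every `.jar` under a local Maven repository) turns the manual inspection in the report into a repeatable check; a non-empty list for any entry is a finding to review, and the property value itself should be treated as a credential-bearing string when it is logged or stored.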