Patrick, Thanks for clarifying. Turns out I did the config right from the get-go, just got momentarily confused by all of the port numbers. :)
===

For anyone who's running CentOS/RHEL boxes, here's what we used for a 3-node ZooKeeper cluster with static IPs, to limit access to the election & quorum ports only to the cluster members (if using 2888 & 3888).

    # Open the client port (2181) in the public zone; this add-port rule has
    # no source restriction, only the quorum/election rules below do.
    sudo firewall-cmd --zone=public --add-port=2181/tcp --permanent

    # Resolve the static IP of each ensemble member from its hostname
    IP1=`dig +short $ZOOKEEPER_SERVER1`
    IP2=`dig +short $ZOOKEEPER_SERVER2`
    IP3=`dig +short $ZOOKEEPER_SERVER3`

    # Allow the quorum port (2888) and election port (3888) only from each
    # member's /32, so other hosts cannot reach the ensemble communication
    sudo firewall-cmd --permanent --zone=public --add-rich-rule="rule family=\"ipv4\" source address=\"$IP1/32\" port protocol=\"tcp\" port=\"2888\" accept"
    sudo firewall-cmd --permanent --zone=public --add-rich-rule="rule family=\"ipv4\" source address=\"$IP1/32\" port protocol=\"tcp\" port=\"3888\" accept"
    sudo firewall-cmd --permanent --zone=public --add-rich-rule="rule family=\"ipv4\" source address=\"$IP2/32\" port protocol=\"tcp\" port=\"2888\" accept"
    sudo firewall-cmd --permanent --zone=public --add-rich-rule="rule family=\"ipv4\" source address=\"$IP2/32\" port protocol=\"tcp\" port=\"3888\" accept"
    sudo firewall-cmd --permanent --zone=public --add-rich-rule="rule family=\"ipv4\" source address=\"$IP3/32\" port protocol=\"tcp\" port=\"2888\" accept"
    sudo firewall-cmd --permanent --zone=public --add-rich-rule="rule family=\"ipv4\" source address=\"$IP3/32\" port protocol=\"tcp\" port=\"3888\" accept"

    # Reload firewalld so the permanent rules take effect
    sudo firewall-cmd --reload

Philip Lowman
Sr. Software Security Engineer
WorkForce Software | 38705 Seven Mile Road, Livonia, MI 48152
T: +1 734-742-3610 | E: [email protected]

On May 26, 2018, at 2:45 PM, Patrick Hunt <[email protected]> wrote:

> On Fri, May 25, 2018 at 8:38 AM Philip Lowman <[email protected]> wrote:
>
>> Hello,
>>
>> In regards to the CVE-2018-8012 advisory posted on Monday (https://lists.apache.org/thread.html/c75147028c1c79bdebd4f8fa5db2b77da85de2b05ecc0d54d708b393@%3Cdev.zookeeper.apache.org%3E), it contains the following statement: "Alternatively ensure the ensemble election/quorum communication is protected by a firewall as this will mitigate the issue". I just wanted to ask (or hopefully just confirm), does this communication exclusively travel over the "leader election port"? In example configuration files the leader election port (see server.x in the docs: http://zookeeper.apache.org/doc/current/zookeeperAdmin.html#sc_configuration) is typically defined to be port 3888.
>>
>>     server.1=zoo1:2888:3888
>>     server.2=zoo2:2888:3888
>>     server.3=zoo3:2888:3888
>
> Hi Philip,
>
> The firewall would need to protect both the election and quorum ports - those are the two numbers at the end of the server.# configuration parameters.
> See http://zookeeper.apache.org/doc/current/zookeeperAdmin.html#sc_clusterOptions for more details on that config option.
>
> Patrick
>
>> Thanks
>>
>> Philip Lowman
>> Sr. Software Security Engineer
>> WorkForce Software | 38705 Seven Mile Road, Livonia, MI 48152
>> T: +1 734-742-3610 | E: [email protected]
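As an added example (not part of the thread or of ZooKeeper itself), the same rule set generalised: instead of hard-coding three IP variables, the peer list and both port numbers are read from the server.N lines of zoo.cfg, the config option Patrick points to, so each member gets exactly its quorum and election ports. It prints the firewall-cmd invocations as a dry run rather than executing them; the sample zoo.cfg, the 192.0.2.x addresses and the getent lookup for hostnames are assumptions.

```shell
#!/bin/sh
# Added example: derive firewalld rich rules for the ZooKeeper quorum and
# election ports from the server.N=host:quorum:election lines of a zoo.cfg.
# Constructed sample config (assumption); the addresses are documentation IPs.
ZOO_CFG_SAMPLE='tickTime=2000
dataDir=/var/lib/zookeeper
clientPort=2181
server.1=192.0.2.11:2888:3888
server.2=192.0.2.12:2888:3888
server.3=192.0.2.13:2888:3888'

# Return the IPv4 for a peer: literal addresses pass through, hostnames are
# looked up with getent (assumption: each peer resolves to a single IPv4).
resolve_peer() {
  case "$1" in
    *[!0-9.]*) getent ahostsv4 "$1" | awk 'NR==1 {print $1}' ;;
    *) printf '%s\n' "$1" ;;
  esac
}

# Print one rich-rule command per (peer, port) pair. Nothing is executed here;
# review the output, then pipe it to sh on each ZooKeeper node.
zk_peer_rules() {
  printf '%s\n' "$1" | grep '^server\.[0-9][0-9]*=' | while IFS= read -r line; do
    spec=${line#*=}            # host:quorum:election[...]
    host=${spec%%:*}
    rest=${spec#*:}
    quorum=${rest%%:*}
    election=${rest#*:}
    election=${election%%[;:]*} # drop an optional ":role" or ";clientPort" suffix
    ip=$(resolve_peer "$host")
    for port in "$quorum" "$election"; do
      printf 'firewall-cmd --permanent --zone=public --add-rich-rule="rule family=\\"ipv4\\" source address=\\"%s/32\\" port protocol=\\"tcp\\" port=\\"%s\\" accept"\n' "$ip" "$port"
    done
  done
}

zk_peer_rules "$ZOO_CFG_SAMPLE"
```

The printed commands still need a final `firewall-cmd --reload`, and they add no rule for the client port, which is deliberate: only the ensemble traffic is being restricted here.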
