Those points do not seem a security issue
Enrico
Il ven 9 ago 2019, 17:52 Fu, Xiaoqin <xiaoqin...@wsu.edu> ha scritto:
> Dear developers:
> I am a Ph.D. student at Washington State University. I applied
> dynamic taint analyzer (distTaint) to Apache Zookeeper (version 3.4.11).
> And then I find a security vulnerability, that exists from 3.4.11-3.4.14
> and 3.5.5, from tainted paths.
>
> Possible information leakage from FileTxnSnapLog to log without LOG
> control LOG.isDebugEnabled():
> In org.apache.zookeeper.server.persistence.FileTxnSnapLog, the statement
> LOG.debug don't have LOG controls:
> public void processTransaction(TxnHeader hdr,DataTree dt,
> Map<Long, Integer> sessions, Record txn)
> throws KeeperException.NoNodeException {
> ......
> if (rc.err != Code.OK.intValue()) {
> LOG.debug("Ignoring processTxn failure hdr:" + hdr.getType()
> + ", error: " + rc.err + ", path: " + rc.path);
> }
> ......
> }
>
> Sensitive information about hdr type or rc path may be leaked. The
> conditional statement LOG.isDebugEnabled() should be added:
> public void processTransaction(TxnHeader hdr,DataTree dt,
> Map<Long, Integer> sessions, Record txn)
> throws KeeperException.NoNodeException {
> ......
> if (rc.err != Code.OK.intValue()) {
> if (LOG.isDebugEnabled())
> LOG.debug("Ignoring processTxn failure hdr:" + hdr.getType()
> + ", error: " + rc.err + ", path: " + rc.path);
> }
> ......
> }
> Please help me confirm it and give it a CVE ID.
>
> Thank you very much!
> Yours sincerely
> Xiaoqin Fu
>
>
