[ZOOKEEPER-2693] DOS attack on wchp/wchc four letter words (4lw) - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Blocker
Resolution: Fixed
Affects Version/s: 3.4.0, 3.5.1, 3.5.2
Fix Version/s: 3.4.10, 3.5.3, 3.6.0
Component/s: security, server
Labels:
- pull-request-available

Description

The wchp/wchc four letter words can be exploited in a DOS attack on the ZK client port - typically 2181. The following POC attack was recently published on the web:

https://vulners.com/exploitdb/EDB-ID:41277

The most straightforward way to block this attack is to not allow access to the client port to non-trusted clients - i.e. firewall the ZooKeeper service and only allow access to trusted applications using it for coordination.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

ZOOKEEPER-2693-01.patch
21/Feb/17 03:23
8 kB
Mohammad Arshad

Issue Links

is related to

ZOOKEEPER-2726 Patch for ZOOKEEPER-2693 introduces potential race condition

Closed

relates to

ZOOKEEPER-2713 Create CVE text for ZOOKEEPER-2693 "DOS attack on wchp/wchc four letter words (4lw)"

Resolved

links to

GitHub Pull Request #

GitHub Pull Request #179

GitHub Pull Request #183

GitHub Pull Request #1608

(1 links to)

Activity

People

Assignee:: Michael Han

Reporter:: Patrick D. Hunt

Votes:: 0 Vote for this issue

Watchers:: 8 Start watching this issue

Dates

Created:: 14/Feb/17 03:33

Updated:: 06/Mar/21 21:36

Resolved:: 07/Mar/17 06:26

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

1h 10m