Details
-
Bug
-
Status: Open
-
Minor
-
Resolution: Unresolved
-
None
-
None
-
None
Description
The documentation regarding mutual ZooKeeper server to server authentication with DIGEST-MD5 currently doesn't mention whether this is insecure. DIGEST-MD5 was declared obsolete in 2011 due to security problems.
This is in relation to whether this is an effective mitigation for CVE-2018-8012 AKA ZOOKEEPER-1045, as mentioned in https://lists.apache.org/thread.html/c75147028c1c79bdebd4f8fa5db2b77da85de2b05ecc0d54d708b393@%3Cdev.zookeeper.apache.org%3E.
Would the following be a fitting addition to the documentation?:
DIGEST-MD5 based authentication should not be relied on for authentication as it is insecure, it is only provided for test purposes.