Bug 1454808 (CVE-2017-5637)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2017-5637 zookeeper: Incorrect input validation with wchp/wchc four letter words | | |
| Product | [Other] Security Response | Reporter | Andrej Nemec <anemec> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | abhgupta, aileenc, alazarot, chazlett, ctubbsii, ethan, etirelli, felias, hchiorea, hghasemb, java-sig-commits, jcoleman, jolee, jshepherd, kseifried, kverlaen, lpetrovi, mbaluch, mluscon, mwinkler, nwallace, pavelp, rrajasek, rzhang, s, tiwillia, tkirby, tstclair, vhalbert |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | A denial of service vulnerability was discovered in ZooKeeper which allows an attacker to dramatically increase CPU utilization by abusing the "wchp"/"wchc" four letter word commands, leading to the server being unable to serve legitimate requests. | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2017-11-30 16:58:57 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1454809, 1455642, 1455643 | | |
| Bug Blocks | 1454810, 1475996, 1500872 | | |
Description
Andrej Nemec
2017-05-23 13:43:38 UTC
Created zookeeper tracking bugs for this issue:

Affects: fedora-all [bug 1454809]

taking

For Fuse, the recommended security practice to mitigate this issue is to deploy and operate ZooKeeper in a secured network where the affected port is protected by the firewall. Additionally, it should be assumed that only an admin has access to the affected port, and this port should not be made available to the world.

I agree. ZooKeeper isn't designed to be run as a publicly available service. It's designed to be a coordination system for distributed applications deployed within a well-designed cluster architecture. If the input validation is buggy, that's certainly something to be addressed... but I'm not sure I'd call it a "security" bug, when the real security bug is the user operating it in an environment it wasn't designed for. That said, ZooKeeper is *very* stable in its API, from what I've seen, and it's generally *very* low risk to upgrade to the latest version to fix any known bugs, provided the dependencies are available.

This issue has been addressed in the following products:

Red Hat JBoss Data Virtualization

Via RHSA-2017:2477 https://access.redhat.com/errata/RHSA-2017:2477

This issue has been addressed in the following products:

Red Hat JBoss BPM Suite

Via RHSA-2017:3355 https://access.redhat.com/errata/RHSA-2017:3355

This issue has been addressed in the following products:

Red Hat JBoss BRMS

Via RHSA-2017:3354 https://access.redhat.com/errata/RHSA-2017:3354
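Added example, not part of this bug report or of the ZooKeeper project: a small POSIX shell script that checks whether a ZooKeeper client port answers the expensive wchc/wchp four-letter words at all, and that shows the mitigation the comments above recommend, a host firewall rule confining the client port to cluster peers. It assumes netcat (`nc`) is installed, that the client port is 2181, and that the peer subnet `10.0.0.0/24`, the iptables rules and the "not in the whitelist" reply text are placeholders to adapt to your deployment and ZooKeeper build.

```shell
#!/bin/sh
# Added example, not from this bug report or from the ZooKeeper project.
# (1) Probe whether a ZooKeeper client port executes the wchc four-letter
#     word (the watch dump the report says drives CPU usage up).
# (2) Confine the client port to cluster peers with a host firewall rule,
#     which is the mitigation recommended in the comments.
# Assumptions: `nc` is installed; client port 2181; subnet 10.0.0.0/24 and
# the iptables rules are placeholders; the whitelist reply text is assumed.

# Send one four-letter word (4lw) and print whatever the server replies.
# ZooKeeper answers a 4lw on its client port and then closes the
# connection, so a 3-second timeout is enough; errors are swallowed so an
# unreachable host (or a missing nc) simply yields an empty reply.
zk_4lw() {
  printf '%s' "$3" | nc -w 3 "$1" "$2" 2>/dev/null || true
}

# Classify the reply to wchc/wchp. Empty means nothing answered (port
# filtered, closed, or the connection was dropped). A reply containing
# "not in the whitelist" is the assumed wording of a server that has the
# command disabled through a 4lw whitelist. Anything else means the server
# executed the command and dumped its watch table.
classify_reply() {
  case "$1" in
    "")                       echo no-reply ;;
    *"not in the whitelist"*) echo rejected ;;
    *)                        echo executed ;;
  esac
}

# Exit 0 when wchc is reachable and executed on host:port, 1 otherwise.
zk_wchc_exposed() {
  [ "$(classify_reply "$(zk_4lw "$1" "$2" wchc)")" = executed ]
}

# Mitigation from the comments: only cluster peers may reach the client
# port. The first rule accepts the peer subnet, the second drops everyone
# else; order matters because iptables stops at the first matching rule.
zk_restrict_client_port() {
  iptables -A INPUT -p tcp --dport 2181 -s 10.0.0.0/24 -j ACCEPT
  iptables -A INPUT -p tcp --dport 2181 -j DROP
}

# Usage (needs a reachable server, so not run here):
#   zk_wchc_exposed zk1.example.internal 2181 && echo "wchc is exposed"
```

Run the probe from outside the cluster network: a server that is both reachable and answers wchc with a watch listing is the exposure the report describes, and the only outcomes you want to see from an untrusted vantage point are `no-reply` (port filtered) or `rejected` (command disabled). Watch out for netcat variants that keep the connection open after stdin closes; the `-w 3` timeout bounds that case so the probe still returns.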