Bug 1454808 (CVE-2017-5637)

Summary: CVE-2017-5637 zookeeper: Incorrect input validation with wchp/wchc four letter words
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: abhgupta, aileenc, alazarot, chazlett, ctubbsii, ethan, etirelli, felias, hchiorea, hghasemb, java-sig-commits, jcoleman, jolee, jshepherd, kseifried, kverlaen, lpetrovi, mbaluch, mluscon, mwinkler, nwallace, pavelp, rrajasek, rzhang, s, tiwillia, tkirby, tstclair, vhalbert
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A denial of service vulnerability was discovered in ZooKeeper which allows an attacker to dramatically increase CPU utilization by abusing "wchp/wchc" commands, leading to the server being unable to serve legitimate requests.
Story Points: ---
Last Closed: 2017-11-30 16:58:57 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1454809, 1455642, 1455643
Bug Blocks: 1454810, 1475996, 1500872

Description Andrej Nemec 2017-05-23 13:43:38 UTC
Two four letter word commands, “wchp/wchc”, are CPU intensive and could cause a spike of CPU utilization on the ZooKeeper server if abused, which leaves the server unable to serve legitimate client requests.

Upstream issue:

https://issues.apache.org/jira/browse/ZOOKEEPER-2693

References:

https://vulners.com/exploitdb/EDB-ID:41277

Comment 1 Andrej Nemec 2017-05-23 13:44:23 UTC
Created zookeeper tracking bugs for this issue:

Affects: fedora-all [bug 1454809]

Comment 5 Pavel Polischouk 2017-07-24 18:32:59 UTC
taking

Comment 6 Hooman Broujerdi 2017-07-25 02:19:07 UTC
For Fuse, the recommended security practice to mitigate this issue is to deploy and operate ZooKeeper in a secured network where, essentially, the affected port is protected by the firewall. Additionally, it should be assumed that only the admin has access to the affected port, and this port should not be made available to the world.

Comment 7 Christopher Tubbs 2017-07-25 02:57:38 UTC
I agree. ZooKeeper isn't designed to be run as a publicly available service. It's designed to be a coordination system for distributed applications deployed within a well-designed cluster architecture.

If the input validation is buggy, that's certainly something to be addressed... but I'm not sure I'd call it a "security" bug, when the real security bug is the user operating it in an environment it wasn't designed for.

That said, ZooKeeper is *very* stable in its API, from what I've seen, and it's generally *very* low risk to upgrade to the latest version to fix any known bugs, provided the dependencies are available.
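
Added example, not from the bug report, its commenters or the ZooKeeper project: a small Python probe for the exposure described in the Description and the port-restriction advice in Comment 6. It sends the two watch-dump four letter words (wchp, wchc) to a ZooKeeper client port and reports whether each one is answered, refused by the server's 4lw.commands.whitelist (the configuration property the fix for ZOOKEEPER-2693 introduced), or unreachable. The exact refusal wording is an assumption about the fixed server's reply; the stub server, its whitelist handling and the fake watch dump it returns are constructed here so the probe can be exercised offline.

```python
import socket
import socketserver
import threading

# Assumption: a post-fix ZooKeeper answers a non-whitelisted word with
# "<cmd> is not executed because it is not in the whitelist." and closes the
# connection. Adjust this substring if your build phrases it differently.
WHITELIST_REFUSAL = "is not executed because it is not in the whitelist"

# The two CPU-intensive watch dumps from the Description.
WATCH_COMMANDS = ("wchp", "wchc")


def send_four_letter_word(host, port, word, timeout=5.0):
    """Send one four letter word on the client port and return the text reply.

    ZooKeeper treats the first four bytes of a fresh connection as a command,
    writes the answer and closes the socket, so the reply is read until EOF.
    """
    if len(word) != 4 or not word.isascii() or not word.isalpha():
        raise ValueError("four letter words are exactly four ASCII letters")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(word.encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def classify_reply(reply):
    """'blocked': the whitelist refused it; 'enabled': the command ran and
    returned data; 'silent': the server closed the connection with no output."""
    if not reply.strip():
        return "silent"
    if WHITELIST_REFUSAL in reply:
        return "blocked"
    return "enabled"


def check_watch_commands(host, port):
    """Probe wchp and wchc once each. 'enabled' on a port reachable from an
    untrusted network is the condition this CVE describes; 'unreachable' is
    what Comment 6's firewall posture should produce from outside the cluster."""
    results = {}
    for word in WATCH_COMMANDS:
        try:
            results[word] = classify_reply(send_four_letter_word(host, port, word))
        except OSError:
            results[word] = "unreachable"
    return results


class _StubHandler(socketserver.BaseRequestHandler):
    """Constructed stand-in for a ZooKeeper client port: applies a whitelist
    the way the fixed server does, using the assumed refusal wording above."""

    def handle(self):
        raw = b""
        while len(raw) < 4:
            chunk = self.request.recv(4 - len(raw))
            if not chunk:
                return
            raw += chunk
        cmd = raw.decode("ascii", errors="replace")
        if cmd not in self.server.whitelist:
            body = "%s is not executed because it is not in the whitelist.\n" % cmd
        elif cmd in WATCH_COMMANDS:
            # A real dump lists every watched path and session; this is a fake one.
            body = "watches:\n\t/app/config\n\t\t0x1000123456\n"
        else:
            body = "imok"
        self.request.sendall(body.encode("utf-8"))


def start_stub_server(whitelist):
    """Start the stub on an ephemeral loopback port; returns (server, port).
    Call server.shutdown() and server.server_close() when finished."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _StubHandler)
    server.daemon_threads = True
    server.whitelist = set(whitelist)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    weak, weak_port = start_stub_server({"ruok", "srvr", "wchp", "wchc"})
    hardened, hard_port = start_stub_server({"ruok", "srvr", "mntr"})
    print("wchp/wchc whitelisted:", check_watch_commands("127.0.0.1", weak_port))
    print("restricted whitelist: ", check_watch_commands("127.0.0.1", hard_port))
    weak.shutdown()
    hardened.shutdown()
```

Point check_watch_commands at a real ensemble member instead of the stub to audit it. Probe each server once rather than in a loop: on a busy ensemble a whitelisted wchp/wchc is itself the CPU-intensive request the report warns about, so the check should not become the attack.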

Comment 8 errata-xmlrpc 2017-08-15 15:09:21 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Data Virtualization

Via RHSA-2017:2477 https://access.redhat.com/errata/RHSA-2017:2477

Comment 9 errata-xmlrpc 2017-11-30 16:46:50 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite

Via RHSA-2017:3355 https://access.redhat.com/errata/RHSA-2017:3355

Comment 10 errata-xmlrpc 2017-11-30 16:48:17 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BRMS

Via RHSA-2017:3354 https://access.redhat.com/errata/RHSA-2017:3354