Bug 1715197 (CVE-2019-0201)

Summary: CVE-2019-0201 zookeeper: Information disclosure in Apache ZooKeeper
Product: [Other] Security Response Reporter: Laura Pardo <lpardo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aileenc, akoufoud, alazarot, almorale, anstephe, asmigala, ataylor, avibelli, bgeorges, chazlett, ctubbsii, drieden, etirelli, gvarsami, ibek, janstey, java-sig-commits, jbalunas, jcoleman, jochrist, jolee, jpallich, jschatte, jstastny, kconner, krathod, kverlaen, ldimaggi, lthon, mluscon, mnovotny, mszynkie, nwallace, paradhya, pgallagh, rrajasek, rruss, rsynek, rwagner, sdaley, s, tcunning, tkirby, trogers, tstclair, vhalbert
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: zookeeper 3.6.0, zookeeper 3.5.5, zookeeper 3.4.14 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Apache ZooKeeper. A lack of permission checks while retrieving ACLs allows unsalted hash values to be disclosed for unauthenticated or unprivileged users.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-10-17 18:51:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1715199, 1749734    
Bug Blocks: 1715201    

Description Laura Pardo 2019-05-29 19:28:12 UTC 
An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper's getACL() command doesn't check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.


References:
http://www.securityfocus.com/bid/108427
https://issues.apache.org/jira/browse/ZOOKEEPER-1392
https://zookeeper.apache.org/security.html#CVE-2019-0201
Comment 1 Laura Pardo 2019-05-29 19:28:53 UTC 
Created zookeeper tracking bugs for this issue:

Affects: fedora-all [bug 1715199]
Comment 2 Joshua Padman 2019-08-12 02:26:42 UTC 
This vulnerability is out of security support scope for the following product:
 * Red Hat JBoss Fuse Service Works 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Comment 3 Chess Hazlett 2019-08-30 13:24:03 UTC 
Mitigation:

Use an authentication method other than Digest (e.g. Kerberos) or upgrade to zookeeper 3.4.14 or later (3.5.5 or later if on the 3.5 branch). [https://zookeeper.apache.org/security.html#CVE-2019-0201]
Comment 6 Andrej Smigala 2019-10-10 09:36:02 UTC 
Terribly sorry, updated the wrong bz
Comment 7 errata-xmlrpc 2019-10-17 14:55:16 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Data Virtualization 6.4.8

Via RHSA-2019:3140 https://access.redhat.com/errata/RHSA-2019:3140
Comment 8 Product Security DevOps Team 2019-10-17 18:51:28 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-0201
Comment 9 errata-xmlrpc 2019-11-14 21:18:28 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 7.5.0

Via RHSA-2019:3892 https://access.redhat.com/errata/RHSA-2019:3892
Comment 12 errata-xmlrpc 2019-12-19 17:38:01 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 6.3

Via RHSA-2019:4352 https://access.redhat.com/errata/RHSA-2019:4352