Graeme Colman of Red Hat reported a sensitive data exposure flaw in Apache Zookeeper. An admin user's password appeared in plaintext in binary log files. A local user could read this information and use it to gain administrative access to the application. Update 2018-08-06: JBoss Fuse did not enable encrypted passwords by default in its usage of Apache Zookeeper. This permitted sensitive information disclosure via logging to local users. This issue is a vulnerability in JBoss Fuse's usage of Apache Zookeeper, not in Zookeeper itself as was previously stated.
Acknowledgements: This issue was discovered by Graeme Colman of Red Hat.
This issue has been addressed in the following products: Red Hat JBoss A-MQ 6.1.0 Via RHSA-2014:0401 https://rhn.redhat.com/errata/RHSA-2014-0401.html
This issue has been addressed in the following products: Red Hat JBoss Fuse 6.1.0 Via RHSA-2014:0400 https://rhn.redhat.com/errata/RHSA-2014-0400.html
Could you provide more details on this bug? I'm guessing the binary log files refer to the transaction log files, and the admin user's password is the password for the znode's ACLs. Is that correct?
Also, it would be great if you can share the fix so that the issue can be addressed in the upstream code base. Thanks!
Statement: This flaw only affects Apache Zookeeper in conjunction with Fuse Fabric. Fuse Fabric was storing cleartext passwords, which would appear as cleartext in Apache Zookeeper's log files. Fuse Fabric now encrypts passwords by default.
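Neither the description nor the statement above says which files or znodes carried the cleartext passwords, so the check a practitioner wants is a generic one: pull printable runs out of ZooKeeper's binary log and snapshot files (as `strings` would), flag anything that looks like a credential, and report whether the file is readable by other local users. The script below is an added example, not code from the bug report, from Fuse Fabric or from Apache ZooKeeper. The sample bytes are constructed to resemble a transaction log (the `ZKLG` magic and a few length-prefixed records) and the znode path and key names in them are made up; the credential regexes are generic assumptions, not Fuse Fabric's real property names.

```python
"""Scan ZooKeeper log/snapshot files for cleartext credentials.

Added example for the Red Hat bug above; not code from Fuse Fabric or
ZooKeeper. It approximates `strings` over a binary file and then applies
credential-looking patterns to the recovered text.
"""
import os
import re
import stat
import string
import sys
from typing import List, Tuple

# Minimum run of printable bytes worth reporting (the `strings` default).
MIN_RUN = 4
# Printable ASCII minus control whitespace; a space is kept so that
# "key = value" survives as one run.
_PRINTABLE = set(bytes(string.printable, "ascii")) - set(b"\t\n\r\x0b\x0c")

# Assumption: Fuse Fabric's actual property names are not given on the page,
# so these are generic: "password=..." style keys and "scheme://user:pass@"
# userinfo in connection URLs.
CRED_PATTERNS = [
    re.compile(r"(?i)\b(password|passwd|pwd|secret)\s*[=:]\s*([^\s,;]+)"),
    re.compile(r"\b[a-z][a-z0-9+.-]*://([^/\s:@]+):([^/\s@]+)@"),
]

# Constructed sample, not a real ZooKeeper log: magic + version, then a few
# length-prefixed serialized records with a made-up znode path and values.
SAMPLE_LOG = (
    b"ZKLG\x00\x00\x00\x02" + b"\x00" * 8
    + b"\xa3\x1f\x00\x00\x00\x13" + b"/config/users/admin"
    + b"\x00\x00\x00\x1a" + b"user=admin,password=s3cr3t\n"
    + b"\x00\x00\x00\x2a" + b"brokerUrl=tcp://admin:Hunter2@broker:61616"
    + b"\x00\x7f\xff"
)


def extract_strings(data: bytes, min_run: int = MIN_RUN) -> List[str]:
    """Return runs of >= min_run printable bytes, like the `strings` tool."""
    out: List[str] = []
    run = bytearray()
    for b in data + b"\x00":  # trailing sentinel flushes the last run
        if b in _PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_run:
            out.append(run.decode("ascii"))
        run = bytearray()
    return out


def find_credentials(data: bytes) -> List[Tuple[str, str]]:
    """Return (key_or_user, value) pairs that look like cleartext credentials."""
    hits: List[Tuple[str, str]] = []
    for text in extract_strings(data):
        for pat in CRED_PATTERNS:
            for m in pat.finditer(text):
                hits.append((m.group(1), m.group(2)))
    return hits


def world_readable(mode: int) -> bool:
    """True if the file mode grants read to 'other' (any local user)."""
    return bool(mode & stat.S_IROTH)


def scan_file(path: str) -> Tuple[bool, List[Tuple[str, str]]]:
    """Scan one on-disk file: (world_readable?, credential hits)."""
    with open(path, "rb") as fh:
        data = fh.read()
    return world_readable(os.stat(path).st_mode), find_credentials(data)


if __name__ == "__main__":
    # Usage: python scan_zk_logs.py /var/lib/zookeeper/version-2/log.*
    # With no arguments the constructed sample is scanned instead.
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            readable, hits = scan_file(p)
            for key, value in hits:
                print(f"{p}: {key}={value!r} (world-readable={readable})")
    else:
        for key, value in find_credentials(SAMPLE_LOG):
            print(f"sample: {key}={value!r}")
```

The regex hit list is deliberately noisy (a `pwd` token in an unrelated string will match); the point is to surface candidates for a human to confirm, after which the fix is on the producer side (store the secret encrypted or not at all), not on the log files, since ZooKeeper will keep replaying and snapshotting whatever it was given.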