Red Hat Bugzilla – Bug 1454808
CVE-2017-5637 zookeeper: Incorrect input validation with wchp/wchc four letter words
Last modified: 2018-02-12 06:18:27 EST
Two four letter word commands “wchp/wchc” are CPU intensive and could cause spike of CPU utilization on ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests. Upstream issue: https://issues.apache.org/jira/browse/ZOOKEEPER-2693 References: https://vulners.com/exploitdb/EDB-ID:41277
Created zookeeper tracking bugs for this issue: Affects: fedora-all [bug 1454809]
taking
For fuse the recommended security practice to mitigate this issue is to deploy and operate zookeeper in a secured network where essentially the affected port are protected by the firewall. Additionally it should be assumed that only admin has access to the affected port and this port should not be made available to the world.
I agree. ZooKeeper isn't designed to be run as a publicly available service. It's designed to be a coordination system for distributed applications deployed within a well-designed cluster architecture. If the input validation is buggy, that's certainly something to be addressed... but I'm not sure I'd call it a "security" bug, when the real security bug is the user operating it in an environment it wasn't designed for. That said, ZooKeeper is *very* stable in its API, from what I've seen, and it's generally *very* low risk to upgrade to the latest version to fix any known bugs, provided the dependencies are available.
This issue has been addressed in the following products: Red Hat JBoss Data Virtualization Via RHSA-2017:2477 https://access.redhat.com/errata/RHSA-2017:2477
This issue has been addressed in the following products: Red Hat JBoss BPM Suite Via RHSA-2017:3355 https://access.redhat.com/errata/RHSA-2017:3355
This issue has been addressed in the following products: Red Hat JBoss BRMS Via RHSA-2017:3354 https://access.redhat.com/errata/RHSA-2017:3354