Bug 1454808 (CVE-2017-5637) - CVE-2017-5637 zookeeper: Incorrect input validation with wchp/wchc four letter words
Summary: CVE-2017-5637 zookeeper: Incorrect input validation with wchp/wchc four lette...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-5637
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1454809 1455642 1455643
Blocks: 1454810 1475996 1500872
TreeView+ depends on / blocked
 
Reported: 2017-05-23 13:43 UTC by Andrej Nemec
Modified: 2019-09-29 14:13 UTC (History)
29 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A denial of service vulnerability was discovered in ZooKeeper which allows an attacker to dramatically increase CPU utilization by abusing "wchp/wchc" commands, leading to the server being unable to serve legitimate requests.
Clone Of:
Environment:
Last Closed: 2017-11-30 16:58:57 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:2477 normal SHIPPED_LIVE Important: Red Hat JBoss Data Virtualization 6.3 Update 7 security update 2017-08-15 19:07:56 UTC
Red Hat Product Errata RHSA-2017:3354 normal SHIPPED_LIVE Moderate: Red Hat JBoss BRMS 6.4.7 security update 2017-11-30 21:47:01 UTC
Red Hat Product Errata RHSA-2017:3355 normal SHIPPED_LIVE Moderate: Red Hat JBoss BPM Suite 6.4.7 security update 2017-11-30 21:46:10 UTC

Description Andrej Nemec 2017-05-23 13:43:38 UTC
Two four letter word commands “wchp/wchc” are CPU intensive and could cause spike of CPU utilization on ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests.

Upstream issue:

https://issues.apache.org/jira/browse/ZOOKEEPER-2693

References:

https://vulners.com/exploitdb/EDB-ID:41277

Comment 1 Andrej Nemec 2017-05-23 13:44:23 UTC
Created zookeeper tracking bugs for this issue:

Affects: fedora-all [bug 1454809]

Comment 5 Pavel Polischouk 2017-07-24 18:32:59 UTC
taking

Comment 6 Hooman Broujerdi 2017-07-25 02:19:07 UTC
For fuse the recommended security practice to mitigate this issue is to deploy and operate zookeeper in a secured network where essentially the affected port are protected by the firewall. Additionally it should be assumed that only admin has access to the affected port and this port should not be made available to the world.

Comment 7 Christopher Tubbs 2017-07-25 02:57:38 UTC
I agree. ZooKeeper isn't designed to be run as a publicly available service. It's designed to be a coordination system for distributed applications deployed within a well-designed cluster architecture.

If the input validation is buggy, that's certainly something to be addressed... but I'm not sure I'd call it a "security" bug, when the real security bug is the user operating it in an environment it wasn't designed for.

That said, ZooKeeper is *very* stable in its API, from what I've seen, and it's generally *very* low risk to upgrade to the latest version to fix any known bugs, provided the dependencies are available.

Comment 8 errata-xmlrpc 2017-08-15 15:09:21 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Data Virtualization

Via RHSA-2017:2477 https://access.redhat.com/errata/RHSA-2017:2477

Comment 9 errata-xmlrpc 2017-11-30 16:46:50 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite

Via RHSA-2017:3355 https://access.redhat.com/errata/RHSA-2017:3355

Comment 10 errata-xmlrpc 2017-11-30 16:48:17 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BRMS

Via RHSA-2017:3354 https://access.redhat.com/errata/RHSA-2017:3354


Note You need to log in before you can comment on or make changes to this bug.