Description
No authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper before 3.4.10, and 3.5.0-alpha through 3.5.3-beta. As a result an arbitrary end point could join the cluster and begin propagating counterfeit changes to the leader.
Report
ZooKeeper is not designed to run as a publicly available service and it always needs to be deployed and operated in a secured environment. As a result, it is assumed that no ZooKeeper ports are available publicly, so with this assumption JBoss Fuse is not affected by this issue.
Affected packages
Platform | Package | State | Recommendation | Release |
---|---|---|---|---|
Red Hat BPM Suite 6 | zookeeper | Not affected | ||
Red Hat Fuse 7 | zookeeper | Not affected | ||
Red Hat JBoss A-MQ 6 | zookeeper | Will not fix | ||
Red Hat JBoss BRMS 6 | zookeeper | Not affected | ||
Red Hat JBoss Data Virtualization 6 | zookeeper | Not affected | ||
Red Hat JBoss Fuse 6 | zookeeper | Will not fix | ||
Red Hat JBoss Fuse Integration Service 2 | zookeeper | Not affected | ||
Red Hat JBoss Fuse Service Works 6 | zookeeper | Not affected | ||
Red Hat OpenShift Application Runtimes | zookeeper | Not affected | ||
streams for Apache Kafka | zookeeper | Not affected | ||
Additional information
Status:
7.4 High
CVSS3
Related vulnerabilities
No authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper before 3.4.10, and 3.5.0-alpha through 3.5.3-beta. As a result an arbitrary end point could join the cluster and begin propagating counterfeit changes to the leader.
No authentication/authorization is enforced when a server attempts to ...
A vulnerability in Apache ZooKeeper, a centralized service for maintaining configuration information, naming, providing distributed synchronization, and providing group services, that allows an attacker to write arbitrary files in the operating system of the vulnerable device
7.4 High
CVSS3