Описание
An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.
A flaw was found in Apache ZooKeeper. A lack of permission checks while retrieving ACLs allows unsalted hash values to be disclosed for unauthenticated or unprivileged users.
Меры по смягчению последствий
Use an authentication method other than Digest (e.g. Kerberos) or upgrade to zookeeper 3.4.14 or later (3.5.5 or later if on the 3.5 branch). [https://zookeeper.apache.org/security.html#CVE-2019-0201]
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat BPM Suite 6 | zookeeper | Out of support scope | ||
| Red Hat JBoss BRMS 6 | zookeeper | Out of support scope | ||
| Red Hat JBoss Fuse Service Works 6 | zookeeper | Out of support scope | ||
| Red Hat OpenShift Application Runtimes | zookeeper | Not affected | ||
| streams for Apache Kafka | zookeeper | Not affected | ||
| Red Hat Fuse 6.3 | zookeeper | Fixed | RHSA-2019:4352 | 19.12.2019 |
| Red Hat Fuse 6.3 | zookeeper | Fixed | RHSA-2019:4352 | 19.12.2019 |
| Red Hat Fuse 7.5.0 | zookeeper | Fixed | RHSA-2019:3892 | 14.11.2019 |
| Red Hat JBoss Data Virtualization 6.4.8 | zookeeper | Fixed | RHSA-2019:3140 | 17.10.2019 |
Показывать по
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.
An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.
An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alph ...
Уязвимость реализации команды getACL() централизованной службы для поддержки информации о конфигурации, именования, обеспечения распределенной синхронизации и предоставления групповых служб Apache ZooKeeper, позволяющая нарушителю раскрыть некоторые значения хеш-функции
EPSS
7.5 High
CVSS3