Description
Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. If SASL Quorum Peer authentication is enabled in ZooKeeper (quorum.auth.enableSasl=true), authorization is done by verifying that the instance part of the SASL authentication ID is listed in the zoo.cfg server list. The instance part of the SASL auth ID is optional, and if it is missing, as in 'eve@EXAMPLE.COM', the authorization check is skipped. As a result an arbitrary endpoint could join the cluster and begin propagating counterfeit changes to the leader, essentially giving it complete read-write access to the data tree. Quorum Peer authentication is not enabled by default.
Users are recommended to upgrade to version 3.9.1, 3.8.3, or 3.7.2, which fix the issue.
Alternatively, ensure the ensemble election/quorum communication is protected by a firewall, as this mitigates the issue.
See the documentation for more details on correct cluster administration.
A flaw was found in Apache ZooKeeper. The authorization bypass through a user-controlled key is possible only if SASL Quorum Peer authentication is enabled in ZooKeeper via the quorum.auth.enableSasl=true configuration. A malicious user could bypass the authorization check by presenting a SASL authentication ID with no instance part (which is optional); the server would then skip the server-list check, and as a result the endpoint could join the cluster and propagate information with complete read and write access.
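To make the described check concrete, the following added example (a simplified Python model written for this page, not ZooKeeper's own Java code) parses the server list from a constructed zoo.cfg fragment and contrasts the skipped check for an instance-less auth ID with the hardened form that requires the instance part. The hostnames, realm and principal layout are constructed assumptions.

```python
import re
from typing import Optional, Set

# Constructed zoo.cfg fragment for a three-node ensemble with quorum SASL enabled.
ZOO_CFG = """\
tickTime=2000
quorum.auth.enableSasl=true
quorum.auth.learnerRequireSasl=true
quorum.auth.serverRequireSasl=true
server.1=zk1.example.com:2888:3888
server.2=zk2.example.com:2888:3888
server.3=zk3.example.com:2888:3888
"""


def parse_server_hosts(cfg: str) -> Set[str]:
    """Return the hostnames named in server.N=host:port:port[;clientport] lines."""
    hosts = set()
    for line in cfg.splitlines():
        m = re.match(r"^server\.\d+=([^:;]+)", line.strip())
        if m:
            hosts.add(m.group(1))
    return hosts


def sasl_instance(auth_id: str) -> Optional[str]:
    """Split a Kerberos-style auth ID 'primary/instance@REALM' and return the
    instance part, or None when the optional instance is absent ('eve@EXAMPLE.COM')."""
    principal = auth_id.split("@", 1)[0]
    if "/" not in principal:
        return None
    return principal.split("/", 1)[1]


def is_authorized_vulnerable(auth_id: str, hosts: Set[str]) -> bool:
    """Behaviour described in the advisory: a missing instance part skips the check."""
    inst = sasl_instance(auth_id)
    if inst is None:
        return True  # check skipped: any authenticated endpoint is accepted
    return inst in hosts


def is_authorized_fixed(auth_id: str, hosts: Set[str]) -> bool:
    """Hardened form: the instance part is mandatory and must appear in zoo.cfg."""
    inst = sasl_instance(auth_id)
    return inst is not None and inst in hosts
```

Running `is_authorized_vulnerable("eve@EXAMPLE.COM", parse_server_hosts(ZOO_CFG))` returns True while the fixed form returns False, which is the whole difference the advisory describes.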
Statement
Red Hat AMQ 7 Broker and Red Hat AMQ Streams 2 use ZooKeeper but do not use or enable the vulnerable functionality, Quorum Peer authentication. They are affected at Moderate Impact by this flaw. Red Hat Fuse 7 uses ZooKeeper but does not use any of its server capabilities and as such is not vulnerable, and so is affected at Low Impact by this flaw. Red Hat Process Automation Manager 7 and Red Hat Decision Manager 7 do not ship ZooKeeper, and so are not affected by this flaw. Red Hat Fuse 6 and AMQ 6 use ZooKeeper but are not vulnerable to this flaw; they have been assessed at Important Impact and are as such out of security support scope for this flaw. Red Hat Business Process Manager Suite 6, Red Hat Business Rules Management Suite 6, Red Hat JBoss Data Virtualization 6, Red Hat OpenShift Application Runtime Vert-x, and Red Hat Fuse Service Works 6 are out of security support scope for this flaw. As no Red Hat products are affected at Critical Impact by this flaw, its overall impact has been reduced to Important.
Mitigation
According to Apache's documentation: ensure the ensemble election/quorum communication is protected by a firewall, as this mitigates the issue.
Affected packages
Platform | Package | State | Advisory | Release
---|---|---|---|---
Red Hat BPM Suite 6 | zookeeper | Out of support scope | |
Red Hat Decision Manager 7 | zookeeper | Not affected | |
Red Hat Fuse 7 | zookeeper | Not affected | |
Red Hat JBoss A-MQ 6 | zookeeper | Out of support scope | |
Red Hat JBoss BRMS 6 | zookeeper | Out of support scope | |
Red Hat JBoss Data Virtualization 6 | zookeeper | Out of support scope | |
Red Hat JBoss Fuse 6 | zookeeper | Out of support scope | |
Red Hat JBoss Fuse Service Works 6 | zookeeper | Out of support scope | |
Red Hat OpenShift Application Runtimes | zookeeper | Out of support scope | |
Red Hat Process Automation 7 | zookeeper | Not affected | |
Additional information
Status: 9.1 Critical (CVSS3)
Related vulnerabilities
Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper
A vulnerability in the SASL Quorum Peer authentication function of Apache ZooKeeper, a centralized service for maintaining configuration information, naming, providing distributed synchronization, and providing group services, allows an attacker to bypass security restrictions and gain access to read, modify or delete data.
9.1 Critical (CVSS3)