Описание
When using IPAuthenticationProvider in ZooKeeper Admin Server there is a possibility of Authentication Bypass by Spoofing -- this only impacts IP based authentication implemented in ZooKeeper Admin Server. Default configuration of client's IP address detection in IPAuthenticationProvider, which uses HTTP request headers, is weak and allows an attacker to bypass authentication via spoofing client's IP address in request headers. Default configuration honors X-Forwarded-For HTTP header to read client's IP address. X-Forwarded-For request header is mainly used by proxy servers to identify the client and can be easily spoofed by an attacker pretending that the request comes from a different IP address. Admin Server commands, such as snapshot and restore arbitrarily can be executed on successful exploitation which could potentially lead to information leakage or service availability issues. Users are recommended to upgrade to version 3.9.3, which fixes this issue.
An authentication bypass vulnerability was found in Apache Zookeeper. The default configuration of the client's IP address detection in IPAuthenticationProvider, which uses HTTP request headers, is weak and allows an attacker to bypass authentication by spoofing the client's IP address in request headers. The default configuration honors the X-Forwarded-For HTTP header to read the client's IP address, which can be easily spoofed by an attacker pretending that the request came from a different IP address. Admin Server commands, such as snapshot and restore arbitrarily, can be executed on successful exploitation, potentially leading to information leakage or service availability issues.
Отчет
This vulnerability is considered an Important severity because it allows an attacker to bypass authentication by spoofing the client’s IP address, exploiting a weakness in ZooKeeper Admin Server's reliance on the X-Forwarded-For HTTP header for IP-based authentication. Unlike moderate vulnerabilities that might require additional conditions for exploitation, this flaw directly exposes critical admin commands—such as snapshot and restore—without requiring complex attack vectors. Successful exploitation can lead to unauthorized execution of sensitive commands, resulting in potential information leakage, data integrity risks, and service availability issues.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| A-MQ Clients 2 | org.apache.zookeeper/zookeeper | Not affected | ||
| Logging Subsystem for Red Hat OpenShift | org.apache.zookeeper/zookeeper | Not affected | ||
| Red Hat AMQ Broker 7 | org.apache.zookeeper/zookeeper | Not affected | ||
| Red Hat build of Apache Camel for Spring Boot 3 | org.apache.zookeeper/zookeeper | Not affected | ||
| Red Hat build of Apache Camel for Spring Boot 4 | org.apache.zookeeper/zookeeper | Not affected | ||
| Red Hat build of Debezium 2 | org.apache.zookeeper/zookeeper | Not affected | ||
| Red Hat Data Grid 8 | org.apache.zookeeper/zookeeper | Not affected | ||
| Red Hat Fuse 7 | org.apache.zookeeper/zookeeper | Not affected | ||
| Red Hat Integration Camel K 1 | org.apache.zookeeper/zookeeper | Not affected | ||
| Red Hat JBoss Data Grid 7 | org.apache.zookeeper/zookeeper | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
7.3 High
CVSS3
Связанные уязвимости
When using IPAuthenticationProvider in ZooKeeper Admin Server there is a possibility of Authentication Bypass by Spoofing -- this only impacts IP based authentication implemented in ZooKeeper Admin Server. Default configuration of client's IP address detection in IPAuthenticationProvider, which uses HTTP request headers, is weak and allows an attacker to bypass authentication via spoofing client's IP address in request headers. Default configuration honors X-Forwarded-For HTTP header to read client's IP address. X-Forwarded-For request header is mainly used by proxy servers to identify the client and can be easily spoofed by an attacker pretending that the request comes from a different IP address. Admin Server commands, such as snapshot and restore arbitrarily can be executed on successful exploitation which could potentially lead to information leakage or service availability issues. Users are recommended to upgrade to version 3.9.3, which fixes this issue.
When using IPAuthenticationProvider in ZooKeeper Admin Server there is a possibility of Authentication Bypass by Spoofing -- this only impacts IP based authentication implemented in ZooKeeper Admin Server. Default configuration of client's IP address detection in IPAuthenticationProvider, which uses HTTP request headers, is weak and allows an attacker to bypass authentication via spoofing client's IP address in request headers. Default configuration honors X-Forwarded-For HTTP header to read client's IP address. X-Forwarded-For request header is mainly used by proxy servers to identify the client and can be easily spoofed by an attacker pretending that the request comes from a different IP address. Admin Server commands, such as snapshot and restore arbitrarily can be executed on successful exploitation which could potentially lead to information leakage or service availability issues. Users are recommended to upgrade to version 3.9.3, which fixes this issue.
When using IPAuthenticationProvider in ZooKeeper Admin Server there is ...
Apache ZooKeeper: Authentication bypass with IP-based authentication in Admin Server
Уязвимость компонента IPAuthenticationProvider централизованной службы для поддержки информации о конфигурации, именования, обеспечения распределенной синхронизации и предоставления групповых служб Apache ZooKeeper, позволяющая нарушителю обойти процесс аутентификации
EPSS
7.3 High
CVSS3