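Apache ZooKeeper Official Site Security Update (2018-03-09)

Source: Apache ZooKeeper official website  Published: 2018-03-09  Views: 312

Basic Information

Release date: 2018-03-09 (vendor local time)

Update type: Security update

Updated version: Unknown

Detected at: 2019-12-06 14:43:10

Risk level: Critical

Intelligence contributed by: TSRC

Update Title

CVE-2018-8012: Apache ZooKeeper Quorum Peer mutual authentication

Update Details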

CVE-2018-8012: Apache ZooKeeper Quorum Peer mutual authentication
Severity: Critical
Vendor: The Apache Software Foundation
Versions Affected:
ZooKeeper prior to 3.4.10
ZooKeeper 3.5.0-alpha through 3.5.3-beta
The unsupported ZooKeeper 1.x through 3.3.x versions may be also affected
Description: No authentication/authorization is enforced when a server attempts to join a quorum. As a result an arbitrary end point could join the cluster and begin propagating counterfeit changes to the leader.
Mitigation: Upgrade to 3.4.10 or later (3.5.4-beta or later if on the 3.5 branch) and enable Quorum Peer mutual authentication.
Alternately ensure the ensemble election/quorum communication is protected by a firewall as this will mitigate the issue.
See the documentation for more details on correct cluster administration.
Credit: This issue was identified by Földi Tamás and Eugene Koontz
References:
https://issues.apache.org/jira/browse/ZOOKEEPER-1045
https://cwiki.apache.org/confluence/display/ZOOKEEPER/Server-Server+mutual+authentication
http://zookeeper.apache.org/doc/current/zookeeperAdmin.html
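
An added example, not part of the Apache advisory or the ZooKeeper project's code: a Python check that applies the affected-version ranges listed above and verifies the three `quorum.auth.*` switches that the linked Server-Server mutual authentication documentation uses to require quorum SASL. The function names and the sample `zoo.cfg` contents are constructed for illustration.

```python
import re

# Quorum SASL switches from the Server-Server mutual authentication docs;
# each defaults to false, so an absent key counts as disabled.
REQUIRED = ("quorum.auth.enableSasl", "quorum.auth.learnerRequireSasl",
            "quorum.auth.serverRequireSasl")

def parse_version(v):
    """'3.5.3-beta' -> (3, 5, 3); the alpha/beta qualifier is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    return tuple(int(x) for x in m.groups())

def version_affected(v):
    """True if v falls in the ranges the advisory lists as affected."""
    ver = parse_version(v)
    if ver < (3, 4, 10):  # includes the unsupported 1.x through 3.3.x lines
        return True
    return (3, 5, 0) <= ver <= (3, 5, 3)

def parse_cfg(text):
    """Minimal key=value parser for zoo.cfg; skips blanks and # comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            k, v = line.split("=", 1)
            cfg[k.strip()] = v.strip()
    return cfg

def audit(version, cfg_text):
    """Return a list of findings; an empty list means both mitigations hold."""
    findings = []
    if version_affected(version):
        findings.append(f"version {version} is affected: upgrade first")
    cfg = parse_cfg(cfg_text)
    for key in REQUIRED:
        if cfg.get(key, "false").lower() != "true":
            findings.append(f"{key} is not set to true")
    return findings

# Constructed sample configurations (hostnames and paths are placeholders).
SAMPLE_WEAK = ("tickTime=2000\ndataDir=/var/lib/zookeeper\nclientPort=2181\n"
               "server.1=zk1.example.internal:2888:3888\n")
SAMPLE_HARDENED = SAMPLE_WEAK + "".join(f"{k}=true\n" for k in REQUIRED)

if __name__ == "__main__":
    for ver, cfg in (("3.4.9", SAMPLE_WEAK), ("3.4.10", SAMPLE_HARDENED)):
        print(ver, audit(ver, cfg) or "OK")
```

An upgraded server with none of the switches set still accepts unauthenticated peers, which is why the check reports the version and the configuration separately.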

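Software Description

Apache ZooKeeper is a distributed application coordination service. It provides a simple, easy-to-use interface and an efficient, stable system that lets users readily solve the coordination problems that arise in distributed applications and avoid errors such as race conditions and deadlocks.

CVE ID

CVE-2018-8012

USRC Analysis

None yet

Industry News

None yet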