CVE-2018-8012
Published: 21 May 2018
No authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper before 3.4.10, and 3.5.0-alpha through 3.5.3-beta. As a result an arbitrary end point could join the cluster and begin propagating counterfeit changes to the leader.
From the Ubuntu Security Team
It was discovered that Apache Zookeeper incorrectly handled clusters. An attacker could possibly use this issue to obtain sensitive information.
Notes
Author | Note |
---|---|
msalvatore | Debian notes that for wheezy (3.4.5) the "changes are too intrusive to backport" |
Priority
Status
Package | Release | Status |
---|---|---|
zookeeper Launchpad, Ubuntu, Debian |
disco |
Not vulnerable
|
eoan |
Not vulnerable
|
|
focal |
Not vulnerable
|
|
impish |
Not vulnerable
|
|
hirsute |
Not vulnerable
|
|
jammy |
Not vulnerable
|
|
kinetic |
Not vulnerable
|
|
xenial |
Released
(3.4.8-1ubuntu0.1~esm1)
Available with Ubuntu Pro |
|
lunar |
Not vulnerable
|
|
artful |
Not vulnerable
(3.4.10-2)
|
|
bionic |
Not vulnerable
|
|
cosmic |
Not vulnerable
|
|
groovy |
Not vulnerable
|
|
upstream |
Released
(3.4.10-2)
|
|
mantic |
Not vulnerable
|
|
trusty |
Ignored
(backporting risks regressions)
|
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.5 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | High |
Availability impact | None |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8012
- https://issues.apache.org/jira/browse/ZOOKEEPER-1045
- http://www.openwall.com/lists/oss-security/2018/05/21/6
- https://cwiki.apache.org/confluence/display/ZOOKEEPER/Server-Server+mutual+authentication
- https://issues.apache.org/jira/secure/attachment/12840904/ZOOKEEPER-1045-br-3-4.patch
- https://lists.apache.org/thread.html/c75147028c1c79bdebd4f8fa5db2b77da85de2b05ecc0d54d708b393@%3Cdev.zookeeper.apache.org%3E
- https://ubuntu.com/security/notices/USN-4789-1
- NVD
- Launchpad
- Debian