Apache ZooKeeper 3.5.3 Remote Code Execution Vulnerability

Summary

Apache ZooKeeper is prone to a remote code-execution vulnerability.This allows a remote attacker to exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts may result in a denial-of-service condition. 

Credit:

The information has been provided by Harrison Neal
The original article can be found at: https://zookeeper.apache.org/security.html#CVE-2019-0201


Details

An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper?s getACL() command doesn?t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.

Vulnerable Systems:

  • Apache ZooKeeper 3.5.3
  • Apache ZooKeeper 3.5.2
  • Apache ZooKeeper 3.5.1
  • Apache ZooKeeper 3.4.13
  • Apache ZooKeeper 3.4.12
  • Apache ZooKeeper 3.4.11
  • Apache ZooKeeper 3.4.10
  • Apache ZooKeeper 3.4.9
  • Apache ZooKeeper 3.4.8
  • Apache ZooKeeper 3.4.7
  • Apache ZooKeeper 3.4.6
  • Apache ZooKeeper 3.4.5
  • Apache ZooKeeper 3.4.4
  • Apache ZooKeeper 3.4.3
  • Apache ZooKeeper 3.4.2
  • Apache ZooKeeper 3.4.1
  • Apache ZooKeeper 3.4
  • Apache ZooKeeper 3.5.4-beta
  • Apache ZooKeeper 3.5.3-beta
  • Apache ZooKeeper 3.5.2-alpha
  • Apache ZooKeeper 3.5.1-alpha
  • Apache ZooKeeper 3.5.0-alpha

CVE Information:

CVE-2019-0201

Disclosure Timeline:
Publish Date:05/23/2019

Categories: News