=====================================================================

                             CERT-Renater

                   Information Note No. 2023/VULN391

_____________________________________________________________________

DATE                : 11/10/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache ZooKeeper versions prior
                     to 3.9.1, 3.8.3, 3.7.2.

=====================================================================
https://lists.apache.org/thread/7o6cch0gm7hzz0zcj2zs16hnl1dxm6oy
_____________________________________________________________________

CVE-2023-44981: Apache ZooKeeper: Authorization bypass in SASL
Quorum Peer Authentication

Severity: critical

Affected versions:

- Apache ZooKeeper 3.9.0
- Apache ZooKeeper 3.8.0 through 3.8.2
- Apache ZooKeeper 3.7.0 through 3.7.1
- Apache ZooKeeper before 3.7.0

Description:

Authorization Bypass Through User-Controlled Key vulnerability in
Apache ZooKeeper. If SASL Quorum Peer authentication is enabled in
ZooKeeper (quorum.auth.enableSasl=true), authorization is done by
verifying that the instance part of the SASL authentication ID is
listed in the zoo.cfg server list. The instance part of the SASL
auth ID is optional, and if it is missing, as in 'eve@EXAMPLE.COM',
the authorization check is skipped. As a result, an arbitrary
endpoint could join the cluster and begin propagating counterfeit
changes to the leader, essentially giving it complete read-write
access to the data tree. Quorum Peer authentication is not enabled
by default.
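The flawed check described above, modelled side by side with a hardened version, as an added example (not ZooKeeper's own code; the zoo.cfg fragment, host names and function names are constructed for illustration):

```python
import re

# Constructed zoo.cfg fragment (hypothetical hosts, not taken from the advisory).
SAMPLE_ZOO_CFG = """\
tickTime=2000
quorum.auth.enableSasl=true
server.1=zk1.example.com:2888:3888
server.2=zk2.example.com:2888:3888
server.3=zk3.example.com:2888:3888
"""

# Kerberos-style principal: primary[/instance]@REALM; the instance part is optional.
PRINCIPAL_RE = re.compile(
    r"^(?P<primary>[^/@]+)(?:/(?P<instance>[^/@]+))?@(?P<realm>[^/@]+)$"
)


def server_hosts_from_cfg(cfg_text):
    """Collect the host part of every server.N=host:port:port line."""
    hosts = set()
    for line in cfg_text.splitlines():
        line = line.strip()
        if line.startswith("server."):
            _, _, value = line.partition("=")
            hosts.add(value.split(":")[0])
    return hosts


def parse_principal(auth_id):
    """Split a SASL authentication ID into (primary, instance-or-None, realm)."""
    m = PRINCIPAL_RE.match(auth_id)
    if not m:
        raise ValueError(f"malformed SASL authentication ID: {auth_id!r}")
    return m.group("primary"), m.group("instance"), m.group("realm")


def vulnerable_is_authorized(auth_id, server_hosts):
    """Simplified model of the flawed check: a missing instance part skips authorization."""
    _, instance, _ = parse_principal(auth_id)
    if instance is None:
        return True  # the bug: nothing to compare against, so the peer is admitted
    return instance in server_hosts


def fixed_is_authorized(auth_id, server_hosts):
    """Hardened check: the instance part must be present and in the server list."""
    _, instance, _ = parse_principal(auth_id)
    return instance is not None and instance in server_hosts
```

Running both checks over a peer ID with no instance part shows the vulnerable model admitting it while the hardened one rejects it; a peer whose instance is not in zoo.cfg is rejected by both.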

Users are recommended to upgrade to version 3.9.1, 3.8.3 or 3.7.2,
which fix the issue.

Alternatively, ensure that the ensemble election/quorum communication
is protected by a firewall, as this mitigates the issue.

See the documentation for more details on correct cluster
administration.


Credit:

Damien Diederen <dd...@apache.org> (reporter)

References:

https://zookeeper.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-44981

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
