Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN639
_____________________________________________________________________

DATE                : 24/09/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache ZooKeeper versions prior
                                     to 3.9.4.

=====================================================================
https://lists.apache.org/thread/r5yol0kkhx2fzw22pxk1ozwm3oc6yxrx
_____________________________________________________________________


CVE-2025-58457: Apache ZooKeeper: Insufficient Permission Check in
AdminServer Snapshot/Restore Commands

Severity: moderate 

Affected versions:

- Apache ZooKeeper (org.apache.zookeeper:zookeeper) 3.9.0 before
3.9.4


Description:

Improper permission check in ZooKeeper AdminServer lets authorized
clients to run snapshot and restore command with insufficient
permissions.

This issue affects Apache ZooKeeper: from 3.9.0 before 3.9.4.

Users are recommended to upgrade to version 3.9.4, which fixes the
issue.

The issue can be mitigated by disabling both commands
(via admin.snapshot.enabled and admin.restore.enabled), disabling
the whole AdminServer interface (via admin.enableServer), or
ensuring that the root ACL does not provide open permissions. (Note
that ZooKeeper ACLs are not recursive, so this does not impact
operations on child nodes besides notifications from recursive
watches.)


Credit:

Damien Diederen <dd...@apache.org> (reporter)


References:

https://zookeeper.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-58457


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================