CVE-2018-8012 - Missing Authorization vulnerability in multiple products
- Attack vector: NETWORK
- Attack complexity: LOW
- Privileges required: NONE
- Confidentiality impact: NONE
- Integrity impact: HIGH
- Availability impact: NONE

Summary
No authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper before 3.4.10, and 3.5.0-alpha through 3.5.3-beta. As a result an arbitrary end point could join the cluster and begin propagating counterfeit changes to the leader.
Nessus
- NASL family: Misc.
- NASL id: APACHE_ZOOKEEPER_3_4_10.NASL
- description: The instance of Apache Zookeeper listening on the remote host is either running a version that does not support quorum authentication or has not been configured to use quorum authentication. This may allow a remote attacker to join a cluster quorum and begin propagating counterfeit changes to the leader.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 110266
- published: 2018-05-31
- reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/110266
- title: Apache Zookeeper x < 3.4.10 / 3.5.x < 3.5.4 Missing Authentication Remote Quorum Joining Vulnerability
- code:

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(110266);
  script_version("1.9");
  script_cvs_date("Date: 2019/11/04");

  script_cve_id("CVE-2018-8012");
  script_bugtraq_id(104253);

  script_name(english:"Apache Zookeeper x < 3.4.10 / 3.5.x < 3.5.4 Missing Authentication Remote Quorum Joining Vulnerability");
  script_summary(english:"Checks zookeeper version");

  script_set_attribute(attribute:"synopsis", value:
"The remote Apache Zookeeper server is prone to a quorum joining attack.");
  script_set_attribute(attribute:"description", value:
"The instance of Apache Zookeeper listening on the remote host is either running a version that does not support quorum authentication or has not been configured to use quorum authentication.
This may allow a remote attacker to join a cluster quorum and begin propagating counterfeit changes to the leader.");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/oss-sec/2018/q2/132");
  script_set_attribute(attribute:"see_also", value:"https://issues.apache.org/jira/browse/ZOOKEEPER-1045");
  script_set_attribute(attribute:"solution", value:
"Update to Apache Zookeeper 3.4.10 or 3.5.4 or later and enable Quorum Peer mutual authentication.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-8012");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/05/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/05/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/31");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:zookeeper");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("apache_zookeeper_detect.nasl");
  script_require_keys("Settings/ParanoidReport");
  script_require_ports("Services/zookeeper", 2181);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("install_func.inc");

app_name = "Apache Zookeeper";
port = get_service(svc:"zookeeper", default:2181, exit_on_fail:TRUE);

if (get_install_count(app_name:app_name) > 0)
{
  install = get_single_install(app_name:app_name, port:port, exit_if_unknown_ver:TRUE);
  version = install.version;
}
else version = get_kb_item_or_exit("zookeeper/" + port + "/version");

if (version =~ "^3\.5\.") fix = "3.5.4";
else fix = "3.4.10";

if (ver_compare(ver:version, fix:fix, strict:FALSE) == -1)
{
  report =
    '\n Installed version : ' + version +
    '\n Fixed version : ' + fix +
    '\n';
}
else if (install.config)
{
  conf_arr = {};
  foreach line (split(install.config, sep:'\n', keep:FALSE))
  {
    match = pregmatch(pattern:"^([^#]+?)=([^\s]*)", string:line);
    if (match && match[1] && match[2])
      conf_arr[tolower(match[1])] = tolower(match[2]);
  }
  if (conf_arr['quorum.auth.enablesasl'] != 'true' ||
      conf_arr['quorum.auth.learnerrequiresasl'] != 'true' ||
      conf_arr['quorum.auth.serverrequiresasl'] != 'true')
  {
    report =
      '\n The Apache Zookeeper installation detected on port '+ port + ' has not' +
      '\n been configured for quorum authentication. Please ensure the' +
      '\n following lines are present in the configuration:' +
      '\n quorum.auth.enableSasl=true' +
      '\n quorum.auth.learnerRequireSasl=true' +
      '\n quorum.auth.serverRequireSasl=true' +
      '\n';
  }
}

if(report) security_report_v4(port:port, severity:SECURITY_WARNING, extra:report);
else audit(AUDIT_LISTEN_NOT_VULN, "Apache Zookeeper", port, version);
```
- NASL family: Debian Local Security Checks
- NASL id: DEBIAN_DSA-4214.NASL
- description: It was discovered that Zookeeper, a service for maintaining configuration information, enforced no authentication/authorisation when a server attempts to join a Zookeeper quorum. This update backports authentication support. Additional configuration steps are needed, please see https://cwiki.apache.org/confluence/display/ZOOKEEPER/Server-Server+mutual+authentication for additional information.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 110315
- published: 2018-06-05
- reporter: This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/110315
- title: Debian DSA-4214-1 : zookeeper - security update
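
A standalone take on the configuration check the Nessus plugin above performs, as an added example that is not Tenable's or Apache's code: it reports which of the three quorum authentication settings is missing or disabled in a `zoo.cfg`, and goes slightly beyond the plugin's regex by tolerating whitespace and `:` separators. The sample configuration, its hostname and the function names are constructed for illustration.

```python
import re

# The three settings the Nessus check on this page requires to be "true".
REQUIRED = ("quorum.auth.enableSasl", "quorum.auth.learnerRequireSasl",
            "quorum.auth.serverRequireSasl")

# Constructed sample: a patched release with quorum auth only partly enabled.
SAMPLE_CFG = """\
dataDir=/var/lib/zookeeper
server.1=zk1.example.internal:2888:3888
# quorum.auth.serverRequireSasl=true
quorum.auth.enableSasl = true
quorum.auth.learnerRequireSasl=false
"""

def parse_zoo_cfg(text):
    """Parse Java-properties style lines into {lowercased key: value}."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m:
            cfg[m.group(1).lower()] = m.group(2).strip()
    return cfg

def supports_quorum_auth(version):
    """True for releases with quorum authentication: 3.4.10+ or 3.5.4+."""
    nums = tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0])[:3])
    fix = (3, 5, 4) if nums[:2] == (3, 5) else (3, 4, 10)
    return nums >= fix

def audit(version, cfg_text):
    """Return findings; an empty list means all three settings are true."""
    if not supports_quorum_auth(version):
        return [f"version {version} has no quorum authentication; upgrade first"]
    cfg = parse_zoo_cfg(cfg_text)
    findings = []
    for key in REQUIRED:
        value = cfg.get(key.lower())
        if value is None:
            findings.append(f"{key} is not set")
        elif value.lower() != "true":
            findings.append(f"{key}={value} (must be true)")
    return findings

if __name__ == "__main__":
    print("\n".join(audit("3.4.13", SAMPLE_CFG)))
```

A fixed release with the settings absent is still reported, matching the plugin's "has not been configured to use quorum authentication" case.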
References
- http://www.securitytracker.com/id/1040948
- http://www.securityfocus.com/bid/104253
- https://www.debian.org/security/2018/dsa-4214
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E
- https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E
- https://lists.apache.org/thread.html/c75147028c1c79bdebd4f8fa5db2b77da85de2b05ecc0d54d708b393%40%3Cdev.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r8f0d920805af93033c488af89104e2d682662bacfb8406db865d5e14%40%3Cdev.jackrabbit.apache.org%3E
- https://lists.apache.org/thread.html/rc5bc4ddb0deabf8cfb69378cecee56fcdc76929bea9e6373cb863870%40%3Cdev.jackrabbit.apache.org%3E
- https://lists.apache.org/thread.html/r73daf1fc5d85677d9a854707e1908d14e174b7bbb0c603709c0ab33f%40%3Coak-commits.jackrabbit.apache.org%3E
- https://lists.apache.org/thread.html/re3a4048e9515d4afea416df907a612ed384a16c57cf99e97ee4a12f2%40%3Cdev.jackrabbit.apache.org%3E