A critical vulnerability has been discovered in Apache ZooKeeper that allows an unauthorized endpoint to bypass the quorum peer authorization check and take part in the ensemble, potentially reading and manipulating sensitive data. This blog post examines this vulnerability, CVE-2023-44981, and provides guidance on how to mitigate it.

Description of the Vulnerability

Apache ZooKeeper is an open-source, distributed coordination service for large-scale distributed applications. One of its essential features is the ability to authenticate and authorize nodes, ensuring that only permitted nodes communicate with each other.

However, it has been discovered that if SASL Quorum Peer authentication is enabled in ZooKeeper (quorum.auth.enableSasl=true), the authorization process can be bypassed. The bypass is caused by a flaw in the check that the instance part of the SASL authentication ID is listed in the zoo.cfg server list.

In a Kerberos-style principal of the form primary/instance@REALM, the instance part (the host component after the '/') is optional. If it is missing, as in 'eve@EXAMPLE.COM', the authorization check is skipped instead of failing. Consequently, an arbitrary endpoint could join the cluster and begin propagating counterfeit changes to the leader, effectively giving it complete read-write access to the data tree.

Code Snippet - Example of Vulnerable SASL auth ID configuration

# zoo.cfg example configuration with vulnerable SASL auth ID
# Ensemble members; the host part of each entry is what the instance
# part of a peer's SASL auth ID is checked against
server.1=zk1.example.com:2888:3888
server.2=zk2.example.com:2888:3888
server.3=zk3.example.com:2888:3888

# Authentication configuration
quorum.auth.enableSasl=true
# Principal without an instance part (no '/host' before the realm),
# so the server-list check is skipped on unpatched versions
quorum.auth.kerberos.servicePrincipal=eve@EXAMPLE.COM
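The check described above, modelled as an added Python example (not ZooKeeper's own Java code): it splits a Kerberos-style auth ID into primary, optional instance and realm, then compares the instance against the hosts in a constructed zoo.cfg server list, once as the vulnerable behaviour (a missing instance skips the check) and once as the fixed behaviour (a missing instance is rejected). The host names, principal names and helper names are assumptions.

```python
import re

# Constructed zoo.cfg excerpt (hypothetical hosts, mirroring the post's snippet).
ZOO_CFG = """
server.1=zk1.example.com:2888:3888
server.2=zk2.example.com:2888:3888
server.3=zk3.example.com:2888:3888
quorum.auth.enableSasl=true
"""

def parse_zoo_cfg(text):
    """Return {'server.N': 'host:port:port'} for the server entries in zoo.cfg text."""
    servers = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key.strip().startswith("server."):
            servers[key.strip()] = value.strip()
    return servers

def authz_hosts(servers):
    """Host names the quorum accepts: the host part of each server entry."""
    return {addr.split(":")[0] for addr in servers.values()}

def parse_principal(auth_id):
    """Split 'primary[/instance]@REALM' into (primary, instance, realm); instance may be None."""
    m = re.fullmatch(r"([^/@]+)(?:/([^@]+))?@(.+)", auth_id)
    if not m:
        raise ValueError(f"malformed auth ID: {auth_id!r}")
    return m.groups()

def vulnerable_check(auth_id, servers):
    """Model of the pre-fix behaviour: the instance is only compared when present."""
    _, instance, _ = parse_principal(auth_id)
    if instance is None:
        return True  # the flaw: no instance part, so no server-list check at all
    return instance in authz_hosts(servers)

def fixed_check(auth_id, servers):
    """Model of the fixed behaviour: a missing instance is treated as not listed."""
    _, instance, _ = parse_principal(auth_id)
    return instance is not None and instance in authz_hosts(servers)

if __name__ == "__main__":
    s = parse_zoo_cfg(ZOO_CFG)
    for a in ("zkquorum/zk1.example.com@EXAMPLE.COM", "eve@EXAMPLE.COM"):
        print(a, "vulnerable:", vulnerable_check(a, s), "fixed:", fixed_check(a, s))
```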

Affected Versions and Solutions

Quorum Peer authentication is not enabled by default, so not all Apache ZooKeeper installations are affected. Those that use it, however, are at risk. The Apache ZooKeeper team has already released fixes for this vulnerability in versions 3.9.1, 3.8.3, and 3.7.2, and users are recommended to upgrade to one of these versions.

- Apache ZooKeeper 3.9.1
- Apache ZooKeeper 3.8.3
- Apache ZooKeeper 3.7.2

For those unable to upgrade immediately, an alternative mitigation is to ensure the ensemble election/quorum communication (the ports in the server.N entries of zoo.cfg) is protected by a firewall, so that only the listed ensemble members can reach them. This helps prevent unauthorized endpoints from joining the cluster.

Please refer to the official Apache ZooKeeper documentation for more details on correctly administering your cluster.

Conclusion

CVE-2023-44981 is a serious security flaw in Apache ZooKeeper that could expose sensitive data and enable malicious control of your data tree. It is crucial to either upgrade to a fixed version of ZooKeeper or put mitigation measures in place to protect your ensemble election/quorum communication. Stay vigilant and informed to ensure the security of your distributed applications.

Timeline

Published on: 10/11/2023 12:15:11 UTC
Last modified on: 11/01/2023 07:15:09 UTC