Researchers have discovered a critical security flaw, tracked as CVE-2023-44981, that could allow an arbitrary endpoint to join the cluster and gain full read-write access to the data tree.
Inspired by Google’s Chubby lock service, ZooKeeper offers a distributed configuration service, synchronization service, and naming registry. It’s like the nerve center for many distributed systems, maintaining a shared state and ensuring efficient coordination.
One of the key aspects of ZooKeeper is its hierarchical key-value store, which distributed applications leverage to sync their operations. To ensure reliability, ZooKeeper logs its status in local log files on its servers. These servers then communicate the information to client machines, making sure every part of the system stays in the loop.
The vulnerability appears when a particular authentication mode (SASL Quorum Peer authentication) is enabled in ZooKeeper: its authorization checks can be bypassed. The authorization step relies on the instance part of the SASL authentication ID (the host component of a principal written as primary/instance@REALM). If that instance part is missing, as in ‘eve@EXAMPLE.COM’, ZooKeeper skips the authorization altogether.
Any arbitrary endpoint could waltz in, join the cluster, and start introducing false changes. In essence, this gives the infiltrator unbridled access to read and alter the data tree. It’s a significant threat, especially given the foundational role ZooKeeper plays in many systems.
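To make the flaw concrete, here is a simplified model of the authorization decision, written as an added example for this article rather than taken from ZooKeeper’s source: a vulnerable check that skips authorization when the instance part is absent, beside a hardened check that refuses such IDs. The server list, host names and principals are constructed, and the exact patched logic in the fixed releases may differ from this model.

```python
"""Simplified model of the CVE-2023-44981 authorization flaw.

Constructed example: not ZooKeeper's own code, and the server list and
principals below are made up for illustration.
"""
import re
from typing import Dict, Optional, Set

# Kerberos-style principal: primary[/instance]@REALM
_PRINCIPAL = re.compile(
    r"^(?P<primary>[^/@]+)(?:/(?P<instance>[^@]+))?@(?P<realm>[^@]+)$"
)

# Constructed zoo.cfg-style ensemble definition: server.N=host:peerPort:electionPort
ZOO_CFG_SERVERS: Dict[str, str] = {
    "server.1": "zk1.example.com:2888:3888",
    "server.2": "zk2.example.com:2888:3888",
    "server.3": "zk3.example.com:2888:3888",
}


def configured_hosts(cfg: Dict[str, str]) -> Set[str]:
    """Host names of the configured ensemble members."""
    return {addr.split(":")[0] for addr in cfg.values()}


def instance_part(auth_id: str) -> Optional[str]:
    """Return the instance (host) component of a SASL auth ID, or None if absent."""
    m = _PRINCIPAL.match(auth_id)
    if not m:
        raise ValueError(f"malformed SASL auth id: {auth_id!r}")
    return m.group("instance")


def authorize_vulnerable(auth_id: str, cfg: Dict[str, str]) -> bool:
    """Pre-fix behaviour: the instance part is optional, and when it is
    missing the comparison against the server list is skipped entirely."""
    inst = instance_part(auth_id)
    if inst is None:
        return True  # the flaw: no instance part, no authorization check
    return inst in configured_hosts(cfg)


def authorize_fixed(auth_id: str, cfg: Dict[str, str]) -> bool:
    """Hardened behaviour: a peer must present an instance part, and that
    instance must name a configured ensemble member."""
    inst = instance_part(auth_id)
    if inst is None:
        return False  # fail closed instead of skipping the check
    return inst in configured_hosts(cfg)
```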
If you’re running any of the following versions of ZooKeeper, you might be at risk:
- Apache ZooKeeper 3.9.0
- Apache ZooKeeper 3.8.0 to 3.8.2
- Apache ZooKeeper 3.7.0 to 3.7.1
- Apache ZooKeeper versions before 3.7.0
Users are urged to upgrade to the following patched versions, which address the vulnerability:
- Apache ZooKeeper 3.9.1
- Apache ZooKeeper 3.8.3
- Apache ZooKeeper 3.7.2
For those who can’t upgrade immediately, there’s an alternate defense. Ensure that your ensemble election/quorum communication is fortified with a firewall, so that only the ensemble’s own members can reach those ports. This will act as a protective barrier, mitigating the vulnerability’s impact.