Date: Mon, 21 May 2018 09:51:42 -0700
From: Patrick Hunt <>
To: DevZooKeeper <>, UserZooKeeper <>
Subject: [CVE-2018-8012] Apache ZooKeeper Quorum Peer mutual authentication

CVE-2018-8012: Apache ZooKeeper Quorum Peer mutual authentication

Severity: Critical

The Apache Software Foundation

Versions Affected:
ZooKeeper prior to 3.4.10
ZooKeeper 3.5.0-alpha through 3.5.3-beta
The unsupported ZooKeeper 1.x through 3.3.x versions may also be affected

No authentication/authorization is enforced when a server attempts to join
a quorum. As a result, an arbitrary endpoint could join the cluster and
begin propagating counterfeit changes to the leader.

Upgrade to 3.4.10 or later (3.5.4-beta or later if on the 3.5 branch) and
enable Quorum Peer mutual authentication.

Alternatively, ensure the ensemble election/quorum communication is protected
by a firewall, which mitigates the issue.

See the documentation for more details on correct cluster administration.
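An added configuration check, not part of the advisory or of ZooKeeper itself: it parses a zoo.cfg and reports whether the three quorum.auth.* properties documented in the ZooKeeper admin guide for Quorum Peer mutual authentication are all enabled (only then is an unauthenticated peer refused), and lists the peer and election ports of every server.N entry so they can be firewalled where SASL is not yet enforced. The sample configuration and host names are constructed.

```python
"""Audit a zoo.cfg for the two CVE-2018-8012 mitigations (added example)."""
import re

# Properties documented for Quorum Peer mutual authentication (ZooKeeper 3.4.10+).
# enableSasl alone is the rolling-upgrade step; a peer is only refused once the
# learner- and server-side Require flags are true as well.
QUORUM_AUTH_KEYS = (
    "quorum.auth.enableSasl",
    "quorum.auth.learnerRequireSasl",
    "quorum.auth.serverRequireSasl",
)
SERVER_KEY_RE = re.compile(r"^server\.(\d+)$")


def parse_zoo_cfg(text):
    """Return {key: value} for a zoo.cfg, skipping blank lines and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def quorum_auth_enforced(props):
    """True only when SASL is enabled and required on both learner and server side."""
    return all(props.get(k, "false").lower() == "true" for k in QUORUM_AUTH_KEYS)


def quorum_ports(props):
    """(id, host, peer port, election port) per server.N entry.

    Handles both 'host:peer:election' and the 3.5 'host:peer:election:role;clientPort'
    form. These are the ports that must be firewalled when SASL is not enforced."""
    out = []
    for key, value in props.items():
        m = SERVER_KEY_RE.match(key)
        if not m:
            continue
        host, peer, election = value.split(";")[0].split(":")[:3]
        out.append((int(m.group(1)), host, int(peer), int(election)))
    return sorted(out)


def audit(text):
    props = parse_zoo_cfg(text)
    return {"sasl_enforced": quorum_auth_enforced(props),
            "quorum_ports": quorum_ports(props)}


# Constructed sample: SASL switched on for the rolling upgrade but not yet required.
SAMPLE_CFG = """tickTime=2000
dataDir=/var/lib/zookeeper
clientPort=2181
server.1=zk1.example.internal:2888:3888
server.2=zk2.example.internal:2888:3888
server.3=zk3.example.internal:2888:3888
quorum.auth.enableSasl=true
quorum.auth.learnerRequireSasl=false
quorum.auth.serverRequireSasl=false
"""

if __name__ == "__main__":
    print(audit(SAMPLE_CFG))  # sasl_enforced is False until both Require flags are true
```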

This issue was identified by Földi Tamás and Eugene Koontz.

