cnvd - cnvd-2024-49158

cnvd-2024-49158

Vulnerability from cnvd

Title: Apache ZooKeeper身份验证绕过漏洞

Description:

Apache ZooKeeper是Apache软件基金会下一项集中式服务，用于维护配置信息、命名、提供分布式同步以及提供组服务。

Apache ZooKeeper在3.9.3以前的版本中存在身份验证绕过漏洞。该漏洞是由于受影响版本ZooKeeper Admin Server中使用的IPAuthenticationProvider配置不当导致，攻击者可利用该漏洞执行管理服务器命令，从而导致信息泄露或服务可用性问题。

Severity: 高

Patch Name: Apache ZooKeeper身份验证绕过漏洞的补丁

Patch Description:

Apache ZooKeeper是Apache软件基金会下一项集中式服务，用于维护配置信息、命名、提供分布式同步以及提供组服务。

Apache ZooKeeper在3.9.3以前的版本中存在身份验证绕过漏洞。该漏洞是由于受影响版本ZooKeeper Admin Server中使用的IPAuthenticationProvider配置不当导致，攻击者可利用该漏洞执行管理服务器命令，从而导致信息泄露或服务可用性问题。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布了漏洞修复程序，请及时关注更新: https://lists.apache.org/thread/b3qrmpkto5r6989qr61fw9y2x646kqlh

Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-51504

Impacted products

Name
Apache Zookeeper <3.9.3

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-51504",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-51504"
    }
  },
  "description": "Apache ZooKeeper\u662fApache\u8f6f\u4ef6\u57fa\u91d1\u4f1a\u4e0b\u4e00\u9879\u96c6\u4e2d\u5f0f\u670d\u52a1\uff0c\u7528\u4e8e\u7ef4\u62a4\u914d\u7f6e\u4fe1\u606f\u3001\u547d\u540d\u3001\u63d0\u4f9b\u5206\u5e03\u5f0f\u540c\u6b65\u4ee5\u53ca\u63d0\u4f9b\u7ec4\u670d\u52a1\u3002\n\nApache ZooKeeper\u57283.9.3\u4ee5\u524d\u7684\u7248\u672c\u4e2d\u5b58\u5728\u8eab\u4efd\u9a8c\u8bc1\u7ed5\u8fc7\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u662f\u7531\u4e8e\u53d7\u5f71\u54cd\u7248\u672cZooKeeper Admin Server\u4e2d\u4f7f\u7528\u7684IPAuthenticationProvider\u914d\u7f6e\u4e0d\u5f53\u5bfc\u81f4\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u7ba1\u7406\u670d\u52a1\u5668\u547d\u4ee4\uff0c\u4ece\u800c\u5bfc\u81f4\u4fe1\u606f\u6cc4\u9732\u6216\u670d\u52a1\u53ef\u7528\u6027\u95ee\u9898\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0:\r\nhttps://lists.apache.org/thread/b3qrmpkto5r6989qr61fw9y2x646kqlh",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2024-49158",
  "openTime": "2024-12-24",
  "patchDescription": "Apache ZooKeeper\u662fApache\u8f6f\u4ef6\u57fa\u91d1\u4f1a\u4e0b\u4e00\u9879\u96c6\u4e2d\u5f0f\u670d\u52a1\uff0c\u7528\u4e8e\u7ef4\u62a4\u914d\u7f6e\u4fe1\u606f\u3001\u547d\u540d\u3001\u63d0\u4f9b\u5206\u5e03\u5f0f\u540c\u6b65\u4ee5\u53ca\u63d0\u4f9b\u7ec4\u670d\u52a1\u3002\r\n\r\nApache ZooKeeper\u57283.9.3\u4ee5\u524d\u7684\u7248\u672c\u4e2d\u5b58\u5728\u8eab\u4efd\u9a8c\u8bc1\u7ed5\u8fc7\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u662f\u7531\u4e8e\u53d7\u5f71\u54cd\u7248\u672cZooKeeper Admin Server\u4e2d\u4f7f\u7528\u7684IPAuthenticationProvider\u914d\u7f6e\u4e0d\u5f53\u5bfc\u81f4\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u7ba1\u7406\u670d\u52a1\u5668\u547d\u4ee4\uff0c\u4ece\u800c\u5bfc\u81f4\u4fe1\u606f\u6cc4\u9732\u6216\u670d\u52a1\u53ef\u7528\u6027\u95ee\u9898\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache ZooKeeper\u8eab\u4efd\u9a8c\u8bc1\u7ed5\u8fc7\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Apache Zookeeper \u003c3.9.3"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2024-51504",
  "serverity": "\u9ad8",
  "submitTime": "2024-11-08",
  "title": "Apache ZooKeeper\u8eab\u4efd\u9a8c\u8bc1\u7ed5\u8fc7\u6f0f\u6d1e"
}

CVE-2024-51504 (GCVE-0-2024-51504)

Vulnerability from cvelistv5

Published

2024-11-07 09:52

Modified

2024-11-07 16:33

Severity ?

CWE

CWE-290 - Authentication Bypass by Spoofing

Summary

When using IPAuthenticationProvider in ZooKeeper Admin Server there is a possibility of Authentication Bypass by Spoofing -- this only impacts IP based authentication implemented in ZooKeeper Admin Server. Default configuration of client's IP address detection in IPAuthenticationProvider, which uses HTTP request headers, is weak and allows an attacker to bypass authentication via spoofing client's IP address in request headers. Default configuration honors X-Forwarded-For HTTP header to read client's IP address. X-Forwarded-For request header is mainly used by proxy servers to identify the client and can be easily spoofed by an attacker pretending that the request comes from a different IP address. Admin Server commands, such as snapshot and restore arbitrarily can be executed on successful exploitation which could potentially lead to information leakage or service availability issues. Users are recommended to upgrade to version 3.9.3, which fixes this issue.

References

▼	URL	Tags
	https://lists.apache.org/thread/b3qrmpkto5r6989qr61fw9y2x646kqlh	vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache ZooKeeper	Version: 3.9.0 ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-11-07T10:03:24.899Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2024/11/06/5"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:apache:zookeeper:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unaffected",
            "product": "zookeeper",
            "vendor": "apache",
            "versions": [
              {
                "lessThan": "3.9.3",
                "status": "affected",
                "version": "3.9.0",
                "versionType": "semver"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.1,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-51504",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-07T16:31:39.548543Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-07T16:33:08.247Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.zookeeper:zookeeper",
          "product": "Apache ZooKeeper",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "3.9.3",
              "status": "affected",
              "version": "3.9.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "4ra1n"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "Y4tacker"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "When using IPAuthenticationProvider in ZooKeeper Admin Server there is a possibility of Authentication Bypass by Spoofing -- this only impacts IP based authentication implemented in ZooKeeper Admin Server. Default configuration of client\u0027s IP address detection in\u0026nbsp;IPAuthenticationProvider, which uses HTTP request headers, is weak\u0026nbsp;and allows an attacker to bypass authentication via spoofing client\u0027s IP address in request headers. Default configuration honors X-Forwarded-For HTTP header to read client\u0027s IP address. X-Forwarded-For request header is mainly used by proxy servers to identify the client and can be easily spoofed by an attacker pretending that the request comes from a different IP address. Admin Server commands, such as snapshot and restore arbitrarily can be executed on successful exploitation which could potentially lead to information leakage or service availability issues. Users are recommended to upgrade to version 3.9.3, which fixes this issue."
            }
          ],
          "value": "When using IPAuthenticationProvider in ZooKeeper Admin Server there is a possibility of Authentication Bypass by Spoofing -- this only impacts IP based authentication implemented in ZooKeeper Admin Server. Default configuration of client\u0027s IP address detection in\u00a0IPAuthenticationProvider, which uses HTTP request headers, is weak\u00a0and allows an attacker to bypass authentication via spoofing client\u0027s IP address in request headers. Default configuration honors X-Forwarded-For HTTP header to read client\u0027s IP address. X-Forwarded-For request header is mainly used by proxy servers to identify the client and can be easily spoofed by an attacker pretending that the request comes from a different IP address. Admin Server commands, such as snapshot and restore arbitrarily can be executed on successful exploitation which could potentially lead to information leakage or service availability issues. Users are recommended to upgrade to version 3.9.3, which fixes this issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "important"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-290",
              "description": "CWE-290 Authentication Bypass by Spoofing",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-07T09:52:03.957Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/b3qrmpkto5r6989qr61fw9y2x646kqlh"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache ZooKeeper: Authentication bypass with IP-based authentication in Admin Server",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2024-51504",
    "datePublished": "2024-11-07T09:52:03.957Z",
    "dateReserved": "2024-10-28T21:45:25.587Z",
    "dateUpdated": "2024-11-07T16:33:08.247Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted