Main Vulnerability Database SB2023112077

SB2023112077 - Debian update for zookeeper

Published: November 20, 2023

Security Bulletin ID SB2023112077

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Authorization bypass through user-controlled key (CVE-ID: CVE-2023-44981)

The vulnerability allows a remote attacker to bypass authorization process.

The vulnerability exists due to improper implementation of SASL Quorum Peer authentication. The instance part in SASL authentication ID, which is listed in zoo.cfg server list, is optional and if it's missing, the authorization check will be skipped. As a result an arbitrary endpoint could join the cluster and begin propagating counterfeit changes to the leader, essentially giving it complete read-write access to the data tree.

Remediation

Install update from vendor's website.

References

https://www.debian.org/security/2023/dsa-5544