PT-2018-3087 · Apache · Apache Zookeeper
Published 2018-05-21 · Updated 2024-08-15 · CVE-2018-8012
CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions
Apache ZooKeeper versions 3.5.0-alpha through 3.5.3-beta
Apache ZooKeeper versions prior to 3.4.10
Description
The issue arises from the lack of authentication when a server attempts to join a quorum in Apache ZooKeeper. This allows an arbitrary endpoint to join the cluster and propagate counterfeit changes to the leader. An attacker could exploit this to write arbitrary files to the operating system of a vulnerable device.
Recommendations
For Apache ZooKeeper versions prior to 3.4.10, update to version 3.4.10 or later.
For Apache ZooKeeper versions 3.5.0-alpha through 3.5.3-beta, update to a version later than 3.5.3-beta.
As a temporary workaround, consider restricting access to the quorum to minimize the risk of exploitation.
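The affected-version ranges above turned into an inventory check, as an added example that is not part of the advisory or of the ZooKeeper project; the inventory lines and host names are constructed, and pre-release ordering (alpha before beta before a final release) is an assumption made so that "later than 3.5.3-beta" can be evaluated.

```python
import re
from typing import List, Optional, Tuple

# Affected ranges as stated in this advisory (CVE-2018-8012):
#   - every release before 3.4.10
#   - 3.5.0-alpha through 3.5.3-beta, inclusive
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta)(\d*))?$", re.IGNORECASE)
# Assumed ordering of suffixes: alpha < beta < final release (no suffix).
_PRERELEASE_RANK = {"alpha": 0, "beta": 1, None: 2}


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn '3.5.3-beta' into a comparable tuple; rejects unknown formats."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ZooKeeper version string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    tag: Optional[str] = m.group(4).lower() if m.group(4) else None
    tag_num = int(m.group(5)) if m.group(5) else 0
    return (major, minor, patch, _PRERELEASE_RANK[tag], tag_num)


def is_affected(version: str) -> bool:
    """True when the version falls inside either range from the advisory."""
    v = parse_version(version)
    if v < parse_version("3.4.10"):
        return True
    return parse_version("3.5.0-alpha") <= v <= parse_version("3.5.3-beta")


# Constructed inventory: "<host> <zookeeper version>" per line.
SAMPLE_INVENTORY = """\
zk-a.internal 3.4.9
zk-b.internal 3.4.13
zk-c.internal 3.5.3-beta
zk-d.internal 3.5.4-beta
"""


def audit_inventory(text: str) -> List[Tuple[str, str]]:
    """Return the (host, version) pairs that still need the update."""
    affected = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, version = line.split()
        if is_affected(version):
            affected.append((host, version))
    return affected


if __name__ == "__main__":
    for host, version in audit_inventory(SAMPLE_INVENTORY):
        print(f"{host}: ZooKeeper {version} is affected by CVE-2018-8012")
```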
Fix
Missing Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Apache Zookeeper
Red Os
Ubuntu