PT-2017-4199 · Apache · Apache Zookeeper

Published: 2017-01-29 · Updated: 2024-08-15 · CVE-2017-5637

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions
Apache ZooKeeper versions prior to 3.4.10
Apache ZooKeeper versions prior to 3.5.3

Description
The issue is a lack of authentication for a critical function, namely the implementation of the wchp/wchc commands in Apache ZooKeeper, a service that provides configuration information, naming, distributed synchronization, and group services. A remote attacker can exploit it to cause a denial of service. The wchp/wchc commands are CPU intensive and, if abused, can cause a spike in CPU utilization on the Apache ZooKeeper server, leaving it unable to serve legitimate client requests.

Recommendations
For Apache ZooKeeper versions prior to 3.4.10, update to version 3.4.10 or later. For Apache ZooKeeper versions prior to 3.5.3, update to version 3.5.3 or later. As a temporary workaround, consider restricting access to the wchp and wchc commands to minimize the risk of exploitation.
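The fixed releases (3.4.10 and 3.5.3) let the operator restrict which four-letter commands the client port answers through the `4lw.commands.whitelist` property in zoo.cfg. The following audit script is an added example, not part of the advisory or of ZooKeeper itself; it assumes a server already running a fixed release and reads a zoo.cfg to report whether wchp/wchc remain reachable by unauthenticated clients.

```python
"""Audit a ZooKeeper zoo.cfg for exposure of the wchp/wchc commands.

Added example (not from the advisory). Assumes a fixed release
(3.4.10+ / 3.5.3+), where `4lw.commands.whitelist` controls which
four-letter-word commands the client port accepts.
"""
from typing import List, Optional, Set

# Commands the advisory names as CPU intensive when abused.
WATCH_COMMANDS = {"wchp", "wchc"}


def parse_whitelist(cfg_text: str) -> Optional[Set[str]]:
    """Return the whitelisted commands, or None when the property is absent."""
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # skip blanks and comments
        key, sep, value = line.partition("=")
        if sep and key.strip() == "4lw.commands.whitelist":
            return {c.strip() for c in value.split(",") if c.strip()}
    return None


def audit_4lw(cfg_text: str) -> List[str]:
    """Return findings; an empty list means wchp/wchc are not whitelisted."""
    allowed = parse_whitelist(cfg_text)
    findings: List[str] = []
    if allowed is None:
        findings.append("4lw.commands.whitelist not set; release default applies")
        return findings
    if "*" in allowed:
        findings.append("whitelist is '*': every command, including wchp/wchc, is enabled")
        return findings
    for cmd in sorted(WATCH_COMMANDS & allowed):
        findings.append(f"{cmd} is whitelisted: unauthenticated clients can trigger it")
    return findings


# Constructed sample configurations, not taken from a real deployment.
WEAK_CFG = "tickTime=2000\nclientPort=2181\n4lw.commands.whitelist=*\n"
HARDENED_CFG = "tickTime=2000\nclientPort=2181\n4lw.commands.whitelist=ruok, stat, srvr\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG)):
        print(name, audit_4lw(cfg) or ["ok"])
```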

Exploit

Fix

Weakness Enumeration

Missing Authentication
Resource Exhaustion

Related Identifiers

BDU:2022-04726
CVE-2017-5637
DLA-986-1
DSA-3871-1
GHSA-7CWJ-J333-X7F7
SUSE-SU-2020:1066-1
USN-4789-1

Affected Products

Apache Zookeeper
Red Os
Ubuntu