PT-2019-5356 · Apache · Apache Zookeeper

Published: 2019-05-23 · Updated: 2024-08-15 · CVE-2019-0201

CVSS v3.1: 5.9 (Medium)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Apache ZooKeeper versions 1.0.0 through 3.4.13
Apache ZooKeeper versions 3.5.0-alpha through 3.5.4-beta

Description

ZooKeeper's getACL() command does not perform any permission check when retrieving the ACLs of the requested node, and it returns all information contained in the ACL Id field as a plaintext string. The DigestAuthenticationProvider overloads the Id field with the hash value used for user authentication. As a consequence, when Digest Authentication is in use, an unauthenticated or unprivileged user can obtain the unsalted hash value simply by issuing a getACL() request.

Recommendations

For Apache ZooKeeper versions 1.0.0 through 3.4.13, consider disabling the DigestAuthenticationProvider to prevent the disclosure of unsalted hash values until a patch is available. For Apache ZooKeeper versions 3.5.0-alpha through 3.5.4-beta, consider restricting access to the getACL() command so that unauthenticated or unprivileged users cannot retrieve sensitive information until a patch is available. As a temporary workaround, consider disabling the getACL() command until a patch is available.

Fix

Weakness Enumeration

Incorrect Permission
Missing Authorization

Related Identifiers

BDU:2020-02563
CVE-2019-0201
DLA-1801-1
DSA-4461-1
GHSA-2HW2-62CP-P9P7
SUSE-RU-2020:2072-1
SUSE-SU-2020:1066-1
SUSE-SU-2020:1190-1
USN-6559-1

Affected Products

Apache Zookeeper
Linuxmint
Red Os
Ubuntu