Affected versions: Apache ZooKeeper before 3.4.10, and 3.5.0-alpha through 3.5.3-beta.
- The Apache JIRA issue (ZOOKEEPER-1045) is fixed in ZooKeeper 3.4.10.
- Currently, the fix for ZOOKEEPER-1045 (ZooKeeper 3.4.10) is not planned for any HDP release, as the vulnerability is less a vulnerability than a missing feature.
- ZooKeeper version 3.4.6 is present in HDP 2.3.0 through HDP 2.6.x.
- The workaround is to implement firewall rules that disallow connections to ports other than 2181.
- Customers may try to move the ZooKeeper election and follower ports into the privileged port range, but this would require additional logic to start ZK as root and then drop privileges, which does not exist as of now.
- As such, the feasible workaround for this CVE is to configure the firewall so that communication [for leader election] is allowed within the cluster. A possible way is:
(01) Keep the ACL of port 2181 unchanged (any server is allowed to access it).
(02) Forbid all access to both ports 2888 and 3888, as defined in the ZooKeeper config file zoo.cfg, except from the ZooKeeper servers themselves (to ensure they can still communicate with each other).
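The two steps above, turned into firewall rules derived from zoo.cfg itself. This is an added example, not part of the original article or of the ZooKeeper project; it assumes standard "server.N=host:peerPort:electionPort" entries with hosts given as IP addresses, a clientPort entry (defaulting to 2181), and an iptables-based host firewall. The rules are printed for review rather than applied.

```shell
# Added example: derive iptables rules from zoo.cfg that keep the client port
# open to everyone (step 01) and restrict the quorum (follower and election)
# ports to the ensemble members listed in zoo.cfg (step 02).
# Assumed: "server.N=host:peerPort:electionPort" lines with IP-address hosts,
# and a clientPort entry; rules are echoed, not applied.

zk_quorum_rules() {
    cfg="$1"
    client_port=$(sed -n 's/^clientPort=\([0-9]*\).*/\1/p' "$cfg")
    client_port=${client_port:-2181}
    # Step (01): client port ACL unchanged, any host may connect.
    echo "iptables -A INPUT -p tcp --dport ${client_port} -j ACCEPT"
    # Step (02), allow part: each server.N line yields accept rules for that
    # peer on both of its quorum ports (a trailing ":observer" or ";port" is ignored).
    sed -n 's/^server\.[0-9]*=\([^:]*\):\([0-9]*\):\([0-9]*\).*/\1 \2 \3/p' "$cfg" |
    while read -r host peer_port elect_port; do
        echo "iptables -A INPUT -p tcp -s ${host} --dport ${peer_port} -j ACCEPT"
        echo "iptables -A INPUT -p tcp -s ${host} --dport ${elect_port} -j ACCEPT"
    done
    # Step (02), deny part: every other source is dropped on the quorum ports.
    # ACCEPT rules were emitted first, so they match before these DROPs.
    sed -n 's/^server\.[0-9]*=[^:]*:\([0-9]*\):\([0-9]*\).*/\1 \2/p' "$cfg" | sort -u |
    while read -r peer_port elect_port; do
        echo "iptables -A INPUT -p tcp --dport ${peer_port} -j DROP"
        echo "iptables -A INPUT -p tcp --dport ${elect_port} -j DROP"
    done
}

# Constructed three-node zoo.cfg (sample addresses, not a real cluster).
write_sample_cfg() {
    cat > "$1" <<'EOF'
tickTime=2000
dataDir=/var/lib/zookeeper
clientPort=2181
server.1=10.0.0.11:2888:3888
server.2=10.0.0.12:2888:3888
server.3=10.0.0.13:2888:3888
EOF
}

sample_cfg=$(mktemp)
write_sample_cfg "$sample_cfg"
zk_quorum_rules "$sample_cfg"
rm -f "$sample_cfg"
```

Review the printed rules against the real ensemble membership before applying them; hostnames in zoo.cfg would need resolving to addresses first.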
o Will this issue be addressed in future versions?
As the issue has been addressed with the workaround, we have no immediate plans to backport any major features into ZooKeeper; the Product Management team is working on getting this added to the roadmap.
This vulnerability had been reported earlier, and a JIRA for it had also been raised to keep track of it. So far, the only solution for this CVE is to configure the firewall so that communication [for leader election] is allowed within the cluster.