No authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper before 3.4.10, and 3.5.0-alpha through 3.5.3-beta. As a result an arbitrary end point could join the cluster and begin propagating counterfeit changes to the leader.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

References
Link Providers
http://openwall.com/lists/oss-security/2018/05/21/6 cve-icon
http://www.securityfocus.com/bid/104253 cve-icon cve-icon
http://www.securitytracker.com/id/1040948 cve-icon cve-icon
https://cwiki.apache.org/confluence/display/ZOOKEEPER/Server-Server+mutual+authentication cve-icon
https://issues.apache.org/jira/browse/ZOOKEEPER-1045 cve-icon
https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/c75147028c1c79bdebd4f8fa5db2b77da85de2b05ecc0d54d708b393%40%3Cdev.zookeeper.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r73daf1fc5d85677d9a854707e1908d14e174b7bbb0c603709c0ab33f%40%3Coak-commits.jackrabbit.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r8f0d920805af93033c488af89104e2d682662bacfb8406db865d5e14%40%3Cdev.jackrabbit.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rc5bc4ddb0deabf8cfb69378cecee56fcdc76929bea9e6373cb863870%40%3Cdev.jackrabbit.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/re3a4048e9515d4afea416df907a612ed384a16c57cf99e97ee4a12f2%40%3Cdev.jackrabbit.apache.org%3E cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2018-8012 cve-icon
https://www.cve.org/CVERecord?id=CVE-2018-8012 cve-icon
https://www.debian.org/security/2018/dsa-4214 cve-icon cve-icon
https://www.oracle.com/security-alerts/cpujul2020.html cve-icon cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2024-09-17T00:01:04.102Z

Reserved: 2018-03-09T00:00:00

Link: CVE-2018-8012

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2018-05-21T19:29:00.250

Modified: 2024-11-21T04:13:05.407

Link: CVE-2018-8012

cve-icon Redhat

Severity : Important

Publid Date: 2018-05-22T00:00:00Z

Links: CVE-2018-8012 - Bugzilla

cve-icon OpenCVE Enrichment

No data.