Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. If SASL Quorum Peer authentication is enabled in ZooKeeper (quorum.auth.enableSasl=true), the authorization is done by verifying that the instance part in SASL authentication ID is listed in zoo.cfg server list. The instance part in SASL auth ID is optional and if it's missing, like 'eve@EXAMPLE.COM', the authorization check will be skipped. As a result an arbitrary endpoint could join the cluster and begin propagating counterfeit changes to the leader, essentially giving it complete read-write access to the data tree. Quorum Peer authentication is not enabled by default. Users are recommended to upgrade to version 3.9.1, 3.8.3, 3.7.2, which fixes the issue. Alternately ensure the ensemble election/quorum communication is protected by a firewall as this will mitigate the issue. See the documentation for more details on correct cluster administration.

The versions of Primavera Unifier installed on the remote host are affected by multiple vulnerabilities as referenced in the January 2024 CPU advisory.

  - Vulnerability in the Primavera Unifier product of Oracle Construction and Engineering (component: Platform     (Google Guava)). Supported versions that are affected are 19.12.0-19.12.16, 20.12.0-20.12.16,     21.12.0-21.12.17 and 22.12.0-22.12.11. Easily exploitable vulnerability allows low privileged attacker     with logon to the infrastructure where Primavera Unifier executes to compromise Primavera Unifier.
    Successful attacks of this vulnerability can result in unauthorized access to critical data or complete     access to all Primavera Unifier accessible data as well as unauthorized update, insert or delete access to     some of Primavera Unifier accessible data. (CVE-2023-2976)

  - Vulnerability in the Primavera Unifier product of Oracle Construction and Engineering (component: Platform     (Apache Commons Compress)). Supported versions that are affected are 19.12.0-19.12.16, 20.12.0-20.12.16,     21.12.0-21.12.17 and 22.12.0-22.12.11. Easily exploitable vulnerability allows unauthenticated attacker     with logon to the infrastructure where Primavera Unifier executes to compromise Primavera Unifier.
    Successful attacks require human interaction from a person other than the attacker. Successful attacks of     this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS)     of Primavera Unifier. (CVE-2023-42503)

  - Vulnerability in the Primavera Unifier product of Oracle Construction and Engineering (component: Document     Manager (Apache ZooKeeper)). Supported versions that are affected are 19.12.0-19.12.16, 20.12.0-20.12.16,     21.12.0-21.12.17 and 22.12.0-22.12.11. Easily exploitable vulnerability allows unauthenticated attacker     with network access via HTTP to compromise Primavera Unifier. Successful attacks of this vulnerability can     result in unauthorized read access to a subset of Primavera Unifier accessible data. (CVE-2023-44981)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 16.04 ESM / 18.04 ESM / 20.04 LTS / 22.04 LTS / 23.04 / 23.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-6559-1 advisory.

    It was discovered that ZooKeeper incorrectly handled authorization for the getACL() command. A remote     attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu     14.04 LTS and Ubuntu 16.04 LTS. (CVE-2019-0201)

    Damien Diederen discovered that ZooKeeper incorrectly handled authorization if SASL Quorum Peer     authentication is enabled. An attacker could possibly use this issue to bypass ZooKeeper's authorization     system. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 23.04 and     Ubuntu 23.10. (CVE-2023-44981)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 2bc376c0-977e-11ee-b4bc-b42e991fc52e advisory.

  - Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. If SASL Quorum Peer     authentication is enabled in ZooKeeper (quorum.auth.enableSasl=true), the authorization is done by     verifying that the instance part in SASL authentication ID is listed in zoo.cfg server list. The instance     part in SASL auth ID is optional and if it's missing, like 'eve@EXAMPLE.COM', the authorization check will     be skipped. As a result an arbitrary endpoint could join the cluster and begin propagating counterfeit     changes to the leader, essentially giving it complete read-write access to the data tree. Quorum Peer     authentication is not enabled by default. Users are recommended to upgrade to version 3.9.1, 3.8.3, 3.7.2,     which fixes the issue. Alternately ensure the ensemble election/quorum communication is protected by a     firewall as this will mitigate the issue. See the documentation for more details on correct cluster     administration. (CVE-2023-44981)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 11 / 12 host has packages installed that are affected by a vulnerability as referenced in the dsa-5544 advisory.

  - Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. If SASL Quorum Peer     authentication is enabled in ZooKeeper (quorum.auth.enableSasl=true), the authorization is done by     verifying that the instance part in SASL authentication ID is listed in zoo.cfg server list. The instance     part in SASL auth ID is optional and if it's missing, like 'eve@EXAMPLE.COM', the authorization check will     be skipped. As a result an arbitrary endpoint could join the cluster and begin propagating counterfeit     changes to the leader, essentially giving it complete read-write access to the data tree. Quorum Peer     authentication is not enabled by default. Users are recommended to upgrade to version 3.9.1, 3.8.3, 3.7.2,     which fixes the issue. Alternately ensure the ensemble election/quorum communication is protected by a     firewall as this will mitigate the issue. See the documentation for more details on correct cluster     administration. (CVE-2023-44981)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has packages installed that are affected by a vulnerability as referenced in the dla-3624 advisory.

  - Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. If SASL Quorum Peer     authentication is enabled in ZooKeeper (quorum.auth.enableSasl=true), the authorization is done by     verifying that the instance part in SASL authentication ID is listed in zoo.cfg server list. The instance     part in SASL auth ID is optional and if it's missing, like 'eve@EXAMPLE.COM', the authorization check will     be skipped. As a result an arbitrary endpoint could join the cluster and begin propagating counterfeit     changes to the leader, essentially giving it complete read-write access to the data tree. Quorum Peer     authentication is not enabled by default. Users are recommended to upgrade to version 3.9.1, 3.8.3, 3.7.2,     which fixes the issue. Alternately ensure the ensemble election/quorum communication is protected by a     firewall as this will mitigate the issue. See the documentation for more details on correct cluster     administration. (CVE-2023-44981)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Apache ZooKeeper listening on the remote host is prior to 3.7.2, 3.8.x prior to 3.8.3 or 3.9.x prior to 3.9.1. It is, therefore, affected by the following:

  - Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. If SASL Quorum Peer     authentication is enabled in ZooKeeper (quorum.auth.enableSasl=true), the authorization is done by verifying     that the instance part in SASL authentication ID is listed in zoo.cfg server list. The instance part in SASL     auth ID is optional and if it's missing, like 'eve@EXAMPLE.COM', the authorization check will be skipped. As     a result an arbitrary endpoint could join the cluster and begin propagating counterfeit changes to the leader,     essentially giving it complete read-write access to the data tree. Quorum Peer authentication is not enabled     by default. (CVE-2023-44981)     Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
189185	Oracle Primavera Unifier (January 2024 CPU)	Nessus	CGI abuses	critical
189088	Ubuntu 16.04 ESM / 18.04 ESM / 20.04 LTS / 22.04 LTS / 23.04 / 23.10 : ZooKeeper vulnerabilities (USN-6559-1)	Nessus	Ubuntu Local Security Checks	critical
186707	FreeBSD : apache -- Apache ZooKeeper: Authorization bypass in SASL Quorum Peer Authentication (2bc376c0-977e-11ee-b4bc-b42e991fc52e)	Nessus	FreeBSD Local Security Checks	critical
184099	Debian DSA-5544-1 : zookeeper - security update	Nessus	Debian Local Security Checks	critical
183523	Debian DLA-3624-1 : zookeeper - LTS security update	Nessus	Debian Local Security Checks	critical
183520	Apache ZooKeeper 3.7.x < 3.7.2, 3.8.x < 3.8.3, 3.9.x < 3.9.1 Authorization Bypass	Nessus	Misc.	critical

Detections

Analytics

CVE-2023-44981

critical

Tenable Plugins

critical

critical

critical

critical

critical

critical