Apache ZooKeeper 3.4.0 < 3.4.10 / 3.5.x < 3.5.3 Multiple Vulnerabilities

high Nessus Plugin ID 125634

Synopsis

The remote Apache ZooKeeper server is affected by multiple vulnerabilities.

Description

The version of Apache ZooKeeper listening on the remote host is prior to 3.4.10 or 3.5.x prior to 3.5.3. It is, therefore, affected by multiple vulnerabilities:

- A buffer overflow vulnerability exists in the C CLI shell. Using the 'cmd:' batch mode syntax allows attackers to have an unspecified impact via a long command string. (CVE-2016-5017)

- A denial of service (DoS) vulnerability exists due to two four-letter-word commands that cause CPU spikes on the ZooKeeper server. An unauthenticated, remote attacker can exploit this issue to cause the application to stop responding. (CVE-2017-5637)

Solution

Update to Apache ZooKeeper 3.4.10 or 3.5.3 or later.

See Also

https://zookeeper.apache.org/security.html

Plugin Details

Severity: High

ID: 125634

File Name: apache_zookeeper_3_5_3.nasl

Version: 1.4

Type: combined

Family: Misc.

Published: 5/31/2019

Updated: 10/20/2023

Configuration: Enable paranoid mode, Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2016-5017

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.3

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:apache:zookeeper

Required KB Items: Settings/ParanoidReport

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/21/2016

Vulnerability Publication Date: 9/21/2016

Reference Information

CVE: CVE-2016-5017, CVE-2017-5637

BID: 93044, 98814

IAVB: 2019-B-0041-S