{
  "threat_severity" : "Important",
  "public_date" : "2023-10-11T00:00:00Z",
  "bugzilla" : {
    "description" : "zookeeper: Authorization Bypass in Apache ZooKeeper",
    "id" : "2243436",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2243436"
  },
  "cvss3" : {
    "cvss3_base_score" : "9.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-639",
  "details" : [ "Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. If SASL Quorum Peer authentication is enabled in ZooKeeper (quorum.auth.enableSasl=true), the authorization is done by verifying that the instance part of the SASL authentication ID is listed in the zoo.cfg server list. The instance part of the SASL auth ID is optional, and if it is missing, as in 'eve@EXAMPLE.COM', the authorization check is skipped. As a result, an arbitrary endpoint could join the cluster and begin propagating counterfeit changes to the leader, essentially giving it complete read-write access to the data tree. Quorum Peer authentication is not enabled by default.\nUsers are recommended to upgrade to version 3.9.1, 3.8.3, or 3.7.2, which fix the issue.\nAlternatively, ensure the ensemble election/quorum communication is protected by a firewall, as this will mitigate the issue.\nSee the documentation for more details on correct cluster administration.", "A flaw was found in Apache ZooKeeper. Authorization bypass through a user-controlled key is possible only if SASL Quorum Peer authentication is enabled in ZooKeeper via the quorum.auth.enableSasl=true configuration. A malicious user could bypass the authorization check by using a non-existent instance part in the SASL authentication ID (which is optional); the server would then skip this check and, as a result, the attacker could join the cluster and propagate information with complete read and write access." ],
  "statement" : "Red Hat AMQ 7 Broker and Red Hat AMQ Streams 2 use Zookeeper but do not use or enable the vulnerable functionality, Peer Authentication. They are affected at Moderate Impact by this flaw.\nRed Hat Fuse 7 uses Zookeeper but does not use any of its server capabilities and as such is not vulnerable, and so is affected at Low Impact by this flaw.\nRed Hat Process Automation Manager 7 and Red Hat Decision Manager 7 do not ship zookeeper, and so are not affected by this flaw.\nRed Hat Fuse 6 and AMQ 6 use Zookeeper but are not vulnerable to this flaw, and have been assessed as Important Impact and are as such out of security support scope for this flaw.\nRed Hat Business Process Manager Suite 6, Red Hat Business Rules Management Suite 6, Red Hat JBoss Data Virtualization 6, Red Hat OpenShift Application Runtime Vert-x, and Red Hat Fuse Service Works 6 are out of security support scope for this flaw.\nAs no Red Hat products are affected at Critical Impact by this flaw, its overall impact has been reduced to Important.",
  "affected_release" : [ {
    "product_name" : "AMQ Broker 7.10.6",
    "release_date" : "2024-02-20T00:00:00Z",
    "advisory" : "RHSA-2024:0903",
    "cpe" : "cpe:/a:redhat:amq_broker:7.10"
  }, {
    "product_name" : "Red Hat AMQ Broker 7",
    "release_date" : "2024-05-21T00:00:00Z",
    "advisory" : "RHSA-2024:2945",
    "cpe" : "cpe:/a:redhat:amq_broker:7.12"
  }, {
    "product_name" : "Red Hat AMQ Broker 7.11.6",
    "release_date" : "2024-02-06T00:00:00Z",
    "advisory" : "RHSA-2024:0705",
    "cpe" : "cpe:/a:redhat:amq_broker:7.11",
    "package" : "zookeeper",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat AMQ Streams 2.6.0",
    "release_date" : "2023-12-06T00:00:00Z",
    "advisory" : "RHSA-2023:7678",
    "cpe" : "cpe:/a:redhat:amq_streams:2",
    "package" : "zookeeper",
    "impact" : "moderate"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat BPM Suite 6",
    "fix_state" : "Out of support scope",
    "package_name" : "zookeeper",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform"
  }, {
    "product_name" : "Red Hat Decision Manager 7",
    "fix_state" : "Not affected",
    "package_name" : "zookeeper",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Not affected",
    "package_name" : "zookeeper",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat JBoss A-MQ 6",
    "fix_state" : "Out of support scope",
    "package_name" : "zookeeper",
    "cpe" : "cpe:/a:redhat:jboss_amq:6",
    "impact" : "important"
  }, {
    "product_name" : "Red Hat JBoss BRMS 6",
    "fix_state" : "Out of support scope",
    "package_name" : "zookeeper",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Data Virtualization 6",
    "fix_state" : "Out of support scope",
    "package_name" : "zookeeper",
    "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Out of support scope",
    "package_name" : "zookeeper",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6",
    "impact" : "important"
  }, {
    "product_name" : "Red Hat JBoss Fuse Service Works 6",
    "fix_state" : "Out of support scope",
    "package_name" : "zookeeper",
    "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6"
  }, {
    "product_name" : "Red Hat OpenShift Application Runtimes",
    "fix_state" : "Out of support scope",
    "package_name" : "zookeeper",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Not affected",
    "package_name" : "zookeeper",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-44981\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-44981\nhttps://lists.apache.org/thread/wf0yrk84dg1942z1o74kd8nycg6pgm5b" ],
  "name" : "CVE-2023-44981",
  "mitigation" : {
    "value" : "According to Apache's documentation: Ensure the ensemble election/quorum communication is protected by a firewall, as this will mitigate the issue.",
    "lang" : "en:us"
  },
  "csaw" : false
}