621034 – (CVE-2017-5637) <sys-cluster/zookeeper-bin-3.4.10: DOS attack on wchp/wchc four letter words (CVE-2017-5637)

Bug 621034 (CVE-2017-5637) - <sys-cluster/zookeeper-bin-3.4.10: DOS attack on wchp/wchc four letter words (CVE-2017-5637)

Summary: <sys-cluster/zookeeper-bin-3.4.10: DOS attack on wchp/wchc four letter words ...

Status:	RESOLVED FIXED

Alias:	CVE-2017-5637

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial (vote)
Assignee:	Gentoo Security

URL:	https://issues.apache.org/jira/browse...
Whiteboard:	~3 [noglsa cve]
Keywords:

Depends on:
Blocks:

Reported:	2017-06-06 14:36 UTC by Volkan
Modified:	2017-07-16 01:44 UTC (History)
CC List:	2 users (show)

See Also:	https://bugzilla.redhat.com/show_bug.cgi?id=1454808
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Volkan 2017-06-06 14:36:57 UTC

Vulnerable versions {3.4.0, 3.5.1, 3.5.2} are not in tree.
Upstream states vulnerability is fixed in versions 3.4.10(in tree), 3.5.3, 3.6.0

Incorrect input validation with wchp/wchc four letter words.

Two four letter word commands “wchp/wchc” are CPU intensive and could cause spike of CPU utilization on ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests.

Upstream issue:

https://issues.apache.org/jira/browse/ZOOKEEPER-2693

References:

https://vulners.com/exploitdb/EDB-ID:41277

Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev

2017-06-06 14:56:24 UTC

Package was never stabilized; Fixed version already in repository.


@ Maintainer(s): Please cleanup and drop =sys-cluster/zookeeper-bin-3.4.9!

Comment 2 Aaron Bauman (RETIRED) gentoo-dev

2017-07-16 01:44:41 UTC

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=39cc1bec1e22b7d0dd0db539cf2193ca26c280e9