CVE-2023-44981: Apache ZooKeeper: Authorization bypass in SASL Quorum Peer Authentication

Published Oct 11, 2023

When SASL Quorum Peer authentication is enabled (quorum.auth.enableSasl=true), Apache ZooKeeper authorizes a connecting peer by checking the instance part of its SASL authentication ID against the server list in zoo.cfg. Because the instance part is optional, a principal that omits it skips that check altogether. An attacker who can reach the quorum/election ports and authenticate as such a principal can join the ensemble as an arbitrary endpoint and propagate counterfeit changes to the leader, gaining read-write access to the data tree.

Other sources

Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. If SASL Quorum Peer authentication is enabled in ZooKeeper (quorum.auth.enableSasl=true), the authorization is done by verifying that the instance part in SASL authentication ID is listed in zoo.cfg server list. The instance part in SASL auth ID is optional and if it's missing, like 'eve@EXAMPLE.COM', the authorization check will be skipped. As a result an arbitrary endpoint could join the cluster and begin propagating counterfeit changes to the leader, essentially giving it complete read-write access to the data tree. Quorum Peer authentication is not enabled by default. Users are recommended to upgrade to version 3.9.1, 3.8.3, 3.7.2, which fixes the issue. Alternately ensure the ensemble election/quorum communication is protected by a firewall as this will mitigate the issue. See the documentation for more details on correct cluster administration.

Ubuntu

Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. If SASL Quorum Peer authentication is enabled in ZooKeeper (quorum.auth.enableSasl=true), the authorization is done by verifying that the instance part in SASL authentication ID is listed in zoo.cfg server list. The instance part in SASL auth ID is optional and if it's missing, like 'eve', the authorization check will be skipped. As a result an arbitrary endpoint could join the cluster and begin propagating counterfeit changes to the leader, essentially giving it complete read-write access to the data tree. Quorum Peer authentication is not enabled by default.

Users are recommended to upgrade to version 3.9.1, 3.8.3, 3.7.2, which fixes the issue.

Alternately ensure the ensemble election/quorum communication is protected by a firewall as this will mitigate the issue.

See the documentation for more details on correct cluster administration.

https://lists.apache.org/thread/wf0yrk84dg1942z1o74kd8nycg6pgm5b
http://www.openwall.com/lists/oss-security/2023/10/11/4
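The check described above, modelled in Python as an added example (this is not ZooKeeper's own code, and the real implementation lives in the project's Java SASL callback handler). It parses a constructed zoo.cfg excerpt, splits a Kerberos authentication ID into primary/instance/realm, and runs the pre-fix logic (instance part optional, check skipped when absent) beside a fail-closed version over four constructed principals, including the instance-less 'eve@EXAMPLE.COM' case from the advisory. The hostnames, the 'zkquorum' primary and the 2888/3888 ports are assumptions for the sample; the peer list it derives is also the allow-list you would feed a firewall for the mitigation mentioned above.

```python
"""Model of the CVE-2023-44981 quorum peer authorization check (added example,
not ZooKeeper's code). Authentication ID grammar: primary[/instance][@REALM]."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed zoo.cfg excerpt (sample input, not from a real deployment).
ZOO_CFG = """\
tickTime=2000
dataDir=/var/lib/zookeeper
clientPort=2181
quorum.auth.enableSasl=true
quorum.auth.learnerRequireSasl=true
quorum.auth.serverRequireSasl=true
server.1=zk1.example.com:2888:3888
server.2=zk2.example.com:2888:3888
server.3=zk3.example.com:2888:3888
"""


def parse_zoo_cfg(text: str) -> Dict[str, str]:
    """Parse key=value lines of zoo.cfg, skipping blanks and '#' comments."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def sasl_quorum_enabled(cfg: Dict[str, str]) -> bool:
    """The flaw is only reachable when quorum.auth.enableSasl=true."""
    return cfg.get("quorum.auth.enableSasl", "false").lower() == "true"


def quorum_peers(cfg: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(host, quorumPort, electionPort) for every server.N entry, in N order.
    Anything after ';' (client port) or a fourth ':' field (role) is ignored."""
    keys = sorted((k for k in cfg if k.startswith("server.")),
                  key=lambda k: int(k.split(".", 1)[1]))
    peers = []
    for key in keys:
        parts = cfg[key].split(";", 1)[0].split(":")
        host, qport, eport = (parts + ["", ""])[:3]
        peers.append((host, qport, eport))
    return peers


@dataclass(frozen=True)
class KerberosName:
    """Kerberos principal split into primary, optional instance, optional realm."""
    primary: str
    instance: Optional[str]
    realm: Optional[str]

    @classmethod
    def parse(cls, name: str) -> "KerberosName":
        realm: Optional[str] = None
        if "@" in name:
            name, realm = name.rsplit("@", 1)
        primary, _, instance = name.partition("/")
        return cls(primary, instance or None, realm or None)


def authorize_vulnerable(auth_id: str, allowed_hosts: Set[str]) -> bool:
    """Pre-fix logic as the advisory describes it: the instance part is optional
    and, when absent, the server-list check is skipped entirely."""
    kn = KerberosName.parse(auth_id)
    if kn.instance is None:
        return True                      # CVE-2023-44981: no instance, no check
    return kn.instance in allowed_hosts


def authorize_fixed(auth_id: str, allowed_hosts: Set[str]) -> bool:
    """Fail closed: a principal with no instance part is never a known peer."""
    kn = KerberosName.parse(auth_id)
    return kn.instance is not None and kn.instance in allowed_hosts


# Constructed authentication IDs: two legitimate peers, one unknown host, and
# the instance-less principal from the advisory.
AUTH_IDS = [
    "zkquorum/zk2.example.com@EXAMPLE.COM",
    "zkquorum/zk3.example.com",
    "zkquorum/rogue.example.com@EXAMPLE.COM",
    "eve@EXAMPLE.COM",
]


def evaluate(cfg_text: str = ZOO_CFG, auth_ids=AUTH_IDS) -> Dict[str, Tuple[bool, bool]]:
    """Map each auth ID to (accepted_by_vulnerable_check, accepted_by_fixed_check)."""
    cfg = parse_zoo_cfg(cfg_text)
    hosts = {host for host, _, _ in quorum_peers(cfg)}
    return {aid: (authorize_vulnerable(aid, hosts), authorize_fixed(aid, hosts))
            for aid in auth_ids}


if __name__ == "__main__":
    cfg = parse_zoo_cfg(ZOO_CFG)
    print("SASL quorum auth enabled:", sasl_quorum_enabled(cfg))
    print("Peers to allow on the quorum/election ports (firewall mitigation):")
    for host, qport, eport in quorum_peers(cfg):
        print(f"  {host}  tcp/{qport}  tcp/{eport}")
    for aid, (vuln, fixed) in evaluate().items():
        print(f"{aid:42} vulnerable={vuln!s:5} fixed={fixed}")
```

Running it shows 'eve@EXAMPLE.COM' accepted by the pre-fix check and rejected by the fail-closed one, while the unknown host 'rogue.example.com' is rejected by both: the bypass is specifically the absent instance, not a forged hostname. The `quorum_peers` output is the set of hosts and ports that should be the only sources permitted on 2888/3888 if you rely on the firewall mitigation instead of upgrading.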

Red Hat

Affected Software

21 affected components; fixes available

Component                            | Affected versions          | Fixed in
Apache ZooKeeper                     | < 3.7.2                    | 3.7.2
Apache ZooKeeper                     | >= 3.8.0, < 3.8.3          | 3.8.3
Apache ZooKeeper                     | 3.9.0                      | 3.9.1
ubuntu/zookeeper                     | < 3.4.13-3ubuntu0.1~       | 3.4.13-3ubuntu0.1~
ubuntu/zookeeper                     | < 3.4.13-5ubuntu0.1        | 3.4.13-5ubuntu0.1
ubuntu/zookeeper                     | < 3.4.13-6ubuntu4.1        | 3.4.13-6ubuntu4.1
ubuntu/zookeeper                     | < 3.8.0-10ubuntu0.1        | 3.8.0-10ubuntu0.1
ubuntu/zookeeper                     | < 3.7.2, < 3.8.3, < 3.9.1  | 3.7.2, 3.8.3, 3.9.1
ubuntu/zookeeper                     | < 3.8.0-11ubuntu0.1        | 3.8.0-11ubuntu0.1
debian/zookeeper                     | <= 3.4.13-2                | 3.4.13-2+deb10u1, 3.4.13-6+deb11u1, 3.8.0-11+deb12u1, 3.9.1-1
maven/org.apache.zookeeper:zookeeper | >= 3.9.0, < 3.9.1          | 3.9.1
maven/org.apache.zookeeper:zookeeper | >= 3.8.0, < 3.8.3          | 3.8.3
maven/org.apache.zookeeper:zookeeper | < 3.7.2                    | 3.7.2
IBM Cognos Analytics                 | 12.0 to 12.0.2             | (none listed)
IBM Cognos Analytics                 | 11.2.0 to 11.2.4 FP2       | (none listed)
redhat/zookeeper                     | < 3.9.1                    | 3.9.1
redhat/zookeeper                     | < 3.8.3                    | 3.8.3
redhat/zookeeper                     | < 3.7.2                    | 3.7.2
Debian Linux                         | 10.0                       | (none listed)
Debian Linux                         | 11.0                       | (none listed)
Debian Linux                         | 12.0                       | (none listed)

Event History

Oct 11, 2023
  CVE Published via Ubuntu, 12:00 AM
  CVE Published via MITRE, 11:55 AM
  Data Sourced via MITRE, 11:55 AM (Description, Weakness)
  Advisory Published via GitHub, 12:30 PM
  Data Sourced via Red Hat, 11:51 PM (Description, Severity, Affected Software)

Jan 17, 2024
  Data Sourced via Launchpad, 04:12 PM (Description)



Frequently Asked Questions

1. What is CVE-2023-44981?

CVE-2023-44981 is an authorization bypass through a user-controlled key (CWE-639) in Apache ZooKeeper's SASL Quorum Peer authentication: a SASL authentication ID with no instance part skips the zoo.cfg server-list check that is supposed to restrict which hosts may act as quorum peers.

2. What is the severity of CVE-2023-44981?

The severity of CVE-2023-44981 is critical with a CVSS score of 9.1.

3. How does CVE-2023-44981 affect Apache ZooKeeper?

When quorum.auth.enableSasl=true, an arbitrary endpoint that authenticates with an instance-less principal can join the ensemble as a quorum peer and propagate counterfeit changes to the leader, which amounts to read-write access to the data tree. Quorum Peer authentication is off by default, so ensembles that never enabled it are not exposed to this flaw.

4. Which versions of Apache ZooKeeper are affected by CVE-2023-44981?

CVE-2023-44981 affects Apache ZooKeeper 3.9.0, 3.8.0 through 3.8.2, and all releases before 3.7.2. Versions 3.9.1, 3.8.3 and 3.7.2 contain the fix.

5. How can I fix CVE-2023-44981?

Upgrade Apache ZooKeeper to 3.9.1, 3.8.3 or 3.7.2 (or a later release on the same line). If an upgrade is not immediately possible, restrict the ensemble's quorum and election ports with a firewall so that only the servers listed in zoo.cfg can reach them.

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203