Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS03Y3dqLWozMzMteDdmN83vMQ

Uncontrolled Resource Consumption in Apache ZooKeeper

Two four letter word commands "wchp/wchc" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests. Apache ZooKeeper thru version 3.4.9 and 3.5.2 suffer from this issue, fixed in 3.4.10, 3.5.3, and later.

Permalink: https://github.com/advisories/GHSA-7cwj-j333-x7f7
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03Y3dqLWozMzMteDdmN83vMQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: almost 2 years ago

CVSS Score: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Percentage: 0.06498
EPSS Percentile: 0.93657

Identifiers: GHSA-7cwj-j333-x7f7, CVE-2017-5637
References:

• https://nvd.nist.gov/vuln/detail/CVE-2017-5637
• https://access.redhat.com/errata/RHSA-2017:2477
• https://access.redhat.com/errata/RHSA-2017:3354
• https://access.redhat.com/errata/RHSA-2017:3355
• https://issues.apache.org/jira/browse/ZOOKEEPER-2693
• https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E
• https://lists.apache.org/thread.html/58170aeb7a681d462b7fa31cae81110cbb749d2dc83c5736a0bb8370@%3Cdev.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E
• https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E
• https://www.oracle.com//security-alerts/cpujul2021.html
• https://www.oracle.com/security-alerts/cpujul2020.html
• http://www.debian.org/security/2017/dsa-3871
• http://www.securityfocus.com/bid/98814
• https://github.com/advisories/GHSA-7cwj-j333-x7f7

Blast Radius: 34.0

Affected Packages