Description

Two four letter word commands "wchp/wchc" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests. Apache ZooKeeper thru version 3.4.9 and 3.5.2 suffer from this issue, fixed in 3.4.10, 3.5.3, and later.

Remediation

References

https://issues.apache.org/jira/browse/ZOOKEEPER-2693

http://www.securityfocus.com/bid/98814

http://www.debian.org/security/2017/dsa-3871

https://access.redhat.com/errata/RHSA-2017:3355

https://access.redhat.com/errata/RHSA-2017:3354

https://access.redhat.com/errata/RHSA-2017:2477

https://www.oracle.com/security-alerts/cpujul2020.html

https://www.oracle.com//security-alerts/cpujul2021.html

https://lists.apache.org/thread.html/58170aeb7a681d462b7fa31cae81110cbb749d2dc83c5736a0bb8370%40%3Cdev.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E

https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E

https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E

Related Vulnerabilities

CVE-2021-46089 Vulnerability in maven package org.jeecgframework.boot:jeecg-boot-base-core

CVE-2020-2170 Vulnerability in maven package org.jenkins-ci.plugins:rapiddeploy-jenkins

CVE-2022-45390 Vulnerability in maven package io.loader:loaderio-jenkins-plugin

CVE-2023-22465 Vulnerability in maven package org.http4s:http4s-core_2.13

CVE-2017-2600 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

Severity

High

Classification

CWE-400 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Tags

Issue Tracking Mitigation Vendor Advisory VDB Entry Third Party Advisory