On October 11, 2023, the Apache ZooKeeper™ project announced that a security vulnerability, CVE-2023-44981, had been identified in Apache ZooKeeper. The Apache ZooKeeper project has classified the severity of this CVE as critical. The NVD (National Vulnerability Database) has assigned it a CVSS (Common Vulnerability Scoring System) 3.x base score of 9.1 (Critical).
When considered in the context of the standard security controls implemented by Instaclustr’s Managed Platform, we have assessed the residual risk as Low.
This vulnerability applies to Apache ZooKeeper version 3.9.0, version 3.8.0 through 3.8.2, version 3.7.0 through 3.7.1, and Apache ZooKeeper before 3.7.0.
When SASL Quorum Peer authentication is enabled (quorum.auth.enableSasl=true), the authorization check verifies that the FQDN (Fully Qualified Domain Name) in the SASL authentication ID of the incoming request is listed in the known servers list in the Quorum server's zoo.cfg. However, the FQDN is an optional part of the SASL authentication ID, and when it is omitted the authorization check is skipped entirely. This could lead to unauthorized access to the data tree and allow an arbitrary endpoint to join the cluster and make changes to the leader. By default, Quorum Peer Authentication is not enabled.
Instaclustr performed an investigation into this vulnerability and its potential impact on customers of our Managed Kafka and Managed ZooKeeper services, and assessed its severity rating in the Instaclustr environment as Low. The finding is itemized below:
- Quorum Peer authentication is not enabled by default, and Instaclustr has not explicitly enabled this. Therefore, our Managed Kafka clusters (with Colocated ZooKeeper or Dedicated ZooKeeper) and Managed ZooKeeper clusters are not affected.
Based on the impact detailed above, Instaclustr recommends the following actions for our customers:
- Managed Service Customers (customers using colocated, dedicated, or managed ZooKeeper):
Based on the investigation, we believe that our managed service customers do not need to take any immediate action to mitigate this vulnerability. This CVE does not impact our Managed Kafka or Managed ZooKeeper clusters because Quorum Peer authentication is not enabled by default and has not been explicitly enabled by Instaclustr.
- Support Only Customers:
For support only customers, we first recommend checking whether Quorum Peer authentication is enabled. Open the zoo.cfg file of the ZooKeeper installation in use and look for the “quorum.auth.enableSasl=” setting. If it is not present, no further action is required. If it is set to true, we recommend the following actions:
- Ensure the ensemble's election/Quorum communication is protected by a firewall; this mitigates the risk. Reach out to the Instaclustr Support team for help.
- Upgrade to version 3.9.1, 3.8.3, or 3.7.2, each of which contains a fix for this issue.
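The following script is an added example written for this advisory; it is not Instaclustr's or the ZooKeeper project's own code. It walks through the check described above for support only customers (read zoo.cfg, look for quorum.auth.enableSasl, compare the running version against the affected ranges listed earlier) and, for the authorization flaw described in the vulnerability summary, models the check in which a missing FQDN causes the known-servers comparison to be skipped, next to an assumed strict variant that treats a missing FQDN as a failure. The sample zoo.cfg, its host names, the version-range table and the two check functions are all constructed here from the advisory text; the strict variant is an assumption for comparison, not a description of the upstream fix.

```python
"""Assess one ZooKeeper node against CVE-2023-44981 as the advisory describes.

Added example, not Instaclustr's or the ZooKeeper project's code.
"""
import re
from typing import Dict, Optional, Set, Tuple

# Constructed sample configuration: quorum SASL is switched on and three
# ensemble members are listed. Host names are placeholders.
SAMPLE_ZOO_CFG = """\
# constructed zoo.cfg
tickTime=2000
dataDir=/var/lib/zookeeper
clientPort=2181
quorum.auth.enableSasl=true
server.1=zk1.example.internal:2888:3888
server.2=zk2.example.internal:2888:3888
server.3=zk3.example.internal:2888:3888
"""


def parse_zoo_cfg(text: str) -> Dict[str, str]:
    """Read key=value lines, skipping blanks and '#' comments."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def quorum_sasl_enabled(cfg: Dict[str, str]) -> bool:
    """The setting the advisory tells support-only customers to look for."""
    return cfg.get("quorum.auth.enableSasl", "false").lower() == "true"


def known_server_hosts(cfg: Dict[str, str]) -> Set[str]:
    """Hosts from server.N=host:peerPort:electionPort[;clientPort] entries."""
    hosts: Set[str] = set()
    for key, value in cfg.items():
        if re.fullmatch(r"server\.\d+", key):
            hosts.add(value.split(";", 1)[0].split(":", 1)[0])
    return hosts


def parse_version(version: str) -> Tuple[int, int, int]:
    """'3.8.3' -> (3, 8, 3); a '-SNAPSHOT'-style suffix is ignored."""
    nums = [int(p) for p in version.split("-", 1)[0].split(".")[:3]]
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]


def is_affected_version(version: str) -> bool:
    """Affected ranges as listed in the advisory; fixed in 3.9.1, 3.8.3, 3.7.2."""
    major, minor, patch = parse_version(version)
    if (major, minor) < (3, 7):
        return True        # everything before 3.7.0
    if (major, minor) == (3, 7):
        return patch <= 1  # 3.7.0 - 3.7.1
    if (major, minor) == (3, 8):
        return patch <= 2  # 3.8.0 - 3.8.2
    if (major, minor) == (3, 9):
        return patch == 0  # 3.9.0
    return False           # later releases are not in the advisory's affected list


def _host_part(sasl_id: str) -> Optional[str]:
    """'zookeeper/zk1.example.internal@REALM' -> 'zk1.example.internal'; None if absent."""
    principal = sasl_id.split("@", 1)[0]
    return principal.split("/", 1)[1] if "/" in principal else None


def authz_check_as_described(sasl_id: str, known_hosts: Set[str]) -> bool:
    """Model of the check the advisory describes: the FQDN must be a known
    server, but when the optional FQDN is missing the check is skipped."""
    host = _host_part(sasl_id)
    if host is None:
        return True        # the flaw: no FQDN, no check
    return host in known_hosts


def authz_check_strict(sasl_id: str, known_hosts: Set[str]) -> bool:
    """Assumed hardened variant for comparison: a missing FQDN is a failure."""
    host = _host_part(sasl_id)
    return host is not None and host in known_hosts


def assess(cfg_text: str, version: str) -> str:
    """Apply the advisory's decision procedure to one node."""
    cfg = parse_zoo_cfg(cfg_text)
    if not quorum_sasl_enabled(cfg):
        return "NOT_AFFECTED_SASL_DISABLED"
    if not is_affected_version(version):
        return "NOT_AFFECTED_FIXED_VERSION"
    return "AFFECTED_FIREWALL_AND_UPGRADE"


if __name__ == "__main__":
    hosts = known_server_hosts(parse_zoo_cfg(SAMPLE_ZOO_CFG))
    for ver in ("3.9.0", "3.9.1", "3.6.4"):
        print(ver, assess(SAMPLE_ZOO_CFG, ver))
    for sid in ("zookeeper/zk1.example.internal@EXAMPLE", "zookeeper@EXAMPLE"):
        print(sid, authz_check_as_described(sid, hosts), authz_check_strict(sid, hosts))
```

To run it against a real node, pass the contents of its zoo.cfg and the installed version string to `assess()`; a result of `NOT_AFFECTED_SASL_DISABLED` corresponds to the "no further action" case above, while `AFFECTED_FIREWALL_AND_UPGRADE` means the firewall and upgrade steps apply.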
Contact Instaclustr Support with any further questions regarding this vulnerability and its relation to Instaclustr for Apache ZooKeeper.