Fluid Attacks Database

Description

Uncontrolled Resource Consumption in Apache ZooKeeper Two four letter word commands "wchp/wchc" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests. Apache ZooKeeper thru version 3.4.9 and 3.5.2 suffer from this issue, fixed in 3.4.10, 3.5.3, and later.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	zookeeper	>=0 <3.4.9-3	3.4.9-3
maven	org.apache.zookeeper:zookeeper	>=3.4.0 <3.4.10 \|\| >=3.5.0 <3.5.3	3.4.10, 3.5.3
debian 11	zookeeper	>=0 <3.4.9-3	3.4.9-3
debian 12	zookeeper	>=0 <3.4.9-3	3.4.9-3
debian 13	zookeeper	>=0 <3.4.9-3	3.4.9-3

Aliases

1. CVE-2017-56372. NVD-2017-56373. OSV-DEBIAN-2017-56374. OSV-2017-56375. GCVE-2017-56376. SECURITY-TRACKER-CVE-2017-56377. access.redhat.com8. access.redhat.com9. access.redhat.com

References

1. https://issues.apache.org/jira/browse/ZOOKEEPER-26932. https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E3. https://lists.apache.org/thread.html/58170aeb7a681d462b7fa31cae81110cbb749d2dc83c5736a0bb8370@%3Cdev.zookeeper.apache.org%3E4. https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E5. https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E6. https://www.oracle.com//security-alerts/cpujul2021.html7. https://www.oracle.com/security-alerts/cpujul2020.html8. http://www.debian.org/security/2017/dsa-38719. http://www.securityfocus.com/bid/98814