The implementation of the getACL() command in the centralized service for managing configuration information, naming, distributed synchronization, and providing group services in Apache ZooKeeper is vulnerable. This vulnerability allows attackers to exploit certain hash function values.

🗓️ 02 Jun 2020 00:00:00Reported by FSTEC of Russia — Information Security Threat DatabaseType

The get access control function in ZooKeeper service has a permission flaw exploitable by hash values.

Reporter	Title	Published	Views	Family All 96
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities have been identified in DB2 that affect the IBM Performance Management product	20 May 202014:01	–	ibm
IBM Security Bulletins	Security Bulletin: Watson Explorer is affected by an Apache Zookeeper vulnerability (CVE-2019-0201)	19 Aug 201910:30	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Netcool Agile Service Manager is affected by an Apache Zookeeper vulnerability (CVE-2019-0201)	16 Jul 201905:10	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Db2® Warehouse has released a fix in response to multiple vulnerabilities found in IBM Db2®	19 Apr 202116:53	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Event Streams is affected by Apache ZooKeeper vulnerability CVE-2019-0201	12 Jul 201913:45	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Sterling B2B Integrator B2B API vulnerable to multiple issues due to Apache Zookeeper (CVE-2019-0201, CVE-2021-21409)	19 Oct 202219:30	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Planning Analytics Workspace is affected by security vulnerabilities	24 Sep 202116:54	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities (CVE-2017-5637, CVE-2019-0201, CVE-2018-8012, CVE-2023-44981)	8 Oct 202418:03	–	ibm
IBM Security Bulletins	Security Bulletin: Netcool Operations Insight - Cloud Native Event Analytics is affected by an Apache Zookeeper vulnerability (CVE-2019-0201)	20 Dec 201908:47	–	ibm
IBM Security Bulletins	Security Bulletin: Apache ZooKeeper as used by IBM QRadar SIEM is vulnerable to information disclosure (CVE-2019-0201)	21 Sep 202014:25	–	ibm

Vulners

Node

novell suse_openstack_cloudMatch8

red_hat jboss_fuseMatch7

red_hat jboss_fuseMatch6.3

red_hat jboss_a-mqMatch6.3

novell hpe_helion_openstackMatch8

novell suse_openstack_cloudMatch9

apache zookeeperRange1.0.0–3.4.13

apache zookeeperRange3.5.0-alpha–3.5.4-beta

red_hat red_hat_jboss_data_virtualizationMatch6.4

oracle oracle_timesten_in-memory_databaseRange<18.1.3.1.0

Source	Link
issues	www.issues.apache.org/jira/browse/ZOOKEEPER-1392
debian	www.debian.org/security/2019/dsa-4461
lists	www.lists.debian.org/debian-lts-announce/2019/05/msg00033.html
suse	www.suse.com/security/cve/CVE-2019-0201/
access	www.access.redhat.com/security/cve/CVE-2019-0201
oracle	www.oracle.com/security-alerts/cpuoct2020.html
wiki	www.wiki.astralinux.ru/astra-linux-se15-bulletin-20201201SE15
strelets	www.strelets.net/patchi-i-obnovleniya-bezopasnosti
repo	www.repo.red-soft.ru/redos/7.3c/x86_64/updates/
web	www.web.nvd.nist.gov/view/vuln/detail

27 Aug 2024 00:00Current

6.8Medium risk

Vulners AI Score6.8

CVSS 25.4

CVSS 35.9

EPSS0.00212