CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS
Percentile
72.6%
The version of Apache ZooKeeper listening on the remote host is prior to 3.7.2, 3.8.x prior to 3.8.3 or 3.9.x prior to 3.9.1. It is, therefore, affected by the following:
#%NASL_MIN_LEVEL 80900
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable, Inc.
#
include('compat.inc');
if (description)
{
script_id(183520);
script_version("1.1");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/23");
script_cve_id("CVE-2023-44981");
script_name(english:"Apache ZooKeeper 3.7.x < 3.7.2, 3.8.x < 3.8.3, 3.9.x < 3.9.1 Authorization Bypass");
script_set_attribute(attribute:"synopsis", value:
"The remote Apache ZooKeeper server is affected by an authorization bypass vulnerability.");
script_set_attribute(attribute:"description", value:
"The version of Apache ZooKeeper listening on the remote host is prior to 3.7.2, 3.8.x prior to 3.8.3 or 3.9.x prior
to 3.9.1. It is, therefore, affected by the following:
- Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. If SASL Quorum Peer
authentication is enabled in ZooKeeper (quorum.auth.enableSasl=true), the authorization is done by verifying
that the instance part in SASL authentication ID is listed in zoo.cfg server list. The instance part in SASL
auth ID is optional and if it's missing, like '[email protected]', the authorization check will be skipped. As
a result an arbitrary endpoint could join the cluster and begin propagating counterfeit changes to the leader,
essentially giving it complete read-write access to the data tree. Quorum Peer authentication is not enabled
by default. (CVE-2023-44981)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://zookeeper.apache.org/security.html");
script_set_attribute(attribute:"solution", value:
"Update to Apache ZooKeeper 3.7.2, 3.8.3, 3.9.1 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-44981");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2023/10/11");
script_set_attribute(attribute:"patch_publication_date", value:"2023/10/11");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/10/20");
script_set_attribute(attribute:"potential_vulnerability", value:"true");
script_set_attribute(attribute:"plugin_type", value:"combined");
script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:zookeeper");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("apache_zookeeper_detect.nasl");
script_require_keys("Settings/ParanoidReport");
script_require_ports("Services/zookeeper", 2181);
exit(0);
}
include("vcf.inc");
var port = get_service(svc:"zookeeper", default:2181, exit_on_fail:TRUE);
var app_info = vcf::get_app_info(app:"Apache Zookeeper", port:port, service:TRUE);
# We can't check whether SASL Quorum Peer authentication is enabled
# so paranoid report.
if (report_paranoia < 2) audit(AUDIT_PARANOID);
var constraints = [
{ "min_version" : "0.0", "fixed_version" : "3.7.2" },
{ "min_version" : "3.8.0", "fixed_version" : "3.8.3" },
{ "min_version" : "3.9.0", "fixed_version" : "3.9.1" },
];
vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);