CVE-2019-0201
Information Disclosure vulnerability in zookeeper (Maven)
What is CVE-2019-0201 About?
This vulnerability in Apache ZooKeeper leads to Information Disclosure due to the `getACL()` command not checking permissions. It can expose sensitive authentication hash values in plaintext, even to unauthenticated or unprivileged users. This significantly eases unauthorized access by revealing user credentials.
Affected Software
- org.apache.zookeeper:zookeeper
  - >1.0.0, <3.4.14
  - >3.5.0, <3.5.5
Technical Details
Apache ZooKeeper versions 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta are affected by an Information Disclosure vulnerability. The getACL() command, intended to retrieve Access Control Lists for a node, fails to perform any permission checks before returning the ACL information. When Digest Authentication is in use, the Id field within the ACL contains the unsalted hash value used for user authentication. Consequently, any user, even unauthenticated or unprivileged, can issue a getACL() request for a node and receive this sensitive hash value in plaintext, thereby disclosing authentication credentials.
What is the Impact of CVE-2019-0201?
Successful exploitation may allow attackers to disclose sensitive information, including authentication credentials, leading to unauthorized access, privilege escalation, or further system compromise.
What is the Exploitability of CVE-2019-0201?
Exploitation of this Information Disclosure vulnerability is straightforward. It requires issuing a specific getACL() command to a ZooKeeper node. No authentication is required, as the vulnerability specifically allows unauthenticated or unprivileged users to access the information. Privilege requirements are none. This is typically a remote attack, assuming network access to the ZooKeeper instance. There are no complex special conditions; the vulnerability is due to a lack of access control enforcement on the getACL() command itself. The likelihood of exploitation increases significantly if the ZooKeeper instance is directly exposed to untrusted networks or if Digest Authentication is used, as the disclosed information is directly usable for authentication.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2019-0201?
About the Fix from Resolved Security
The patch ensures that when unauthenticated users or those lacking ADMIN permission request node ACLs using getACL, the password hash in digest ACL entries is masked (replaced with ":x") instead of exposing the real hash. This prevents information disclosure of credential hashes, thereby fixing CVE-2019-0201, which allowed attackers to obtain password hashes via the getACL API.
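The masking behaviour described above can be modelled in a few lines. This is an added example, not the ZooKeeper patch or Resolved Security's code: the class, record and method names are hypothetical, the sample ACL is constructed, and it assumes Java 16+ for records.

```java
import java.util.ArrayList;
import java.util.List;

// Added illustration: a self-contained model of the masking, not ZooKeeper source.
public class GetAclMaskingExample {
    static final int ADMIN = 1 << 4; // ADMIN permission bit as defined by ZooKeeper

    // Hypothetical stand-ins for an ACL entry and a session identity.
    record Id(String scheme, String id) {}
    record Acl(int perms, Id id) {}

    // True when the node ACL grants ADMIN to "world:anyone" or to one of the
    // identities the requester has authenticated as.
    static boolean hasAdmin(List<Acl> nodeAcl, List<Id> authInfo) {
        for (Acl a : nodeAcl) {
            boolean anyone = "world".equals(a.id().scheme()) && "anyone".equals(a.id().id());
            if ((a.perms() & ADMIN) != 0 && (anyone || authInfo.contains(a.id()))) {
                return true;
            }
        }
        return false;
    }

    // Digest ids have the form "user:hash". Requesters without ADMIN get the
    // user name followed by ":x"; all other entries are returned unchanged.
    static List<Acl> aclForResponse(List<Acl> nodeAcl, List<Id> authInfo) {
        if (hasAdmin(nodeAcl, authInfo)) {
            return nodeAcl;
        }
        List<Acl> masked = new ArrayList<>();
        for (Acl a : nodeAcl) {
            if ("digest".equals(a.id().scheme())) {
                String raw = a.id().id();
                int colon = raw.indexOf(':');
                String user = colon < 0 ? raw : raw.substring(0, colon);
                masked.add(new Acl(a.perms(), new Id("digest", user + ":x")));
            } else {
                masked.add(a);
            }
        }
        return masked;
    }

    public static void main(String[] args) {
        // Constructed sample data; the hash is a placeholder, not a real digest.
        Id alice = new Id("digest", "alice:CONSTRUCTED_HASH_PLACEHOLDER");
        List<Acl> nodeAcl = List.of(new Acl(31, alice), new Acl(1, new Id("ip", "10.0.0.5")));
        System.out.println(aclForResponse(nodeAcl, List.of()));      // no identities presented
        System.out.println(aclForResponse(nodeAcl, List.of(alice))); // authenticated as alice
    }
}
```

Comparing the two printed ACLs after an upgrade is a quick regression check: the digest entry should differ between the unauthenticated and the ADMIN session, while the `ip` entry should be identical in both.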
Available Upgrade Options
- org.apache.zookeeper:zookeeper
  - >1.0.0, <3.4.14 → Upgrade to 3.4.14
  - >3.5.0, <3.5.5 → Upgrade to 3.5.5
Additional Resources
- https://access.redhat.com/errata/RHSA-2019:3140
- https://nvd.nist.gov/vuln/detail/CVE-2019-0201
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://lists.apache.org/thread.html/5d9a1cf41a5880557bf680b7321b4ab9a4d206c601ffb15fef6f196a@%3Ccommits.accumulo.apache.org%3E
- https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E
- https://seclists.org/bugtraq/2019/Jun/13
- https://lists.apache.org/thread.html/r40f32125c1d97ad82404cc918171d9e0fcf78e534256674e9da1eb4b%40%3Ccommon-issues.hadoop.apache.org%3E
What are Similar Vulnerabilities to CVE-2019-0201?
Similar Vulnerabilities: CVE-2021-44142, CVE-2023-38887, CVE-2022-26135, CVE-2023-29499, CVE-2023-3563
