CVE-2023-44981
Authorization Bypass vulnerability in zookeeper (Maven)

Authorization Bypass | No known exploit | Fixable by Resolved Security

What is CVE-2023-44981 About?

This vulnerability in Apache ZooKeeper is an authorization bypass that occurs when SASL Quorum Peer authentication is enabled but the instance part of the SASL ID is missing. This allows an unauthorized endpoint to join the cluster, gaining full read-write access to the data tree. Exploitation is relatively straightforward for an attacker who can connect to the ZooKeeper ensemble.

Affected Software

  • org.apache.zookeeper:zookeeper
    • <3.7.2
    • >3.9.0, <3.9.1
    • >3.8.0, <3.8.3

Technical Details

The vulnerability affects Apache ZooKeeper when SASL Quorum Peer authentication (quorum.auth.enableSasl=true) is configured. The authorization mechanism relies on verifying the instance part of the SASL authentication ID against the zoo.cfg server list. However, if the instance part is omitted from the SASL auth ID (e.g., 'eve@EXAMPLE.COM' instead of 'instance1/host@EXAMPLE.COM'), the authorization check is entirely skipped. This failure in the authorization logic allows any arbitrary endpoint with a valid SASL principal (without an instance part) to successfully join the ZooKeeper ensemble. Once joined, this unauthorized peer can propagate counterfeit changes to the leader, effectively achieving complete read-write control over the ZooKeeper data tree, bypassing all intended access controls.

What is the Impact of CVE-2023-44981?

Successful exploitation may allow attackers to bypass authorization controls, join the ZooKeeper cluster as an unauthorized peer, and gain complete read-write access to the data tree, compromising data integrity and confidentiality.

What is the Exploitability of CVE-2023-44981?

Exploitation requires the attacker to be able to connect to the ZooKeeper ensemble and present a SASL authentication ID without the instance part. The complexity is low to medium, as it leverages a specific configuration and input format. Authentication to the SASL realm is still required, but the authorization check itself is bypassed; therefore, an attacker needs valid credentials for the SASL realm but doesn't need to be an authorized ZooKeeper peer. No specific high privileges are needed from the attacker's perspective beyond what is necessary to connect and authenticate. This is a remote vulnerability, as an attacker would connect to the ZooKeeper cluster over the network. The special condition is that SASL Quorum Peer authentication must be enabled, and the attacker must know how to craft a SASL ID that bypasses the instance check. Risk factors include publicly accessible ZooKeeper instances with SASL authentication enabled.

What are the Known Public Exploits?

No known exploits.

What are the Available Fixes for CVE-2023-44981?

A Fix by Resolved Security Exists!
See how we help you strengthen security with automated backported fixes for your libraries.

About the Fix from Resolved Security

The patch ensures that host-based authorization checks are enforced only when a non-DIGEST authentication mechanism (such as Kerberos) is used, by checking the authentication type before validating the connecting peer's authorized host status. This fixes CVE-2023-44981 by preventing an authorization bypass in SASL quorum peer authentication, where previously an attacker could potentially join a quorum using DIGEST-MD5 without proper host authorization checks being applied.
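The following is an added illustration (not ZooKeeper's own code) of the authorization check described in the Technical Details and in the fix description above: a simplified model in which the pre-fix check compares the instance part against the server list only when that part is present, and the post-fix check decides by mechanism first. The host set, the helper names and the `mechanism` strings are constructed assumptions for the example.

```python
import re

# Constructed sample of the quorum servers listed in zoo.cfg (the host allow-list).
CONFIGURED_HOSTS = {"zk1.example.com", "zk2.example.com", "zk3.example.com"}

# service[/instance][@REALM]; both the instance part and the realm are optional in the syntax.
SASL_ID = re.compile(r"^([^/@]+)(?:/([^/@]+))?(?:@([^/@]+))?$")


def parse_sasl_id(auth_id):
    """Split a SASL id into (service, instance, realm); instance/realm are None when absent."""
    m = SASL_ID.match(auth_id)
    if m is None:
        raise ValueError(f"malformed SASL id: {auth_id!r}")
    return m.group(1), m.group(2), m.group(3)


def authorize_pre_fix(auth_id):
    """Model of the vulnerable check: the host is verified against the server list
    only when an instance part exists, so an id without one is never checked."""
    _service, instance, _realm = parse_sasl_id(auth_id)
    if instance is not None:
        return instance in CONFIGURED_HOSTS
    return True  # no instance part -> host check skipped -> peer admitted


def authorize_post_fix(auth_id, mechanism):
    """Model of the fixed check: look at the mechanism first. A non-DIGEST (Kerberos)
    identity must carry an instance part naming a configured server; a DIGEST-MD5
    identity has no host component, so the host check does not apply to it."""
    _service, instance, _realm = parse_sasl_id(auth_id)
    if mechanism == "DIGEST-MD5":
        return True
    return instance is not None and instance in CONFIGURED_HOSTS


if __name__ == "__main__":
    for auth_id in ("zookeeper/zk2.example.com@EXAMPLE.COM",
                    "zookeeper/rogue.example.com@EXAMPLE.COM",
                    "eve@EXAMPLE.COM"):
        print(f"{auth_id:45} pre-fix={authorize_pre_fix(auth_id)!s:5} "
              f"post-fix={authorize_post_fix(auth_id, 'GSSAPI')}")
```

Running the block shows the id without an instance part admitted by the pre-fix check and rejected by the post-fix check, while a correctly formed id for a configured server passes both.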

Available Upgrade Options

  • org.apache.zookeeper:zookeeper
    • <3.7.2 → Upgrade to 3.7.2
    • >3.8.0, <3.8.3 → Upgrade to 3.8.3
    • >3.9.0, <3.9.1 → Upgrade to 3.9.1

Additional Resources

What are Similar Vulnerabilities to CVE-2023-44981?

Similar Vulnerabilities: CVE-2022-30043, CVE-2020-13956, CVE-2019-0201, CVE-2017-5645, CVE-2014-0050