CVE-2024-23944
Information Disclosure vulnerability in zookeeper (Maven)
What is CVE-2024-23944 About?
This Information Disclosure vulnerability in Apache ZooKeeper (fixed in 3.9.2 and 3.8.4) allows an attacker to monitor child znodes without proper ACL checks. A malicious actor with existing access to a parent znode can attach a persistent watcher, which exposes the full path of child znodes when events trigger. Only paths are disclosed, but sensitive information can be inferred or extracted from them, so the issue is exploitable by an attacker who already has partial access.
Affected Software
- org.apache.zookeeper:zookeeper
  - >3.6.0, <=3.7.2
  - >3.9.0, <3.9.2
  - >3.8.0, <3.8.4
Technical Details
Apache ZooKeeper versions prior to 3.9.2 and 3.8.4 contain an information disclosure vulnerability related to persistent watchers. When an attacker has existing access to a parent znode, they can attach a persistent watcher (using the 'addWatch' command) to this znode. The vulnerability occurs because ZooKeeper's server does not perform an Access Control List (ACL) check when a persistent watcher is triggered and reports an event. Consequently, the full path of any child znode that triggers a watch event is disclosed to the owner of the persistent watcher, regardless of whether the watcher owner has explicit ACL permissions to view that specific child znode. Although the data content of the znode is not exposed, znode paths can contain sensitive information, allowing an attacker to map out the structure and potentially infer secrets within the ZooKeeper hierarchy.
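The missing delivery-time check, shown as an added toy model in Python (not ZooKeeper code and not taken from the advisory or the fix commits). The `Session`, `Tree` and `run` names, the identities and the znode paths are constructed for illustration; `run(False)` models delivery without an ACL check, `run(True)` models delivery with a READ check on the znode that fired the event.

```python
# Toy in-memory model (constructed; not ZooKeeper code) of persistent recursive
# watch delivery, with and without a READ ACL check when the event is triggered.
from dataclasses import dataclass, field

@dataclass
class Session:
    ident: str                                   # authenticated identity
    events: list = field(default_factory=list)   # (event type, path) received

class Tree:
    def __init__(self, check_acl_on_trigger):
        self.check_acl_on_trigger = check_acl_on_trigger
        self.acls = {}      # path -> {identity: permission letters}
        self.watches = []   # (watched path, session)

    def can_read(self, session, path):
        return "r" in self.acls.get(path, {}).get(session.ident, "")

    def add_watch(self, session, path):
        # Model assumption: the watcher already has access to the parent znode.
        if not self.can_read(session, path):
            raise PermissionError(path)
        self.watches.append((path, session))

    def create(self, path, acl):
        self.acls[path] = acl
        self._trigger("NodeCreated", path)

    def _trigger(self, kind, path):
        for root, session in self.watches:
            if path != root and not path.startswith(root.rstrip("/") + "/"):
                continue
            # Hardened behaviour: drop the event unless the watcher may READ
            # the znode that fired it. The vulnerable model skips this check.
            if self.check_acl_on_trigger and not self.can_read(session, path):
                continue
            session.events.append((kind, path))

def run(check_acl_on_trigger):
    # Constructed scenario: "tenant" can read /app but not the second child.
    tree = Tree(check_acl_on_trigger)
    tree.acls["/app"] = {"tenant": "r", "admin": "rwcda"}
    watcher = Session("tenant")
    tree.add_watch(watcher, "/app")
    tree.create("/app/public", {"tenant": "r", "admin": "rwcda"})
    tree.create("/app/payments-db-failover", {"admin": "rwcda"})
    return [path for _, path in watcher.events]
```

Without the check, the watcher learns the path of a child it has no permission to read; with it, only the readable child is reported.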
What is the Impact of CVE-2024-23944?
Successful exploitation may allow attackers to gain unauthorized access to znode paths, gather sensitive information about the system's structure and configuration, or aid in further attacks.
What is the Exploitability of CVE-2024-23944?
Exploitation of this vulnerability requires the attacker to already have authenticated access to a parent znode within ZooKeeper. The complexity is low to moderate, as it involves initiating a persistent watcher with the appropriate command. The attacker needs existing privileges to the parent znode, but not necessarily to the child znodes whose paths are disclosed. The attack is remote, as ZooKeeper is typically accessed over a network. While no data is disclosed directly, the exposure of znode paths (which may contain sensitive identifiers or names) can significantly aid in reconnaissance and subsequent targeted attacks, increasing the likelihood of overall system compromise for an attacker already present in the network.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-23944?
Available Upgrade Options
- org.apache.zookeeper:zookeeper
  - >3.8.0, <3.8.4 → Upgrade to 3.8.4
- org.apache.zookeeper:zookeeper
  - >3.9.0, <3.9.2 → Upgrade to 3.9.2
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2024-23944
- https://lists.apache.org/thread/96s5nqssj03rznz9hv58txdb2k1lr79k
- http://www.openwall.com/lists/oss-security/2024/03/14/2
- https://github.com/apache/zookeeper/commit/29c7b9462681f47c2ac12e609341cf9f52abac5c
- https://osv.dev/vulnerability/GHSA-r978-9m6m-6gm6
- https://github.com/apache/zookeeper/commit/65b91d2d9a56157285c2a86b106e67c26520b01d
- https://github.com/apache/zookeeper/commit/daf7cfd04005cff1a4f7cab5ab13d41db88d0cd8
- https://github.com/apache/zookeeper
What are Similar Vulnerabilities to CVE-2024-23944?
Similar Vulnerabilities: CVE-2023-44983, CVE-2023-38015, CVE-2023-45815, CVE-2023-28456, CVE-2023-38190
