Denial of Service Vulnerability in Apache ZooKeeper Server
CVE-2017-5637

7.5HIGH

Key Information:

Vendor
Apache
Status
Apache Zookeeper
Vendor
CVE Published:
10 October 2017

Summary

A vulnerability in Apache ZooKeeper allows specific four-letter word commands, namely 'wchp' and 'wchc', to consume excessive CPU resources. This makes it difficult for the server to handle legitimate client requests, potentially leading to a denial of service. Versions affected include 3.4.9 and 3.5.2, with fixes implemented in subsequent versions (3.4.10 and 3.5.3).

Affected Version(s)

Apache ZooKeeper 3.4.0 to 3.4.9

Apache ZooKeeper 3.5.0 to 3.5.2

References

https://lists.apache.org/thread.html/58170aeb7a681d462b7f...
mailing-listx_refsource_MLIST
http://www.securityfocus.com/bid/98814
vdb-entryx_refsource_BID
https://access.redhat.com/errata/RHSA-2017:3355
vendor-advisoryx_refsource_REDHAT

EPSS Score

6% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.