|Vulnerability name||Apache ZooKeeper unauthorized access vulnerability [principle scan]|
|Risk description||ZooKeeper is a high-performance distributed data-consistency service. It wraps complex and error-prone distributed consistency logic into an efficient, reliable set of primitives and exposes them through a small, easy-to-use interface. ZooKeeper listens on TCP port 2181 by default. Without any access control, an attacker can issue the envi command and read a large amount of sensitive system information, including the system name and the Java environment.|
|Risk impact||An attacker can obtain a large amount of sensitive system information by executing the envi command, including the system name and the Java environment.|
|Solution||1. Never expose ZooKeeper directly to the public network. 2. Add access control, choosing the method (authenticated users, user name and password) that fits the situation. 3. Restrict access to specified IP addresses.|
Method 1: restrict access with a firewall
By default, ZooKeeper allows unauthenticated access from any client, which is a serious security risk.
Restrict access to ZooKeeper with iptables.
There is no patch for this issue, since it is a configuration weakness. iptables can be used to restrict port 2181 temporarily (the rules are lost after a restart unless they are saved): block all access except from your own business hosts, or restrict access through ZooKeeper's built-in ACLs.
iptables temporary restriction method
1. Block port 2181:
iptables -I INPUT -p tcp --dport 2181 -j DROP
2. Allow port 2181 from the specified server IPs (rules are inserted at the top of the chain, so these ACCEPT rules are evaluated before the DROP):
iptables -I INPUT -s 10.88.2.208 -p tcp --dport 2181 -j ACCEPT
iptables -I INPUT -s 10.88.2.209 -p tcp --dport 2181 -j ACCEPT
3. Save the rules:
service iptables save
4. Restart the firewall:
service iptables restart
service firewalld restart
Note: on CentOS 7 the same restriction can be applied with the built-in firewalld, for example (drop port 2181 for everyone, then accept it from the trusted range, and reload so the permanent rules take effect):
# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="0.0.0.0/0" port protocol="tcp" port="2181" drop'
# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.1/24" port protocol="tcp" port="2181" accept'
# firewall-cmd --reload
Method 2: enable the access control (ACLs) that ZooKeeper provides
1. Run zkCli from $ZOOKEEPER_HOME/bin/ (on Windows run %ZOOKEEPER_HOME%\bin\zkCli.cmd; once inside zkCli the commands are the same as on Linux):
# ./zkCli.sh -server 127.0.0.1
2. Once connected to the ZooKeeper command line, run ls /:
[zk: 127.0.0.1(CONNECTED) 24] ls /
[new, new2, zookeeper, zk_test]
[zk: 127.0.0.1(CONNECTED) 25]
3. There are four nodes: [new, new2, zookeeper, zk_test]. Add ACLs to the root node and to these four nodes:
[zk: 127.0.0.1(CONNECTED) 25] setAcl / ip:127.0.0.1:cdwar,ip:192.168.240.140:cdwar
cZxid = 0x0
ctime = Thu Jan 01 08:00:00 CST 1970
mZxid = 0x0
mtime = Thu Jan 01 08:00:00 CST 1970
pZxid = 0x2d
cversion = 2
dataVersion = 0
aclVersion = 5
ephemeralOwner = 0x0
dataLength = 0
numChildren = 4
4. Every other server that needs to reach this ZooKeeper is added as a further entry of the form ip:192.168.240.140:cdwar at the end of the setAcl argument, with entries separated by commas. Adding ACLs to the other nodes works the same way:
[zk: 127.0.0.1(CONNECTED) 26] setAcl /new ip:127.0.0.1:cdwar,ip:192.168.240.140:cdwar
cZxid = 0x26
ctime = Tue Nov 17 10:44:37 CST 2020
mZxid = 0x26
mtime = Tue Nov 17 10:44:37 CST 2020
pZxid = 0x26
cversion = 0
dataVersion = 0
aclVersion = 2
ephemeralOwner = 0x0
dataLength = 18
numChildren = 0
5. After setting the ACLs, verify them with the getAcl command:
[zk: 127.0.0.1(CONNECTED) 27] getAcl /
'ip,'127.0.0.1 : cdrwa
'ip,'192.168.240.140 : cdrwa
[zk: 127.0.0.1(CONNECTED) 28] getAcl /new
'ip,'127.0.0.1 : cdrwa
'ip,'192.168.240.140 : cdrwa
[zk: 127.0.0.1(CONNECTED) 29] getAcl /new2
'ip,'127.0.0.1 : cdrwa
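To check the result of steps 3 to 5 mechanically rather than by reading getAcl output by eye, the following Python script is an added example that is not part of the advisory or of ZooKeeper itself. It parses ACL entries in the scheme:id:perms form given to setAcl and the 'scheme,'id : perms entries printed by getAcl, then flags any node that is still open to world:anyone or that grants access to an IP outside an allowlist; the allowlist and the pasted transcripts are constructed inputs.

```python
# Added example (not from the advisory): audit ZooKeeper znode ACLs so that
# nodes still on the default world:anyone:cdrwa, or opened to addresses outside
# an allowlist, are flagged. Works on setAcl arguments and on getAcl output.
import ipaddress
import re
from dataclasses import dataclass

PERM_CHARS = frozenset("crwda")   # create, read, write, delete, admin
MUTATING = frozenset("cwda")      # anything beyond read-only
# getAcl prints entries like  'ip,'192.168.240.140 : cdrwa ; older zkCli puts
# the ': perms' part on its own line, so whitespace (incl. newlines) is allowed
GETACL_ENTRY = re.compile(r"'(?P<scheme>\w+),'(?P<id>\S+)\s*:\s*(?P<perms>[crwda]+)(?=\s|$)")


@dataclass(frozen=True)
class Acl:
    scheme: str
    id: str
    perms: frozenset


def parse_setacl_arg(arg):
    """Parse 'ip:127.0.0.1:cdwar,ip:192.168.240.140:cdwar' as passed to setAcl."""
    acls = []
    for entry in arg.split(","):
        scheme, _, rest = entry.partition(":")
        ident, _, perms = rest.rpartition(":")   # digest ids contain ':' themselves
        if not (scheme and ident and perms) or not set(perms) <= PERM_CHARS:
            raise ValueError(f"malformed ACL entry: {entry!r}")
        acls.append(Acl(scheme, ident, frozenset(perms)))
    return acls


def parse_getacl_output(text):
    """Extract ACL entries from a pasted zkCli getAcl transcript (prompts are ignored)."""
    return [Acl(m["scheme"], m["id"], frozenset(m["perms"]))
            for m in GETACL_ENTRY.finditer(text)]


def audit(acls, allowed_cidrs):
    """Return findings for ACLs that leave a znode open; an empty list means OK."""
    allowed = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    findings = []
    for acl in acls:
        if acl.scheme == "world" and acl.perms & MUTATING:
            findings.append(f"world:anyone grants {''.join(sorted(acl.perms))}: node is unprotected")
        elif acl.scheme == "ip":
            net = ipaddress.ip_network(acl.id, strict=False)   # ZooKeeper accepts addr or addr/bits
            if not any(net.subnet_of(a) for a in allowed if a.version == net.version):
                findings.append(f"ip ACL for {acl.id} is outside the allowlist")
    return findings
```

Paste the getAcl output for each node into parse_getacl_output and pass the hosts that legitimately need access as the allowlist; a non-empty result means that node still needs a setAcl.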