| Vulnerability Name: | CVE-2018-8012 (CCN-143565) |
| Assigned: | 2018-05-21 |
| Published: | 2018-05-21 |
| Updated: | 2021-09-14 |
| Summary: | No authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper before 3.4.10, and 3.5.0-alpha through 3.5.3-beta. As a result an arbitrary end point could join the cluster and begin propagating counterfeit changes to the leader.
|
| CVSS v3 Severity: | 7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)| Exploitability Metrics: | Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None | | Scope: | Scope (S): Unchanged
| | Impact Metrics: | Confidentiality (C): None
Integrity (I): High
Availibility (A): None |
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)| Exploitability Metrics: | Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None | | Scope: | Scope (S): Unchanged
| | Impact Metrics: | Confidentiality (C): None
Integrity (I): High
Availibility (A): None |
|
| CVSS v2 Severity: | 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)| Exploitability Metrics: | Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None | | Impact Metrics: | Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None |
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N)| Exploitability Metrics: | Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
| | Impact Metrics: | Confidentiality (C): None
Integrity (I): Complete
Availibility (A): None |
|
| Vulnerability Type: | CWE-862
|
| Vulnerability Consequences: | Bypass Security |
| References: | Source: MITRE
Type: CNA
CVE-2018-8012
Source: CCN
Type: oss-sec Mailing List, Fri, 18 May 2018 14:04:23 +0100
[CVE-2018-8012] Apache ZooKeeper Quorum Peer mutual authentication
Source: CCN
Type: IBM Security Bulletin 870978 (InfoSphere Data Replication)
InfoSphere Data Replication is affected by an Apache ZooKeeper open source library vulnerability
Source: BID
Type: Third Party Advisory, VDB Entry
104253
Source: CCN
Type: BID-104253
Apache ZooKeeper CVE-2018-8012 Security Bypass Vulnerability
Source: SECTRACK
Type: Third Party Advisory, VDB Entry
1040948
Source: CCN
Type: Apache Web site
Apache ZooKeeper
Source: XF
Type: UNKNOWN
apache-zookeeper-cve20188012-sec-bypass(143565)
Source: MLIST
Type: Mailing List, Vendor Advisory
[activemq-issues] 20190820 [jira] [Created] (AMQ-7279) Security Vulnerabilities in Libraries - jackson-databind-2.9.8.jar, tomcat-servlet-api-8.0.53.jar, tomcat-websocket-api-8.0.53.jar, zookeeper-3.4.6.jar, guava-18.0.jar, jetty-all-9.2.26.v20180806.jar, scala-library-2.11.0.jar
Source: MLIST
Type: Mailing List, Vendor Advisory
[nifi-commits] 20191113 svn commit: r1869773 - /nifi/site/trunk/security.html
Source: MISC
Type: Issue Tracking, Mailing List, Vendor Advisory
https://lists.apache.org/thread.html/c75147028c1c79bdebd4f8fa5db2b77da85de2b05ecc0d54d708b393@%3Cdev.zookeeper.apache.org%3E
Source: MLIST
Type: Mailing List, Vendor Advisory
[jackrabbit-oak-commits] 20210720 [jackrabbit-oak] branch trunk updated: OAK-9496 | Update zookeeper version to handle CVE-2018-8012 (#326)
Source: MLIST
Type: Mailing List, Vendor Advisory
[jackrabbit-dev] 20210716 [GitHub] [jackrabbit-oak] nit0906 opened a new pull request #326: OAK-9496 | Update zookeeper version to handle CVE-2018-8012
Source: MLIST
Type: Mailing List, Vendor Advisory
[jackrabbit-dev] 20210716 [GitHub] [jackrabbit-oak] nit0906 commented on pull request #326: OAK-9496 | Update zookeeper version to handle CVE-2018-8012
Source: MLIST
Type: Mailing List, Vendor Advisory
[nifi-commits] 20200123 svn commit: r1873083 - /nifi/site/trunk/security.html
Source: MLIST
Type: Mailing List, Vendor Advisory
[jackrabbit-dev] 20210720 [GitHub] [jackrabbit-oak] nit0906 merged pull request #326: OAK-9496 | Update zookeeper version to handle CVE-2018-8012
Source: DEBIAN
Type: Third Party Advisory
DSA-4214
Source: CCN
Type: IBM Security Bulletin 729891 (QRadar SIEM)
IBM QRadar Incident Forensics is vulnerable to Public disclosed vulnerability from Apache ZooKeeper (CVE-2018-8012)
Source: CCN
Type: IBM Security Bulletin 731647 (Security Guardium)
IBM Security Guardium is affected by a public disclosed vulnerability from Apache ZooKeeper
Source: CCN
Type: IBM Security Bulletin 738217 (Monitoring)
A vulnerability in Apache Zookeeper could affect IBM Performance Management products (CVE-2018-8012)
Source: CCN
Type: IBM Security Bulletin 6198380 (DB2 for Linux- UNIX and Windows)
Multiple vulnerabilities in dependent libraries affect IBM Db2 leading to denial of service or privilege escalation.
Source: CCN
Type: IBM Security Bulletin 6210366 (Monitoring)
Multiple vulnerabilities have been identified in DB2 that affect the IBM Performance Management product
Source: CCN
Type: IBM Security Bulletin 6444895 (Db2 Warehouse)
IBM Db2 Warehouse has released a fix in response to multiple vulnerabilities found in IBM Db2
Source: CCN
Type: IBM Security Bulletin 6491163 (Planning Analytics)
IBM Planning Analytics Workspace is affected by security vulnerabilities
Source: CCN
Type: IBM Security Bulletin 6605881 (PureData System for Operational Analytics)
Multiple security vulnerabilities have been identified in IBM DB2 shipped with IBM PureData System for Operational Analytics
Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html
|
| Vulnerable Configuration: | Configuration 1:
cpe:/a:apache:zookeeper:3.5.3:beta:*:*:*:*:*:*OR cpe:/a:apache:zookeeper:3.5.0:alpha:*:*:*:*:*:*OR cpe:/a:apache:zookeeper:*:*:*:*:*:*:*:* (Version >= 3.5.0 and <= 3.5.3)OR cpe:/a:apache:zookeeper:*:*:*:*:*:*:*:* (Version < 3.4.10)
Configuration 2:
cpe:/o:debian:debian_linux:8.0:*:*:*:*:*:*:*OR cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Configuration 3:
cpe:/a:oracle:goldengate_stream_analytics:*:*:*:*:*:*:*:* (Version < 19.1.0.0.1)
Configuration CCN 1:
cpe:/a:apache:zookeeper:3.4.0:*:*:*:*:*:*:*OR cpe:/a:apache:zookeeper:3.4.8:*:*:*:*:*:*:*OR cpe:/a:apache:zookeeper:3.5.0:*:*:*:*:*:*:*OR cpe:/a:apache:zookeeper:3.5.2:*:*:*:*:*:*:*AND cpe:/a:ibm:db2:11.1:*:*:*:*:linux:*:*OR cpe:/a:ibm:db2:11.1:*:*:*:*:unix:*:*OR cpe:/a:ibm:db2:11.1:*:*:*:*:windows:*:*OR cpe:/a:ibm:monitoring:8.1.3:*:*:*:*:*:*:*OR cpe:/a:ibm:monitoring:8.1.4:*:*:*:*:*:*:*OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.2:*:*:*:*:*:*:*OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.3:*:*:*:*:*:*:*OR cpe:/a:ibm:security_guardium:10.5:*:*:*:*:*:*:*OR cpe:/a:ibm:infosphere_data_replication:11.4:*:*:*:*:*:*:*OR cpe:/a:ibm:db2:11.1:*:*:*:*:linux:*:*OR cpe:/a:ibm:db2:11.1:*:*:*:*:unix:*:*OR cpe:/a:ibm:db2:11.1:*:*:*:*:windows:*:*OR cpe:/a:ibm:db2:11.5:*:*:*:*:linux:*:*OR cpe:/a:ibm:db2:11.5:*:*:*:*:unix:*:*OR cpe:/a:ibm:db2:11.5:*:*:*:*:windows:*:*OR cpe:/a:ibm:db2:11.5:*:*:*:*:linux:*:*OR cpe:/a:ibm:db2:11.5:*:*:*:*:unix:*:*OR cpe:/a:ibm:db2:11.5:*:*:*:*:windows:*:*OR cpe:/a:ibm:planning_analytics:2.0:*:*:*:*:*:*:*
 Denotes that component is vulnerable |
| Oval Definitions |
|
| BACK |