CVE-2018-8012 — zookeeper - security update

Description

No authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper before 3.4.10, and 3.5.0-alpha through 3.5.3-beta. As a result an arbitrary end point could join the cluster and begin propagating counterfeit changes to the leader.

How to fix CVE-2018-8012

To remediate CVE-2018-8012, upgrade the affected package to a fixed version below.

—upgrade to 3.4.10-2 or later
—upgrade to 3.4.9-3+deb8u1 or later
—upgrade to 3.4.10 or later

Is CVE-2018-8012 being exploited?

Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 3.4.10-2
from 0, < 3.4.9-3+deb8u1
from 0, < 3.4.10

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References (14)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-8012
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2018-8012
WEBlists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E
WEBlists.apache.org