CVE-2014-0085
CVSS2.1
发布时间 :2014-04-17 10:55:06
修订时间 :2014-04-17 12:03:20
NMCPS    

[原文]Apache Zookeeper logs cleartext admin passwords, which allows local users to obtain sensitive information by reading the log.


[CNNVD]Apache Zookeeper 信任管理漏洞(CNNVD-201404-360)

        

Apache Zookeeper是美国阿帕奇(Apache)软件基金会的一个软件项目,它能够为大型分布式计算提供开源的分布式配置服务、同步服务和命名注册等功能。

Apache Zookeeper中存在安全漏洞,该漏洞源于程序记录明文admin密码。本地攻击者可通过读取日志利用该漏洞获取敏感信息。

- CVSS (基础分值)

CVSS分值: 2.1 [轻微(LOW)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: NONE [对系统可用性无影响]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CWE (弱点类目)

CWE-255 [凭证管理]

- CPE (受影响的平台与产品)

cpe:/a:redhat:jboss_fuse:6.0.0
cpe:/a:apache:zookeeper:-

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0085
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0085
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-201404-360
(官方数据源) CNNVD

- 其它链接及资源

https://bugzilla.redhat.com/show_bug.cgi?id=1067265
(UNKNOWN)  CONFIRM  https://bugzilla.redhat.com/show_bug.cgi?id=1067265
http://secunia.com/advisories/57915
(VENDOR_ADVISORY)  SECUNIA  57915
http://rhn.redhat.com/errata/RHSA-2014-0400.html
(UNKNOWN)  REDHAT  RHSA-2014:0400

- 漏洞信息

Apache Zookeeper 信任管理漏洞
低危 信任管理
2014-04-22 00:00:00 2014-04-22 00:00:00
本地  
        

Apache Zookeeper是美国阿帕奇(Apache)软件基金会的一个软件项目,它能够为大型分布式计算提供开源的分布式配置服务、同步服务和命名注册等功能。

Apache Zookeeper中存在安全漏洞,该漏洞源于程序记录明文admin密码。本地攻击者可通过读取日志利用该漏洞获取敏感信息。

- 公告与补丁

        目前厂商已经发布了升级补丁以修复此安全问题,补丁获取链接:
        http://zookeeper.apache.org/

- 漏洞信息 (F126144)

Red Hat Security Advisory 2014-0400-03 (PacketStormID:F126144)
2014-04-14 00:00:00
Red Hat  
advisory,java,remote,arbitrary,spoof
linux,redhat
CVE-2013-2035,CVE-2013-2172,CVE-2013-2192,CVE-2013-4152,CVE-2013-4517,CVE-2013-6429,CVE-2013-6430,CVE-2014-0050,CVE-2014-0054,CVE-2014-0085,CVE-2014-1904
[点击下载]

Red Hat Security Advisory 2014-0400-03 - Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. Security fixes: A flaw was found in the way Apache Santuario XML Security for Java validated XML signatures. Santuario allowed a signature to specify an arbitrary canonicalization algorithm, which would be applied to the SignedInfo XML fragment. A remote attacker could exploit this to spoof an XML signature via a specially crafted XML signature block.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Fuse 6.1.0 update
Advisory ID:       RHSA-2014:0400-03
Product:           Red Hat JBoss Fuse
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0400.html
Issue date:        2014-04-14
CVE Names:         CVE-2013-2035 CVE-2013-2172 CVE-2013-2192 
                   CVE-2013-4152 CVE-2013-4517 CVE-2013-6429 
                   CVE-2013-6430 CVE-2014-0050 CVE-2014-0054 
                   CVE-2014-0085 CVE-2014-1904 
=====================================================================

1. Summary:

Red Hat JBoss Fuse 6.1.0, which fixes multiple security issues, several
bugs, and adds various enhancements, is now available from the Red Hat
Customer Portal.

The Red Hat Security Response Team has rated this update as having
Moderate security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

Red Hat JBoss Fuse 6.1.0 is a minor product release that updates Red Hat
JBoss Fuse 6.0.0, and includes several bug fixes and enhancements. Refer to
the Release Notes document, available from the link in the References
section, for a list of changes.

2. Description:

Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint,
flexible, open source enterprise service bus and integration platform.

Security fixes:

A flaw was found in the way Apache Santuario XML Security for Java
validated XML signatures. Santuario allowed a signature to specify an
arbitrary canonicalization algorithm, which would be applied to the
SignedInfo XML fragment. A remote attacker could exploit this to spoof an
XML signature via a specially crafted XML signature block. (CVE-2013-2172)

A flaw was found in the Apache Hadoop RPC protocol. A man-in-the-middle
attacker could possibly use this flaw to unilaterally disable bidirectional
authentication between a client and a server, forcing a downgrade to simple
(unidirectional) authentication. This flaw only affected users who have
enabled Hadoop's Kerberos security features. (CVE-2013-2192)

It was discovered that the Spring OXM wrapper did not expose any property
for disabling entity resolution when using the JAXB unmarshaller. A remote
attacker could use this flaw to conduct XML External Entity (XXE) attacks
on web sites, and read files in the context of the user running the
application server. (CVE-2013-4152)

It was discovered that the Apache Santuario XML Security for Java project
allowed Document Type Definitions (DTDs) to be processed when applying
Transforms even when secure validation was enabled. A remote attacker could
use this flaw to exhaust all available memory on the system, causing a
denial of service. (CVE-2013-4517)

It was found that the Spring MVC SourceHttpMessageConverter enabled entity
resolution by default. A remote attacker could use this flaw to conduct XXE
attacks on web sites, and read files in the context of the user running the
application server. (CVE-2013-6429)

The Spring JavaScript escape method insufficiently escaped some characters.
Applications using this method to escape user-supplied content, which would
be rendered in HTML5 documents, could be exposed to cross-site scripting
(XSS) flaws. (CVE-2013-6430)

A denial of service flaw was found in the way Apache Commons FileUpload
handled small-sized buffers used by MultipartStream. A remote attacker
could use this flaw to create a malformed Content-Type header for a
multipart request, causing Apache Commons FileUpload to enter an infinite
loop when processing such an incoming request. (CVE-2014-0050)

It was found that fixes for the CVE-2013-4152 and CVE-2013-6429 XXE issues
in Spring were incomplete. Spring MVC processed user-provided XML and
neither disabled XML external entities nor provided an option to disable
them, possibly allowing a remote attacker to conduct XXE attacks.
(CVE-2014-0054)

A cross-site scripting (XSS) flaw was found in the Spring Framework when
using Spring MVC. When the action was not specified in a Spring form, the
action field would be populated with the requested URI, allowing an
attacker to inject malicious content into the form. (CVE-2014-1904)

The HawtJNI Library class wrote native libraries to a predictable file name
in /tmp when the native libraries were bundled in a JAR file, and no custom
library path was specified. A local attacker could overwrite these native
libraries with malicious versions during the window between when HawtJNI
writes them and when they are executed. (CVE-2013-2035)

An information disclosure flaw was found in the way Apache Zookeeper stored
the password of an administrative user in the log files. A local user with
access to these log files could use the exposed sensitive information to
gain administrative access to an application using Apache Zookeeper.
(CVE-2014-0085)

The CVE-2013-6430 issue was discovered by Jon Passki of Coverity SRL and
Arun Neelicattu of the Red Hat Security Response Team, the CVE-2013-2035
issue was discovered by Florian Weimer of the Red Hat Product Security
Team, and the CVE-2014-0085 issue was discovered by Graeme Colman of
Red Hat.

3. Solution:

All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer
Portal are advised to apply this update.

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

958618 - CVE-2013-2035 HawtJNI: predictable temporary file name leading to local arbitrary code execution
999263 - CVE-2013-2172 Apache Santuario XML Security for Java: XML signature spoofing
1000186 - CVE-2013-4152 Spring Framework: XML External Entity (XXE) injection flaw
1001326 - CVE-2013-2192 hadoop: man-in-the-middle vulnerability
1039783 - CVE-2013-6430 Spring Framework: org.spring.web.util.JavaScriptUtils.javaScriptEscape insufficient escaping of characters
1045257 - CVE-2013-4517 Apache Santuario XML Security for Java: Java XML Signature DoS Attack
1053290 - CVE-2013-6429 Spring Framework: XML External Entity (XXE) injection flaw
1062337 - CVE-2014-0050 apache-commons-fileupload: denial of service due to too-small buffer size used by MultipartStream
1067265 - CVE-2014-0085 Apache Zookeeper: admin user cleartext password appears in logging
1075296 - CVE-2014-1904 Spring Framework: cross-site scripting flaw when using Spring MVC
1075328 - CVE-2014-0054 Spring Framework: incomplete fix for CVE-2013-4152/CVE-2013-6429

5. References:

https://www.redhat.com/security/data/cve/CVE-2013-2035.html
https://www.redhat.com/security/data/cve/CVE-2013-2172.html
https://www.redhat.com/security/data/cve/CVE-2013-2192.html
https://www.redhat.com/security/data/cve/CVE-2013-4152.html
https://www.redhat.com/security/data/cve/CVE-2013-4517.html
https://www.redhat.com/security/data/cve/CVE-2013-6429.html
https://www.redhat.com/security/data/cve/CVE-2013-6430.html
https://www.redhat.com/security/data/cve/CVE-2014-0050.html
https://www.redhat.com/security/data/cve/CVE-2014-0054.html
https://www.redhat.com/security/data/cve/CVE-2014-0085.html
https://www.redhat.com/security/data/cve/CVE-2014-1904.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=distributions&version=6.1.0
https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_Fuse/

6. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTS/JWXlSAg2UNWIIRAh+fAJ9677T5eyaDWJuYLiFlhdkjOhZncgCgwPG0
4iA38miFgmWgRtUp0Xztb6E=
=/1+z
-----END PGP SIGNATURE-----


--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
    

- 漏洞信息 (F126143)

Red Hat Security Advisory 2014-0401-02 (PacketStormID:F126143)
2014-04-14 00:00:00
Red Hat  
advisory
linux,redhat
CVE-2013-2035,CVE-2013-2192,CVE-2013-4152,CVE-2013-6429,CVE-2013-6430,CVE-2014-0050,CVE-2014-0054,CVE-2014-0085,CVE-2014-1904
[点击下载]

Red Hat Security Advisory 2014-0401-02 - Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards-compliant messaging system that is tailored for use in mission critical applications. Red Hat JBoss A-MQ 6.1.0 is a minor product release that updates Red Hat JBoss A-MQ 6.0.0 and includes several bug fixes and enhancements.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss A-MQ 6.1.0 update
Advisory ID:       RHSA-2014:0401-02
Product:           Red Hat JBoss A-MQ
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0401.html
Issue date:        2014-04-14
CVE Names:         CVE-2013-2035 CVE-2013-2192 CVE-2013-4152 
                   CVE-2013-6429 CVE-2013-6430 CVE-2014-0050 
                   CVE-2014-0054 CVE-2014-0085 CVE-2014-1904 
=====================================================================

1. Summary:

Red Hat JBoss A-MQ 6.1.0, which fixes multiple security issues, several
bugs, and adds various enhancements, is now available from the Red Hat
Customer Portal.

The Red Hat Security Response Team has rated this update as having
Moderate security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

2. Description:

Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards-compliant
messaging system that is tailored for use in mission critical applications.

Red Hat JBoss A-MQ 6.1.0 is a minor product release that updates Red Hat
JBoss A-MQ 6.0.0 and includes several bug fixes and enhancements. Refer to
the Release Notes document, available from the link in the References
section, for a list of changes.

The following security issues are resolved with this update:

A flaw was found in the Apache Hadoop RPC protocol. A man-in-the-middle
attacker could possibly use this flaw to unilaterally disable bidirectional
authentication between a client and a server, forcing a downgrade to simple
(unidirectional) authentication. This flaw only affected users who have
enabled Hadoop's Kerberos security features. (CVE-2013-2192)

It was discovered that the Spring OXM wrapper did not expose any property
for disabling entity resolution when using the JAXB unmarshaller. A remote
attacker could use this flaw to conduct XML External Entity (XXE) attacks
on web sites, and read files in the context of the user running the
application server. The patch for this flaw disables external entity
processing by default, and provides a configuration directive to re-enable
it. (CVE-2013-4152)

It was found that the Spring MVC SourceHttpMessageConverter enabled entity
resolution by default. A remote attacker could use this flaw to conduct XXE
attacks on web sites, and read files in the context of the user running the
application server. The patch for this flaw disables external entity
processing by default, and introduces a property to re-enable it.
(CVE-2013-6429)

The Spring JavaScript escape method insufficiently escaped some characters.
Applications using this method to escape user-supplied content, which would
be rendered in HTML5 documents, could be exposed to cross-site scripting
(XSS) flaws. (CVE-2013-6430)

A denial of service flaw was found in the way Apache Commons FileUpload
handled small-sized buffers used by MultipartStream. A remote attacker
could use this flaw to create a malformed Content-Type header for a
multipart request, causing Apache Commons FileUpload to enter an infinite
loop when processing such an incoming request. (CVE-2014-0050)

It was found that fixes for the CVE-2013-4152 and CVE-2013-6429 XXE issues
in Spring were incomplete. Spring MVC processed user-provided XML and
neither disabled XML external entities nor provided an option to disable
them, possibly allowing a remote attacker to conduct XXE attacks.
(CVE-2014-0054)

A cross-site scripting (XSS) flaw was found in the Spring Framework when
using Spring MVC. When the action was not specified in a Spring form, the
action field would be populated with the requested URI, allowing an
attacker to inject malicious content into the form. (CVE-2014-1904)

The HawtJNI Library class wrote native libraries to a predictable file name
in /tmp when the native libraries were bundled in a JAR file, and no custom
library path was specified. A local attacker could overwrite these native
libraries with malicious versions during the window between when HawtJNI
writes them and when they are executed. (CVE-2013-2035)

An information disclosure flaw was found in the way Apache Zookeeper stored
the password of an administrative user in the log files. A local user with
access to these log files could use the exposed sensitive information to
gain administrative access to an application using Apache Zookeeper.
(CVE-2014-0085)

The CVE-2013-6430 issue was discovered by Jon Passki of Coverity SRL and
Arun Neelicattu of the Red Hat Security Response Team, the CVE-2013-2035
issue was discovered by Florian Weimer of the Red Hat Product Security
Team, and the CVE-2014-0085 issue was discovered by Graeme Colman of
Red Hat.

All users of Red Hat JBoss A-MQ 6.0.0 as provided from the Red Hat Customer
Portal are advised to apply this update.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

958618 - CVE-2013-2035 HawtJNI: predictable temporary file name leading to local arbitrary code execution
1000186 - CVE-2013-4152 Spring Framework: XML External Entity (XXE) injection flaw
1001326 - CVE-2013-2192 hadoop: man-in-the-middle vulnerability
1039783 - CVE-2013-6430 Spring Framework: org.spring.web.util.JavaScriptUtils.javaScriptEscape insufficient escaping of characters
1053290 - CVE-2013-6429 Spring Framework: XML External Entity (XXE) injection flaw
1062337 - CVE-2014-0050 apache-commons-fileupload: denial of service due to too-small buffer size used by MultipartStream
1067265 - CVE-2014-0085 Apache Zookeeper: admin user cleartext password appears in logging
1075296 - CVE-2014-1904 Spring Framework: cross-site scripting flaw when using Spring MVC
1075328 - CVE-2014-0054 Spring Framework: incomplete fix for CVE-2013-4152/CVE-2013-6429

5. References:

https://www.redhat.com/security/data/cve/CVE-2013-2035.html
https://www.redhat.com/security/data/cve/CVE-2013-2192.html
https://www.redhat.com/security/data/cve/CVE-2013-4152.html
https://www.redhat.com/security/data/cve/CVE-2013-6429.html
https://www.redhat.com/security/data/cve/CVE-2013-6430.html
https://www.redhat.com/security/data/cve/CVE-2014-0050.html
https://www.redhat.com/security/data/cve/CVE-2014-0054.html
https://www.redhat.com/security/data/cve/CVE-2014-0085.html
https://www.redhat.com/security/data/cve/CVE-2014-1904.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.amq&downloadType=distributions&version=6.1.0
https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_A-MQ/

6. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTS/SnXlSAg2UNWIIRAjfhAJ9FI0X+7Dz06mH7UxBXwT82JEYWdACgn/2k
ft7Xn9xiuZb/emiN+JXVSF4=
=qShr
-----END PGP SIGNATURE-----


--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
    

- 漏洞信息

Apache Zookeeper CVE-2014-0085 Local Information Disclosure Vulnerability
Design Error 67013
No Yes
2014-04-17 12:00:00 2014-04-17 12:00:00
Graeme Colman

- 受影响的程序版本

- 漏洞讨论

Apache Zookeeper is prone to a local information-disclosure vulnerability.

A local attacker can exploit this issue to obtain sensitive information that may lead to further attacks.

- 漏洞利用

An attacker requires local interactive access to exploit the issue.

- 解决方案

Updates are available. Please see the references or vendor advisory for more information.

- 相关参考

     

     

    关于SCAP中文社区

    SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

    版权声明

    CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站