Apache ZooKeeper Security Alert: Important Flaw Impacts Admin Server (CVE-2024-51504)

CVE-2024-51504

Apache ZooKeeper, the widely used centralized service for managing configuration and synchronization across distributed applications, has recently issued a security advisory regarding a significant vulnerability: CVE-2024-51504. This flaw, rated as an “important” severity issue, exposes ZooKeeper Admin Server to potential authentication bypass via IP spoofing.

The vulnerability lies in ZooKeeper’s IP-based authentication mechanism, which utilizes the IPAuthenticationProvider in the Admin Server. Due to weak default configurations in IP address detection, attackers can bypass authentication by spoofing the client’s IP address. Apache’s advisory says, “the default configuration honors X-Forwarded-For HTTP header to read client’s IP address.” Unfortunately, this header can be easily manipulated, as “X-Forwarded-For request header is mainly used by proxy servers to identify the client and can be easily spoofed by an attacker.”

In the event of successful exploitation, attackers gain unauthorized access to critical Admin Server commands, including snapshot and restore operations. These commands allow direct interaction with the server’s configuration and backup processes, potentially leading to information leakage and service availability issues.

Once exploited, this vulnerability poses a significant risk to ZooKeeper’s integrity, particularly for organizations relying on ZooKeeper for crucial configuration and group services across distributed applications. The advisory warns that “Admin Server commands, such as snapshot and restore arbitrarily can be executed on successful exploitation.”

CVE-2024-51504 was identified and reported by security researchers 4ra1n and Y4tacker.

The Apache ZooKeeper team urges users to update to version 3.9.3, which provides essential fixes to address the vulnerability. This updated version includes stronger authentication checks, reducing the risk of IP spoofing attacks by reinforcing client identity verification. Given the absence of effective workarounds, immediate upgrading is recommended for any organization utilizing vulnerable versions.

Related Posts: