CVE-2024-23944: Critical Apache ZooKeeper Flaw Exposes Sensitive Data, Patch Immediately
Apache ZooKeeper, a widely used coordination service for distributed applications, has a critical security vulnerability, tracked as CVE-2024-23944. This flaw allows an attacker who already has some access to silently monitor activity on parts of the ZooKeeper data tree they are not authorized to see, potentially compromising systems that rely on ZooKeeper for configuration and management.
What’s ZooKeeper For?
ZooKeeper is a workhorse for many complex applications. It provides core services such as:
- Centralized Configuration: Storing and syncing settings across distributed systems, ensuring everyone is on the same page.
- Naming Services: Like a phonebook for internal systems, letting components find each other easily.
- Synchronization: Managing distributed tasks, ensuring actions happen in the correct order and resources don’t clash.
What is the Vulnerability?
The core issue lies in how ZooKeeper handles “persistent watchers.” These watchers are meant to trigger notifications when changes occur within a monitored part of ZooKeeper’s data structure. However, due to a missing security check, attackers who already have some access can use these watchers to spy on other areas they shouldn’t have visibility into.
“Information disclosure in persistent watchers handling in Apache ZooKeeper due to missing ACL check. It allows an attacker to monitor child znodes by attaching a persistent watcher (addWatch command) to a parent which the attacker has already access to. ZooKeeper server doesn’t do ACL check when the persistent watcher is triggered and as a consequence, the full path of znodes that a watch event gets triggered upon is exposed to the owner of the watcher,” reads the security advisory.
While this vulnerability doesn’t directly leak the contents of sensitive data, it exposes the paths to those data stores. These paths often contain valuable clues like usernames, system identifiers, and configuration details that attackers can exploit.
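To make the missing check concrete, here is an added Python model (not ZooKeeper's own code) of a server that keeps persistent watchers on an in-memory znode tree. The principals, paths and ACLs are constructed for the example; the only difference between the two runs is whether the server checks the watcher owner's READ permission on the child znode before delivering the event, which is the check the advisory says was missing.

```python
# Added example, not ZooKeeper code: a minimal model of CVE-2024-23944.
# Each znode carries a constructed ACL (the set of principals with READ).
# A persistent watcher on a parent receives events for that parent's
# children; the vulnerable server delivers the child's full path without
# checking whether the watcher's owner may read that child.
from dataclasses import dataclass, field


@dataclass
class Znode:
    path: str
    readers: set                                 # principals allowed to READ
    watchers: set = field(default_factory=set)   # owners of persistent watches


class ZooKeeperModel:
    def __init__(self, check_acl_on_trigger: bool):
        self.check_acl_on_trigger = check_acl_on_trigger  # False = vulnerable
        self.nodes = {}

    def create(self, path, readers):
        self.nodes[path] = Znode(path, set(readers))

    def add_watch(self, principal, path):
        # addWatch itself is ACL-checked in both versions: you need READ on
        # the node you attach the persistent watcher to.
        node = self.nodes[path]
        if principal not in node.readers:
            raise PermissionError(f"{principal} may not read {path}")
        node.watchers.add(principal)

    def set_data(self, path):
        """Simulate a change to `path`; return {watcher: exposed_path}."""
        parent = path.rsplit("/", 1)[0] or "/"
        parent_node = self.nodes.get(parent)
        if parent_node is None:
            return {}
        delivered = {}
        for watcher in parent_node.watchers:
            if self.check_acl_on_trigger and watcher not in self.nodes[path].readers:
                continue  # patched behaviour: no event for an unreadable child
            delivered[watcher] = path  # full child path reaches the watcher
        return delivered


def demo(patched: bool):
    zk = ZooKeeperModel(check_acl_on_trigger=patched)
    zk.create("/app", readers={"alice", "mallory"})           # both may read parent
    zk.create("/app/db-creds-svc-prod", readers={"alice"})    # child restricted
    zk.add_watch("alice", "/app")
    zk.add_watch("mallory", "/app")
    return zk.set_data("/app/db-creds-svc-prod")
```

Running `demo(False)` shows the unpatched behaviour: mallory, who may only read `/app`, still receives the restricted child's full path; with `demo(True)` only alice is notified.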
Who’s Affected?
Any organization using the following Apache ZooKeeper versions is vulnerable:
- 3.9.0 through 3.9.1
- 3.8.0 through 3.8.3
- 3.6.0 through 3.7.2
What To Do
- Upgrade Now: Apache has released patched versions (3.9.2, 3.8.4). Install these updates with the highest priority.
- Review ZooKeeper Usage: Identify where ZooKeeper is in use within your systems. Prioritize patching for applications managing particularly sensitive data.
- Limit Access: Wherever possible, enforce strict access controls around ZooKeeper to limit the attack surface, even after the patch.