############################################################ CVE-2016-5017: Buffer overflow vulnerability in ZooKeeper C cli shell Severity: moderate Vendor: The Apache Software Foundation Versions Affected: ZooKeeper 3.4.0 to 3.4.8 ZooKeeper 3.5.0 to 3.5.2 The unsupported ZooKeeper 1.x through 3.3.x versions may be also affected Note: The 3.5 branch is still alpha at this time. Description: The ZooKeeper C client shells "cli_st" and "cli_mt" have a buffer overflow vulnerability associated with parsing of the input command when using the "cmd:<cmd>" batch mode syntax. If the command string exceeds 1024 characters a buffer overflow will occur. There is no known compromise which takes advantage of this vulnerability, and if security is enabled the attacker would be limited by client level security constraints. The C cli shell is intended as a sample/example of how to use the C client interface, not as a production tool - the documentation has also been clarified on this point. Mitigation: It is important to use the fully featured/supported Java cli shell rather than the C cli shell independent of version. - ZooKeeper 3.4.x users should upgrade to 3.4.9 or apply this patch: https://git-wip-us.apache.org/repos/asf?p=zookeeper.git;a=commitdiff;h=27ecf981a15554dc8e64a28630af7a5c9e2bdf4f - ZooKeeper 3.5.x users should upgrade to 3.5.3 when released or apply this patch: https://git-wip-us.apache.org/repos/asf?p=zookeeper.git;a=commitdiff;h=f09154d6648eeb4ec5e1ac8a2bacbd2f8c87c14a The patch solves the problem reported here, but it does not make the client ready for production use. The community has no plan to make this client production ready at this time, and strongly recommends that users move to the Java cli and use the C cli for illustration purposes only. Credit: This issue was discovered by Lyon Yang, an Apple security researcher. References: https://zookeeper.apache.org/security.html ############################################################