Vulnerability Details : CVE-2017-5637
Two four-letter-word commands, "wchp" and "wchc", are CPU intensive and, if abused, can cause a spike in CPU utilization on an Apache ZooKeeper server, leaving the server unable to serve legitimate client requests. Apache ZooKeeper through versions 3.4.9 and 3.5.2 suffers from this issue; it is fixed in 3.4.10, 3.5.3, and later.
Products affected by CVE-2017-5637
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:zookeeper:3.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:zookeeper:3.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:zookeeper:3.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:zookeeper:3.4.8:*:*:*:*:*:*:*
- cpe:2.3:a:apache:zookeeper:3.4.7:*:*:*:*:*:*:*
- cpe:2.3:a:apache:zookeeper:3.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:zookeeper:3.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:zookeeper:3.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:zookeeper:3.4.6:*:*:*:*:*:*:*
- cpe:2.3:a:apache:zookeeper:3.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:zookeeper:3.4.9:*:*:*:*:*:*:*
- cpe:2.3:a:apache:zookeeper:3.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:zookeeper:3.4.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-5637
- EPSS score: 4.54% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~92% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2017-5637
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST | |
| 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2017-5637
- The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. (Assigned by: nvd@nist.gov, Primary)
- The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2017-5637
- https://issues.apache.org/jira/browse/ZOOKEEPER-2693 : [ZOOKEEPER-2693] DOS attack on wchp/wchc four letter words (4lw) - ASF JIRA (Issue Tracking; Mitigation; Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2017:2477 : RHSA-2017:2477 - Security Advisory - Red Hat Customer Portal
- https://lists.apache.org/thread.html/58170aeb7a681d462b7fa31cae81110cbb749d2dc83c5736a0bb8370@%3Cdev.zookeeper.apache.org%3E : Pony Mail (Mailing List; Vendor Advisory)
- https://www.oracle.com/security-alerts/cpujul2020.html : Oracle Critical Patch Update Advisory - July 2020
- https://access.redhat.com/errata/RHSA-2017:3354 : RHSA-2017:3354 - Security Advisory - Red Hat Customer Portal
- https://www.oracle.com//security-alerts/cpujul2021.html : Oracle Critical Patch Update Advisory - July 2021
- http://www.securityfocus.com/bid/98814 : Apache Zookeeper CVE-2017-5637 Denial of Service Vulnerability (VDB Entry; Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2017:3355 : RHSA-2017:3355 - Security Advisory - Red Hat Customer Portal
- http://www.debian.org/security/2017/dsa-3871 : Debian -- Security Information -- DSA-3871-1 zookeeper (Third Party Advisory)
- https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E : svn commit: r1869773 - /nifi/site/trunk/security.html - Pony Mail
- https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E : svn commit: r1873083 - /nifi/site/trunk/security.html - Pony Mail
- https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E