Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM890D26C1A7349CE38D9DBC95CF46F2E9DB9DCD816F51C610D2089508498FEC3E
HistoryJul 12, 2024 - 5:04 a.m.

Security Bulletin: Information disclosure in persistent watchers handling

2024-07-1205:04:33
www.ibm.com
6
apache zookeeper
persistent watchers
information disclosure
acl check
upgrade
powervc
version 3.9.2
version 3.8.4
cve-2024-23944
cvss score
sensitive information
powervc 2.1.1
powervc 2.1.1.1
powervc 2.2.0

AI Score

5.7

Confidence

High

JSON

Summary

Information disclosure in persistent watchers handling in Apache ZooKeeper due to missing ACL check. It allows an attacker to monitor child znodes by attaching a persistent watcher (addWatch command) to a parent which the attacker has already access to. ZooKeeper server doesn’t do ACL check when the persistent watcher is triggered and as a consequence, the full path of znodes that a watch event gets triggered upon is exposed to the owner of the watcher. It’s important to note that only the path is exposed by this vulnerability, not the data of znode, but since znode path can contain sensitive information like user name or login ID, this issue is potentially critical. Users are recommended to upgrade to version 3.9.2, 3.8.4 which fixes the issue.

Vulnerability Details

CVEID:CVE-2024-23944
**DESCRIPTION:**Apache ZooKeeper could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw in persistent watchers handling. By attaching a persistent watcher to a parent, an attacker could exploit this vulnerability to obtain information of the full path of znodes, and use this information to launch further attacks against the affected system.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/285579 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
PowerVC All

Remediation/Fixes

PowerVC Version Fix
2.1.1 https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/PowerVC&release=2.1.1&platform=All&function=fixId&fixids=2.1.1-PowerVC-RHEL-SLES-NOARCH-APAR-IT45537&includeRequisites=1&includeSupersedes=0&downloadMethod=http&login=true
2.1.1.1 https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/PowerVC&release=2.1.1.1&platform=All&function=fixId&fixids=2.1.1.1-PowerVC-RHEL-SLES-NOARCH-APAR-IT45572&includeRequisites=1&includeSupersedes=0&downloadMethod=http
2.2.0 https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/PowerVC&release=2.2.0&platform=All&function=fixId&fixids=2.2.0-PowerVC-RHEL-SLES-NOARCH-APAR-IT45538&includeRequisites=1&includeSupersedes=0&downloadMethod=http

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmpowervcMatchanystandard
VendorProductVersionCPE
ibmpowervcanycpe:2.3:a:ibm:powervc:any:*:*:*:standard:*:*:*

Related

osv 7
ibm 9
vulnrichment 1
cgr 1
debiancve 1
veracode 1
nessus 2
ubuntucve 1
cvelist 1
wolfi 1
github 1
nvd 1
cve 1
redos 1
redhat 1
oracle 1
osv
osv
CGA-h562-6hp9-9x2q
2024-06-06 12:27:37
CGA-mrr6-55fr-72mh
2024-06-06 12:28:34
BIT-zookeeper-2024-23944
2024-03-31 18:32:55
ibm
ibm
Security Bulletin: IBM Watson Explorer affected by vulnerability in Apache ZooKeeper.(CVE-2024-23944)
2024-06-20 06:47:46
Security Bulletin: IBM Observability with Instana using third-party Kubernetes Operators is affected by Multiple Security Vulnerabilities
2024-05-20 06:22:17
Security Bulletin: Multiple vulnerabilities fixed in IBM Security Verify Information Queue
2024-08-05 09:25:26
vulnrichment
vulnrichment
CVE-2024-23944 Apache ZooKeeper: Information disclosure in persistent watcher handling
2024-03-15 10:26:12
cgr
cgr
CVE-2024-23944 vulnerabilities
2024-05-19 03:07:16
debiancve
debiancve
CVE-2024-23944
2024-03-15 11:15:08
veracode
veracode
Sensitive Information Disclosure
2024-03-18 07:08:30
nessus
nessus
Apache ZooKeeper 3.6.x <= 3.7.2, 3.8.x < 3.8.4, 3.9.x < 3.9.2 Information Disclosure
2024-03-21 00:00:00
Oracle Primavera Unifier (Jul 2024 CPU)
2024-07-18 00:00:00
ubuntucve
ubuntucve
CVE-2024-23944
2024-03-15 00:00:00
cvelist
cvelist
CVE-2024-23944 Apache ZooKeeper: Information disclosure in persistent watcher handling
2024-03-15 10:26:12
wolfi
wolfi
CVE-2024-23944 vulnerabilities
2024-09-19 09:11:50
github
github
Apache ZooKeeper vulnerable to information disclosure in persistent watchers handling
2024-03-15 12:30:37
nvd
nvd
CVE-2024-23944
2024-03-15 11:15:08
cve
cve
CVE-2024-23944
2024-03-15 11:15:08
redos
redos
ROS-20240815-05
2024-08-15 00:00:00
redhat
redhat
(RHSA-2024:6536) Moderate: Red Hat AMQ Streams 2.5.2 release and security update
2024-09-10 14:17:57
oracle
oracle
Oracle Critical Patch Update Advisory - July 2024
2024-07-16 00:00:00

AI Score

5.7

Confidence

High

JSON
Related for 890D26C1A7349CE38D9DBC95CF46F2E9DB9DCD816F51C610D2089508498FEC3E
osv7ibm9vulnrichment1cgr1debiancve1veracode1nessus2ubuntucve1cvelist1wolfi1github1nvd1cve1redos1redhat1oracle1