Apache ZooKeeper is affected by unauthorized information disclosure. The getACL() command does not check permissions when retrieving the ACLs of the requested node. Consequently, plaintext information contained in the ACL Id field is returned. This allows an attacker to retrieve users' Ids and authentication digests, and gain access to the application on behalf of the user.
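The missing check described above, modelled as an added example; this is not ZooKeeper's code. The store, the function names and the sample credentials are hypothetical, and masking the digest for unauthorized callers is an assumed mitigation shown for contrast.

```python
import base64
import hashlib
from dataclasses import dataclass

# ZooKeeper permission bits (ZooDefs.Perms): READ=1, WRITE=2, CREATE=4, DELETE=8, ADMIN=16
READ, ADMIN = 1, 16

@dataclass(frozen=True)
class ACL:
    perms: int
    scheme: str
    id: str

def digest_id(user: str, password: str) -> str:
    """Digest-scheme Id as ZooKeeper stores it: user:base64(sha1(user:password))."""
    raw = hashlib.sha1(f"{user}:{password}".encode()).digest()
    return f"{user}:{base64.b64encode(raw).decode()}"

# Constructed sample data: one znode protected by a digest ACL.
NODE_ACLS = {
    "/app/config": [ACL(READ | ADMIN, "digest", digest_id("alice", "constructed-password"))],
}

def has_perm(acls, needed: int, session_ids: set) -> bool:
    """True if any ACL entry grants one of the needed bits to this session."""
    for a in acls:
        if not (a.perms & needed):
            continue
        if (a.scheme, a.id) == ("world", "anyone") or (a.scheme, a.id) in session_ids:
            return True
    return False

def get_acl_unchecked(path: str, session_ids: set):
    """Vulnerable behaviour: ACLs are returned to any caller, digests included."""
    return list(NODE_ACLS[path])

def get_acl_checked(path: str, session_ids: set):
    """Hardened behaviour (assumed): require READ or ADMIN, otherwise mask digests."""
    acls = NODE_ACLS[path]
    if has_perm(acls, READ | ADMIN, session_ids):
        return list(acls)
    return [
        ACL(a.perms, a.scheme, a.id.split(":", 1)[0] + ":x") if a.scheme == "digest" else a
        for a in acls
    ]
```

An unauthenticated session (an empty `session_ids` set) receives the full digest from `get_acl_unchecked` and only `alice:x` from `get_acl_checked`.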
www.securityfocus.com/bid/108427
access.redhat.com/errata/RHSA-2019:3140
access.redhat.com/errata/RHSA-2019:3892
access.redhat.com/errata/RHSA-2019:4352
issues.apache.org/jira/browse/ZOOKEEPER-1392
issues.apache.org/jira/secure/attachment/12595780/ZOOKEEPER-1392.patch
lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E
lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E
lists.apache.org/thread.html/5d9a1cf41a5880557bf680b7321b4ab9a4d206c601ffb15fef6f196a@%3Ccommits.accumulo.apache.org%3E
lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E
lists.apache.org/thread.html/f6112882e30a31992a79e0a8c31ac179e9d0de7c708de3a9258d4391@%3Cissues.bookkeeper.apache.org%3E
lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E
lists.apache.org/thread.html/r40f32125c1d97ad82404cc918171d9e0fcf78e534256674e9da1eb4b@%3Ccommon-issues.hadoop.apache.org%3E
lists.debian.org/debian-lts-announce/2019/05/msg00033.html
seclists.org/bugtraq/2019/Jun/13
security.netapp.com/advisory/ntap-20190619-0001/
www.debian.org/security/2019/dsa-4461
www.oracle.com//security-alerts/cpujul2021.html
www.oracle.com/security-alerts/cpujul2020.html
www.oracle.com/security-alerts/cpuoct2020.html
zookeeper.apache.org/security.html#CVE-2019-0201