CVE-2017-5637

Aliases: GHSA-7cwj-j333-x7f7
Published: 10 Oct 2017, 01:00
Last modified: 17 Sept 2024, 00:16

Vulnerability Summary

Overall risk (default): medium (43/100)
CVSS score: 7.5 HIGH (v3.0, NVD)
EPSS score: 17.45% MEDIUM
KEV: not listed
Ransomware: no reports
Public exploits: 1 found
Dark web: not detected

Timeline

10 Oct 2017, 01:00: Published (vulnerability first disclosed)
17 Sept 2024, 00:16: Last modified (vulnerability information updated)

Description

The four-letter-word commands "wchp" and "wchc" are CPU intensive and, if abused, can cause a spike in CPU utilization on an Apache ZooKeeper server, leaving it unable to serve legitimate client requests. Four-letter-word commands are accepted on the client port without any authentication (the CVSS vector below is PR:N), so any host that can reach that port can trigger them. Apache ZooKeeper through versions 3.4.9 and 3.5.2 is affected; the issue is fixed in 3.4.10, 3.5.3, and later.

CVSS Metrics

  • v3.0 HIGH, score 7.5: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • v2.0 MEDIUM, score 5.0: AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS Trends

Current EPSS score: 17.45% Percentile: 95%

Techniques & Countermeasures

  • CWE-306: Missing Authentication for Critical Function

    The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

  • CWE-400: Uncontrolled Resource Consumption

    The product does not properly control the allocation and maintenance of a limited resource.
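The description above says what the two commands cost; the CWE entries say why it matters (no authentication on the client port, no cap on the work a request can trigger). The practical questions for an operator are whether a given server still answers wchp/wchc to an anonymous client, and whether its zoo.cfg gates four-letter words with the 4lw.commands.whitelist property that the fixed releases (3.4.10 / 3.5.3) use for this purpose. The following is an added example written for this page, not code from Apache ZooKeeper or from this advisory. It assumes that a fixed server refuses a non-whitelisted command with a reply containing "is not executed because it is not in the whitelist", that "*" in the whitelist means every command, and that the sample zoo.cfg fragments are constructed; all three are marked as assumptions in the code.

```python
"""Constructed example: check whether a ZooKeeper server still exposes the
CPU-intensive "wchp"/"wchc" four-letter-word commands (CVE-2017-5637), and
audit the 4lw.commands.whitelist setting that fixed releases use to gate them.

Added illustration, not Apache ZooKeeper code. Reply strings, the "*"
wildcard and the zoo.cfg fragments are assumptions documented inline.
"""
import socket

# The two commands named in the advisory. Both walk the full watch table
# (by path / by session), which is what makes them expensive on a busy ensemble.
RISKY_4LW = ("wchp", "wchc")

# Assumption: a fixed release answers a command that is not whitelisted with a
# sentence containing this text. Treated as a marker, not as an exact match.
NOT_WHITELISTED_MARKER = "is not executed because it is not in the whitelist"


def probe_4lw(host, port, cmd, timeout=3.0):
    """Send one four-letter-word command to the client port and return the raw
    reply as text. This is a live network call; the offline checks below do not
    exercise it."""
    if len(cmd) != 4:
        raise ValueError("four-letter words are exactly four bytes: %r" % cmd)
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(cmd.encode("ascii"))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def classify_reply(cmd, reply):
    """Map a server reply to 'enabled', 'blocked' or 'closed'.

    'enabled' - the server ran the command (any non-empty output other than the
                whitelist refusal), so an unauthenticated client can trigger it.
    'blocked' - refused by 4lw.commands.whitelist (fixed release, gated).
    'closed'  - empty reply: the server closed the connection without output,
                e.g. unknown command or four-letter words disabled entirely.
    """
    text = reply.strip()
    if not text:
        return "closed"
    if NOT_WHITELISTED_MARKER in text:
        return "blocked"
    return "enabled"


def parse_whitelist(zoo_cfg_text):
    """Return the set of commands listed in 4lw.commands.whitelist, or None if
    the key is absent (the release default then applies; look that up in the
    admin guide for your version rather than assuming it)."""
    for raw in zoo_cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "4lw.commands.whitelist":
            return {c.strip() for c in value.split(",") if c.strip()}
    return None


def exposed_risky_commands(zoo_cfg_text):
    """Which of wchp/wchc a zoo.cfg explicitly allows; None if undetermined.
    Assumption: "*" in the whitelist enables every command."""
    allowed = parse_whitelist(zoo_cfg_text)
    if allowed is None:
        return None
    if "*" in allowed:
        return set(RISKY_4LW)
    return {c for c in RISKY_4LW if c in allowed}


# Constructed zoo.cfg fragments for the offline checks (not from any real host).
CFG_WEAK = """tickTime=2000
dataDir=/var/lib/zookeeper
clientPort=2181
# everything on, including the expensive watch dumps
4lw.commands.whitelist=*
"""

CFG_HARDENED = """tickTime=2000
dataDir=/var/lib/zookeeper
clientPort=2181
# only what the health checks and zkServer.sh need
4lw.commands.whitelist=srvr, ruok, mntr
"""

if __name__ == "__main__":
    print("weak cfg exposes:", exposed_risky_commands(CFG_WEAK))
    print("hardened cfg exposes:", exposed_risky_commands(CFG_HARDENED))
    # To probe a real server, uncomment and point at its client port:
    # for cmd in RISKY_4LW:
    #     print(cmd, classify_reply(cmd, probe_4lw("127.0.0.1", 2181, cmd)))
```

Run the config audit against every zoo.cfg in the ensemble, then confirm with the live probe from a host that is outside the trusted network segment: a server that answers "enabled" for wchp or wchc on an unauthenticated connection is exposed regardless of what the version string says. Note that parse_whitelist returns None when the key is absent, and the example deliberately does not guess the default for that case, since it differs between release lines.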

Affected Systems

  • Apache Software Foundation / Apache ZooKeeper

    3.4.0 to 3.4.9 | 3.5.0 to 3.5.2

  • apache / zookeeper

    3.4.0 | 3.4.1 | 3.4.2 | 3.4.3 | 3.4.4 | 3.4.5 | 3.4.6 | 3.4.7 | 3.4.8 | 3.4.9 | 3.5.0 | 3.5.1 | 3.5.2

  • Debian / debian_linux

    8.0

  • org.apache.zookeeper:zookeeper (Maven artifact)

    ≥ 3.4.0, < 3.4.10 | ≥ 3.5.0, < 3.5.3
