CVE-2017-5637

Zookeeper 3.5.2 Client - Denial of Service

  • Severity Score: 7.5 (CVSS v3)
  • Public Exploits: 1 (Multiple Sources)
  • Exploited in Wild: - (KEV)
  • Decision: - (SSVC)

Descriptions

Two four-letter-word commands, "wchp/wchc", are CPU intensive and, if abused, could cause a spike in CPU utilization on an Apache ZooKeeper server, leaving the server unable to serve legitimate client requests. Apache ZooKeeper through versions 3.4.9 and 3.5.2 suffers from this issue, which is fixed in 3.4.10, 3.5.3, and later.

A denial of service vulnerability was discovered in ZooKeeper which allows an attacker to dramatically increase CPU utilization by abusing "wchp/wchc" commands, leading to the server being unable to serve legitimate requests.

*Credits: N/A
CVSS Scores
CVSS v3
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: None
  • Availability: High
CVSS v2
  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: None
  • Integrity: None
  • Availability: Partial
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2017-01-29 CVE Reserved
  • 2017-07-02 First Exploit
  • 2017-08-15 CVE Published
  • 2023-11-08 EPSS Updated
  • 2024-09-17 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-20: Improper Input Validation
  • CWE-306: Missing Authentication for Critical Function
  • CWE-400: Uncontrolled Resource Consumption
CAPEC
Affected Vendors, Products, and Versions
Vendor   Product        Version   Other   Status
Apache   Zookeeper      3.4.0     -       Affected
Apache   Zookeeper      3.4.1     -       Affected
Apache   Zookeeper      3.4.2     -       Affected
Apache   Zookeeper      3.4.3     -       Affected
Apache   Zookeeper      3.4.4     -       Affected
Apache   Zookeeper      3.4.5     -       Affected
Apache   Zookeeper      3.4.6     -       Affected
Apache   Zookeeper      3.4.7     -       Affected
Apache   Zookeeper      3.4.8     -       Affected
Apache   Zookeeper      3.4.9     -       Affected
Apache   Zookeeper      3.5.0     -       Affected
Apache   Zookeeper      3.5.1     -       Affected
Apache   Zookeeper      3.5.2     -       Affected
Debian   Debian Linux   8.0       -       Affected