H3-2020-0002
Anonymous Access to ZooKeeper API
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 5.0 |
Description
The Apache ZooKeeper API allows anonymous connections. Apache ZooKeeper is a centralized service that is used for maintaining configuration information and providing distributed synchronization for distributed applications. An attacker can exploit this misconfiguration by connecting to the ZooKeeper API without authentication, allowing them to perform various unauthorized actions.
Impact
By exploiting this misconfiguration, an attacker can gain unauthorized access to configuration data and potentially disrupt services relying on ZooKeeper, leading to data integrity issues and possible service outages.
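A defender-side check for the exposure described above, added here as an example and not part of the original advisory: it parses ACL text in the form the ZooKeeper CLI's `getAcl` command prints and reports znodes that grant rights to `world:anyone`, separating read-only exposure (configuration disclosure) from modify rights (integrity and availability). The znode paths, ids and the `SAMPLE_ACLS` data are constructed, and the function names are hypothetical.

```python
import re

# Permission letters used in ZooKeeper ACLs.
PERMS = {"c": "create", "d": "delete", "r": "read", "w": "write", "a": "admin"}
MUTATING = set("cdwa")  # rights that change or remove data, beyond reading it

# Constructed sample (hypothetical paths and ids): znode path -> ACL text in the
# form the ZooKeeper CLI's getAcl command prints.
SAMPLE_ACLS = {
    "/config/app": "'world,'anyone\n: cdrwa\n",
    "/brokers/ids": "'world,'anyone\n: r\n'sasl,'kafka\n: cdrwa\n",
    "/secrets/db": "'digest,'svc:CONSTRUCTED_DIGEST\n: cdrwa\n",
}

ENTRY = re.compile(
    r"'(?P<scheme>[^,\s]+),'(?P<id>\S*)\s*\n\s*:\s*(?P<perms>[cdrwa]*)"
)


def parse_acl(text):
    """Return a list of (scheme, id, perms) tuples from getAcl-style text."""
    return [(m["scheme"], m["id"], m["perms"]) for m in ENTRY.finditer(text)]


def audit(acls):
    """Report znodes whose ACL grants rights to unauthenticated clients."""
    findings = []
    for path, text in sorted(acls.items()):
        for scheme, ident, perms in parse_acl(text):
            # world:anyone is the entry that applies to anonymous sessions.
            if (scheme, ident) != ("world", "anyone") or not perms:
                continue
            exposure = "modify" if MUTATING & set(perms) else "read-only"
            findings.append({
                "path": path,
                "exposure": exposure,
                "granted": [PERMS[p] for p in perms],
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_ACLS):
        print(f"{f['path']}: {f['exposure']} ({', '.join(f['granted'])})")
```

Znodes reported with `modify` exposure are the ones where anonymous access can affect dependent services; `read-only` entries still disclose whatever configuration the znode holds.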