CVE-2017-5637

Two four letter word commands "wchp/wchc" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests. Apache ZooKeeper thru version 3.4.9 and 3.5.2 suffer from this issue, fixed in 3.4.10, 3.5.3, and later.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:apache:zookeeper:3.4.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:zookeeper:3.4.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:zookeeper:3.4.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:zookeeper:3.4.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:zookeeper:3.4.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:zookeeper:3.4.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:zookeeper:3.4.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:zookeeper:3.4.7:*:*:*:*:*:*:*
cpe:2.3:a:apache:zookeeper:3.4.8:*:*:*:*:*:*:*
cpe:2.3:a:apache:zookeeper:3.4.9:*:*:*:*:*:*:*
cpe:2.3:a:apache:zookeeper:3.5.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:zookeeper:3.5.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:zookeeper:3.5.2:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

History

07 Nov 2023, 02:49

Type Values Removed Values Added
References
  • {'url': 'https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E', 'name': '[nifi-commits] 20191113 svn commit: r1869773 - /nifi/site/trunk/security.html', 'tags': [], 'refsource': 'MLIST'}
  • {'url': 'https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E', 'name': '[activemq-issues] 20190820 [jira] [Created] (AMQ-7279) Security Vulnerabilities in Libraries - jackson-databind-2.9.8.jar, tomcat-servlet-api-8.0.53.jar, tomcat-websocket-api-8.0.53.jar, zookeeper-3.4.6.jar, guava-18.0.jar, jetty-all-9.2.26.v20180806.jar, scala-library-2.11.0.jar', 'tags': [], 'refsource': 'MLIST'}
  • {'url': 'https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E', 'name': '[nifi-commits] 20200123 svn commit: r1873083 - /nifi/site/trunk/security.html', 'tags': [], 'refsource': 'MLIST'}
  • {'url': 'https://lists.apache.org/thread.html/58170aeb7a681d462b7fa31cae81110cbb749d2dc83c5736a0bb8370@%3Cdev.zookeeper.apache.org%3E', 'name': '[dev] 20171009 [SECURITY] CVE-2017-5637: DOS attack on wchp/wchc four letter words (4lw)', 'tags': ['Mailing List', 'Vendor Advisory'], 'refsource': 'MLIST'}
  • (N/A) https://www.oracle.com//security-alerts/cpujul2021.html -
  • () https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E -
  • () https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E -
  • () https://lists.apache.org/thread.html/58170aeb7a681d462b7fa31cae81110cbb749d2dc83c5736a0bb8370%40%3Cdev.zookeeper.apache.org%3E -
  • () https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E -

20 Jul 2021, 23:15

Type Values Removed Values Added
References (BID) http://www.securityfocus.com/bid/98814 - Third Party Advisory, VDB Entry (BID) http://www.securityfocus.com/bid/98814 - VDB Entry, Third Party Advisory

Information

Published : 2017-10-10 01:30

Updated : 2023-12-10 12:15


NVD link : CVE-2017-5637

Mitre link : CVE-2017-5637

CVE.ORG link : CVE-2017-5637


JSON object : View

Products Affected

debian

  • debian_linux

apache

  • zookeeper
CWE
CWE-306

Missing Authentication for Critical Function

CWE-400

Uncontrolled Resource Consumption