Cisco: there’s a bad bug in open source software that a Netflix engineer abandoned in 2016 – CSO Australia

Posted on by

Cisco has disclosed a bug in Exhibitor, a popular open source package for the Apache Zookeeper server for distributed applications in the cloud.

Exhibitor is an open source program developed by Netflix to help deal with ephemeral cloud instances within Zookeeper, which wasnt built to handle cases where hosts dont know the hostnames of other hosts within an ensemble of container engines.

As Google Cloud explains, Exhibitor is a supervisor process that coordinates the configuration and execution of Zookeeper processes across many hosts, which gives Zookeeper users backup and restore capabilities and provides a GUI for Zookeeper nodes among other things.

About three months ago Cisco researchers discovered a fairly serious security issue in the Exhibitors web UI component, which lacks any form of authentication, leaving it exposed to an exploitable command injection vulnerability.

Cisco disclosed details about the flaw because its report about the flaw was not addressed within its 90 day disclosure policy.

The bug appears not to have been addressed because the former Netflix platform engineer who created Exhibitor, Jordan Zimmerman, abandoned the software in September 2016. Zimmerman was explaining to distributed system developers what Exhibitor was in 2012.

Exactly how widely the software is still used isnt known, but Zimmerman guessed that Exhibitor will just die if there was no interest among developers to maintain it after he stopped working on it.

Google posted blog Taming the herd: using Zookeeper and Exhibitor on Google Container Enginea few months before Zimmerman announced he would no longer maintain the software.

The other major issue is that prior to version 1.7.0, the Exhibitor supervisor did not have any way to specify which interfaces to listen on, according to Cisco.

Read more: Get ready for Trump fake ransomware: trump.exe and Trump Screen of Death

Exposing Exhibitor is dangerous for the ZooKeeper ensemble because Exhibitor allows the changing of the ZooKeeper configuration, and also provides a UI for viewing and modifying keys and values stored in ZooKeeper. This could eventually allow an attacker to manipulate Exhibitor when launching ZooKeeper, explains Cisco Talos Intelligence researcher Jon Munshaw.

The command injection flaw is present in Config editor of the Exhibitor Web UI versions 1.0.9 to 1.7.1, according to Munshaw.

Given the slim chances of a fix being created, anyone still using Exhibitor should probably remove the software as soon as possible.

Error: Please check your email address.

Tags Cloudopen sourcecisconetflixGoogle CloudTalos Intelligence

More about ApacheCiscoGoogleNetflix

Original post:
Cisco: there's a bad bug in open source software that a Netflix engineer abandoned in 2016 - CSO Australia

Related Posts
This entry was posted in $1$s. Bookmark the permalink.