一、漏洞简介¶

1.1 漏洞背景¶

ZooKeeper AdminServer 支持 IP 地址认证机制（IPAuthenticationProvider），通过检查客户端 IP 地址来控制访问权限。这是一种常见的轻量级认证方式。

1.2 漏洞概述（包含 CVE 编号、危害等级、漏洞类型、披露时间等）¶

项目	内容
漏洞编号	CVE-2024-51504
危害等级	CRITICAL / 9.1
漏洞类型	IP认证绕过
披露时间	2024-11-07
影响组件	Apache ZooKeeper 安全

属性	值
CVE编号	CVE-2024-51504
危害等级	Important（重要）
漏洞类型	认证绕过 (CWE-290)
发现者	4ra1n, Y4tacker

漏洞描述： 当 ZooKeeper AdminServer 使用 IPAuthenticationProvider 进行 IP 认证时，默认配置通过 HTTP 请求头（特别是 X-Forwarded-For）来获取客户端 IP 地址。攻击者可以通过伪造该请求头绕过 IP 认证，从而执行 snapshot、restore 等管理命令。

补充核验信息：公开时间：2024-11-07；NVD 评分：9.1（CRITICAL）；CWE：CWE-290。

二、影响范围¶

2.1 受影响的版本¶

Apache ZooKeeper 3.9.0 至 3.9.2

2.2 不受影响的版本¶

Apache ZooKeeper < 3.9.0
Apache ZooKeeper ≥ 3.9.3

2.3 触发条件（如特定模块、特定配置、特定运行环境等）¶

启用了 AdminServer
使用 IPAuthenticationProvider 进行认证
配置允许特定 IP 访问
服务部署在代理服务器之后（常见场景）

三、漏洞详情与原理解析¶

3.1 漏洞触发机制¶

正常认证流程:
┌─────────┐     ┌─────────┐     ┌─────────────┐
│ 客户端   │────>│ 代理服务器│────>│ ZooKeeper   │
│10.0.0.1 │     │         │     │ AdminServer │
└─────────┘     └─────────┘     └─────────────┘
                     │
                     └── X-Forwarded-For: 10.0.0.1

攻击流程:
┌─────────┐     ┌─────────┐     ┌─────────────┐
│ 攻击者   │────>│ 代理服务器│────>│ ZooKeeper   │
│ 任意IP   │     │         │     │ AdminServer │
└─────────┘     └─────────┘     └─────────────┘
     │
     └── X-Forwarded-For: 10.0.0.1 (伪造的白名单IP)

3.2 源码层面的根因分析（结合源码与补丁对比）¶

漏洞代码位置： zookeeper-server/src/main/java/org/apache/zookeeper/server/auth/IPAuthenticationProvider.java

// 受影响代码 (简化示例)
public class IPAuthenticationProvider implements AuthenticationProvider {

    @Override
    public String getScheme() {
        return "ip";
    }

    // 问题：直接从请求头读取 IP
    public String getClientIP(HttpServletRequest request) {
        // 优先读取 X-Forwarded-For 头 - 漏洞点!
        String forwardedFor = request.getHeader("X-Forwarded-For");
        if (forwardedFor != null && !forwardedFor.isEmpty()) {
            return forwardedFor.split(",")[0].trim();
        }

        // 回退到真实 IP
        return request.getRemoteAddr();
    }

    @Override
    public boolean isAuthenticated() {
        return true;
    }
}

修复后代码：

public class IPAuthenticationProvider implements AuthenticationProvider {

    private final boolean trustProxyHeaders;
    private final Set<String> trustedProxies;

    public String getClientIP(HttpServletRequest request) {
        // 修复：仅在明确配置时信任代理头
        if (trustProxyHeaders) {
            // 验证请求来自可信代理
            if (trustedProxies.contains(request.getRemoteAddr())) {
                String forwardedFor = request.getHeader("X-Forwarded-For");
                if (forwardedFor != null) {
                    return parseFirstIP(forwardedFor);
                }
            }
        }

        // 默认使用直接连接 IP
        return request.getRemoteAddr();
    }
}

四、漏洞复现（可选）¶

4.1 环境搭建¶

```bash

下载受影响版本¶

wget https://archive.apache.org/dist/z

4.2 PoC 演示与测试过程¶

暂无公开可验证复现信息。

五、修复建议与缓解措施¶

5.1 官方版本升级建议¶

优先升级到 3.9.3 或同等后续安全版本。
升级前请结合官方发布说明确认兼容性与回滚方案。

5.2 临时缓解方案（如修改配置文件、关闭相关模块、增加 WAF 规则等）¶

在完成版本升级前，建议将相关服务限制在可信网络边界内，并最小化暴露面。
对高风险接口、插件或调试功能实施临时下线、访问控制与日志监控。

六、参考信息 / 参考链接¶

6.1 官方安全通告¶

https://lists.apache.org/thread/b3qrmpkto5r6989qr61fw9y2x646kqlh
https://archive.apache.org/dist/z

6.2 其他技术参考资料¶

NVD：https://nvd.nist.gov/vuln/detail/CVE-2024-51504
CVE：https://www.cve.org/CVERecord?id=CVE-2024-51504
http://www.openwall.com/lists/oss-security/2024/11/06/5
https://archive.apache.org/dist/z

<hr />

Apache ZooKeeper ???????CVE-2016-5017?¶

??????¶

1.1 ????¶

Apache ZooKeeper ???????????? CVE-2016-5017 ??????????????????????? HIGH?CVSS 8.1?

1.2 ??????? CVE ???????????????????¶

??	??
????	CVE-2016-5017
????	HIGH
CVSS ??	8.1
????	CWE-119
????	2016-09-21
????	Apache ZooKeeper

??????¶

2.1 ??????¶

apache:zookeeper:*, <= 3.4.8
apache:zookeeper:3.5.0
apache:zookeeper:3.5.1
apache:zookeeper:3.5.2

2.2 ???????¶

NVD / CISA ????????????????????????????????????????

2.3 ????????????????????????¶

????????????????????????
?????????????????????????????????????

???????????¶

3.1 ??????¶

NVD ?????Buffer overflow in the C cli shell in Apache Zookeeper before 3.4.9 and 3.5.x before 3.5.3, when using the "cmd:" batch mode syntax, allows attackers to have unspecified impact via a long command string.
??????????????????????????? PoC ???

3.2 ????????????????????¶

?????????????CWE-119?
NVD / CISA ???????????? diff???????????????????????????????

??????????¶

4.1 ????¶

??????????????????????????????????????????

4.2 PoC ???????¶

? CISA KEV ????????????????? KEV ????? PoC?
??????????????????????????????????????????

???????????¶

5.1 ????????¶

???????????????????????????
??????????????????????????????????????

5.2 ????????????????????????????¶

??????????????????????
???????????????????????? WAF ???
????????????????????????????

?????? / ????¶

https://nvd.nist.gov/vuln/detail/CVE-2016-5017
https://www.cve.org/CVERecord?id=CVE-2016-5017
http://packetstormsecurity.com/files/138755/ZooKeeper-3.4.8-3.5.2-Buffer-Overflow.html
http://www.openwall.com/lists/oss-security/2016/09/17/3
http://www.securityfocus.com/bid/93044
https://git-wip-us.apache.org/repos/asf?p=zookeeper.git%3Ba=commitdiff%3Bh=27ecf981a15554dc8e64a28630af7a5c9e2bdf4f
https://git-wip-us.apache.org/repos/asf?p=zookeeper.git%3Ba=commitdiff%3Bh=f09154d6648eeb4ec5e1ac8a2bacbd2f8c87c14a
https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E

<hr />

Apache ZooKeeper ???????CVE-2017-5637?¶

??????¶

1.1 ????¶

Apache ZooKeeper ???????????? CVE-2017-5637 ??????????????????????? HIGH?CVSS 7.5?

1.2 ??????? CVE ???????????????????¶

??	??
????	CVE-2017-5637
????	HIGH
CVSS ??	7.5
????	CWE-306?CWE-400
????	2017-10-10
????	Apache ZooKeeper

??????¶

2.1 ??????¶

apache:zookeeper:3.4.0
apache:zookeeper:3.4.1
apache:zookeeper:3.4.2
apache:zookeeper:3.4.3
apache:zookeeper:3.4.4
apache:zookeeper:3.4.5
apache:zookeeper:3.4.6
apache:zookeeper:3.4.7

2.2 ???????¶

NVD / CISA ????????????????????????????????????????

2.3 ????????????????????????¶

????????????????????????
?????????????????????????????????????

???????????¶

3.1 ??????¶

NVD ?????Two four letter word commands "wchp/wchc" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests. Apache ZooKeeper thru version 3.4.9 and 3.5.2 suffer from this issue, fixed in 3.4.10, 3.5.3, and later.
??????????????????????????? PoC ???

3.2 ????????????????????¶

?????????????CWE-306?CWE-400?
NVD / CISA ???????????? diff???????????????????????????????

??????????¶

4.1 ????¶

??????????????????????????????????????????

4.2 PoC ???????¶

? CISA KEV ????????????????? KEV ????? PoC?
??????????????????????????????????????????

???????????¶

5.1 ????????¶

???????????????????????????
??????????????????????????????????????

5.2 ????????????????????????????¶

??????????????????????
???????????????????????? WAF ???
????????????????????????????

?????? / ????¶

https://nvd.nist.gov/vuln/detail/CVE-2017-5637
https://www.cve.org/CVERecord?id=CVE-2017-5637
http://www.debian.org/security/2017/dsa-3871
http://www.securityfocus.com/bid/98814
https://access.redhat.com/errata/RHSA-2017:2477
https://access.redhat.com/errata/RHSA-2017:3354
https://access.redhat.com/errata/RHSA-2017:3355
https://issues.apache.org/jira/browse/ZOOKEEPER-2693

<hr />

Apache ZooKeeper ???????CVE-2018-8012?¶

??????¶

1.1 ????¶

Apache ZooKeeper ???????????? CVE-2018-8012 ??????????????????????? HIGH?CVSS 7.5?

1.2 ??????? CVE ???????????????????¶

??	??
????	CVE-2018-8012
????	HIGH
CVSS ??	7.5
????	CWE-862
????	2018-05-21
????	Apache ZooKeeper

??????¶

2.1 ??????¶

apache:zookeeper:*, < 3.4.10
apache:zookeeper:*, >= 3.5.0, <= 3.5.3
apache:zookeeper:3.5.0
apache:zookeeper:3.5.3
debian:debian_linux:8.0
debian:debian_linux:9.0
oracle:goldengate_stream_analytics:*, < 19.1.0.0.1

2.2 ???????¶

NVD / CISA ????????????????????????????????????????

2.3 ????????????????????????¶

????????????????????????
?????????????????????????????????????

???????????¶

3.1 ??????¶

NVD ?????No authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper before 3.4.10, and 3.5.0-alpha through 3.5.3-beta. As a result an arbitrary end point could join the cluster and begin propagating counterfeit changes to the leader.
??????????????????????????? PoC ???

3.2 ????????????????????¶

?????????????CWE-862?
NVD / CISA ???????????? diff???????????????????????????????

??????????¶

4.1 ????¶

??????????????????????????????????????????

4.2 PoC ???????¶

? CISA KEV ????????????????? KEV ????? PoC?
??????????????????????????????????????????

???????????¶

5.1 ????????¶

???????????????????????????
??????????????????????????????????????

5.2 ????????????????????????????¶

??????????????????????
???????????????????????? WAF ???
????????????????????????????

?????? / ????¶

https://nvd.nist.gov/vuln/detail/CVE-2018-8012
https://www.cve.org/CVERecord?id=CVE-2018-8012
http://www.securityfocus.com/bid/104253
http://www.securitytracker.com/id/1040948
https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E
https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E
https://lists.apache.org/thread.html/c75147028c1c79bdebd4f8fa5db2b77da85de2b05ecc0d54d708b393%40%3Cdev.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/r73daf1fc5d85677d9a854707e1908d14e174b7bbb0c603709c0ab33f%40%3Coak-commits.jackrabbit.apache.org%3E

<hr />

Apache ZooKeeper ???????CVE-2019-0201?¶

??????¶

1.1 ????¶

Apache ZooKeeper ???????????? CVE-2019-0201 ??????????????????????? MEDIUM?CVSS 5.9?

1.2 ??????? CVE ???????????????????¶

??	??
????	CVE-2019-0201
????	MEDIUM
CVSS ??	5.9
????	CWE-862
????	2019-05-23
????	Apache ZooKeeper

??????¶

2.1 ??????¶

apache:activemq:5.15.9
apache:drill:1.16.0
apache:zookeeper:*, >= 1.0.0, <= 3.4.13
apache:zookeeper:3.5.0
apache:zookeeper:3.5.1
apache:zookeeper:3.5.2
apache:zookeeper:3.5.3
apache:zookeeper:3.5.4

2.2 ???????¶

NVD / CISA ????????????????????????????????????????

2.3 ????????????????????????¶

????????????????????????
?????????????????????????????????????

???????????¶

3.1 ??????¶

NVD ?????An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id f...
??????????????????????????? PoC ???

3.2 ????????????????????¶

?????????????CWE-862?
NVD / CISA ???????????? diff???????????????????????????????

??????????¶

4.1 ????¶

??????????????????????????????????????????

4.2 PoC ???????¶

? CISA KEV ????????????????? KEV ????? PoC?
??????????????????????????????????????????

???????????¶

5.1 ????????¶

???????????????????????????
??????????????????????????????????????

5.2 ????????????????????????????¶

??????????????????????
???????????????????????? WAF ???
????????????????????????????

?????? / ????¶

https://nvd.nist.gov/vuln/detail/CVE-2019-0201
https://www.cve.org/CVERecord?id=CVE-2019-0201
http://www.securityfocus.com/bid/108427
https://access.redhat.com/errata/RHSA-2019:3140
https://access.redhat.com/errata/RHSA-2019:3892
https://access.redhat.com/errata/RHSA-2019:4352
https://issues.apache.org/jira/browse/ZOOKEEPER-1392
https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E

<hr />

Apache ZooKeeper ???????CVE-2021-21295?¶

??????¶

1.1 ????¶

Apache ZooKeeper ???????????? CVE-2021-21295 ??????????????????????? MEDIUM?CVSS 5.9?

1.2 ??????? CVE ???????????????????¶

??	??
????	CVE-2021-21295
????	MEDIUM
CVSS ??	5.9
????	CWE-444
????	2021-03-09
????	Apache ZooKeeper

??????¶

2.1 ??????¶

netty:netty:*, < 4.1.60
netapp:oncommand_api_services:-
netapp:oncommand_workflow_automation:-
debian:debian_linux:10.0
quarkus:quarkus:*, <= 1.13.7
apache:kudu:*, < 1.16.0
apache:zookeeper:3.5.9
oracle:communications_cloud_native_core_policy:1.14.0

2.2 ???????¶

NVD / CISA ????????????????????????????????????????

2.3 ????????????????????????¶

????????????????????????
?????????????????????????????????????

???????????¶

3.1 ??????¶

NVD ?????Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is ...
??????????????????????????? PoC ???

3.2 ????????????????????¶

?????????????CWE-444?
NVD / CISA ???????????? diff???????????????????????????????

??????????¶

4.1 ????¶

??????????????????????????????????????????

4.2 PoC ???????¶

? CISA KEV ????????????????? KEV ????? PoC?
??????????????????????????????????????????

???????????¶

5.1 ????????¶

???????????????????????????
??????????????????????????????????????

5.2 ????????????????????????????¶

??????????????????????
???????????????????????? WAF ???
????????????????????????????

?????? / ????¶

https://nvd.nist.gov/vuln/detail/CVE-2021-21295
https://www.cve.org/CVERecord?id=CVE-2021-21295
https://github.com/Netflix/zuul/pull/980
https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4
https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj
https://lists.apache.org/thread.html/r02e467123d45006a1dda20a38349e9c74c3a4b53e2e07be0939ecb3f%40%3Cdev.ranger.apache.org%3E
https://lists.apache.org/thread.html/r040a5e4d9cca2f98354b58a70b27099672276f66995c4e2e39545d0b%40%3Cissues.hbase.apache.org%3E
https://lists.apache.org/thread.html/r04a3e0d9f53421fb946c60cc54762b7151dc692eb4e39970a7579052%40%3Ccommits.servicecomb.apache.org%3E

<hr />

Apache ZooKeeper ???????CVE-2023-44981?¶

??????¶

1.1 ????¶

Apache ZooKeeper ???????????? CVE-2023-44981 ??????????????????????? CRITICAL?CVSS 9.1?

1.2 ??????? CVE ???????????????????¶

??	??
????	CVE-2023-44981
????	CRITICAL
CVSS ??	9.1
????	CWE-639
????	2023-10-11
????	Apache ZooKeeper

??????¶

2.1 ??????¶

apache:zookeeper:*, < 3.7.2
apache:zookeeper:*, >= 3.8.0, < 3.8.3
apache:zookeeper:3.9.0
debian:debian_linux:10.0
debian:debian_linux:11.0
debian:debian_linux:12.0

2.2 ???????¶

NVD / CISA ????????????????????????????????????????

2.3 ????????????????????????¶

????????????????????????
?????????????????????????????????????

???????????¶

3.1 ??????¶

NVD ?????Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. If SASL Quorum Peer authentication is enabled in ZooKeeper (quorum.auth.enableSasl=true), the authorization is done by verifying that the instance part in SASL authentication ID is listed in zoo.cfg server list. The instance part in ...
??????????????????????????? PoC ???

3.2 ????????????????????¶

?????????????CWE-639?
NVD / CISA ???????????? diff???????????????????????????????

??????????¶

4.1 ????¶

??????????????????????????????????????????

4.2 PoC ???????¶

? CISA KEV ????????????????? KEV ????? PoC?
??????????????????????????????????????????

???????????¶

5.1 ????????¶

???????????????????????????
??????????????????????????????????????

5.2 ????????????????????????????¶

??????????????????????
???????????????????????? WAF ???
????????????????????????????

?????? / ????¶

https://nvd.nist.gov/vuln/detail/CVE-2023-44981
https://www.cve.org/CVERecord?id=CVE-2023-44981
http://www.openwall.com/lists/oss-security/2023/10/11/4
https://lists.apache.org/thread/wf0yrk84dg1942z1o74kd8nycg6pgm5b
https://lists.debian.org/debian-lts-announce/2023/10/msg00029.html
https://security.netapp.com/advisory/ntap-20240621-0007/
https://www.debian.org/security/2023/dsa-5544

<hr />

Apache ZooKeeper ???????CVE-2024-23944?¶

??????¶

1.1 ????¶

Apache ZooKeeper ???????????? CVE-2024-23944 ??????????????????????? MEDIUM?CVSS 5.3?

1.2 ??????? CVE ???????????????????¶

??	??
????	CVE-2024-23944
????	MEDIUM
CVSS ??	5.3
????	CWE-862
????	2024-03-15
????	Apache ZooKeeper

??????¶

2.1 ??????¶

apache:zookeeper:*, >= 3.6.0, <= 3.7.2
apache:zookeeper:*, >= 3.8.0, < 3.8.4
apache:zookeeper:*, >= 3.9.0, < 3.9.2

2.2 ???????¶

NVD / CISA ????????????????????????????????????????

2.3 ????????????????????????¶

????????????????????????
?????????????????????????????????????

???????????¶

3.1 ??????¶

NVD ?????Information disclosure in persistent watchers handling in Apache ZooKeeper due to missing ACL check. It allows an attacker to monitor child znodes by attaching a persistent watcher (addWatch command) to a parent which the attacker has already access to. ZooKeeper server doesn't do ACL check when the persistent watch...
??????????????????????????? PoC ???

3.2 ????????????????????¶

?????????????CWE-862?
NVD / CISA ???????????? diff???????????????????????????????

??????????¶

4.1 ????¶

??????????????????????????????????????????

4.2 PoC ???????¶

? CISA KEV ????????????????? KEV ????? PoC?
??????????????????????????????????????????

???????????¶

5.1 ????????¶

???????????????????????????
??????????????????????????????????????

5.2 ????????????????????????????¶

??????????????????????
???????????????????????? WAF ???
????????????????????????????

?????? / ????¶

https://nvd.nist.gov/vuln/detail/CVE-2024-23944
https://www.cve.org/CVERecord?id=CVE-2024-23944
https://lists.apache.org/thread/96s5nqssj03rznz9hv58txdb2k1lr79k
http://www.openwall.com/lists/oss-security/2024/03/14/2