CVE-2023-44981 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2023-44981 Interim 1 8 2025-08-06T01:25:03Z current 2023-10-12T13:44:37Z 2025-08-06T01:25:03Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2023-44981 Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. If SASL Quorum Peer authentication is enabled in ZooKeeper (quorum.auth.enableSasl=true), the authorization is done by verifying that the instance part in SASL authentication ID is listed in zoo.cfg server list. The instance part in SASL auth ID is optional and if it's missing, like 'eve@EXAMPLE.COM', the authorization check will be skipped. As a result an arbitrary endpoint could join the cluster and begin propagating counterfeit changes to the leader, essentially giving it complete read-write access to the data tree. Quorum Peer authentication is not enabled by default. Users are recommended to upgrade to version 3.9.1, 3.8.3, 3.7.2, which fixes the issue. Alternately ensure the ensemble election/quorum communication is protected by a firewall as this will mitigate the issue. See the documentation for more details on correct cluster administration. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings HPE Helion OpenStack 8 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud Crowbar 9 zookeeper zookeeper-server zookeeper-server as a component of HPE Helion OpenStack 8 zookeeper as a component of HPE Helion OpenStack 8 zookeeper-server as a component of SUSE OpenStack Cloud 8 zookeeper as a component of SUSE OpenStack Cloud 8 zookeeper-server as a component of SUSE OpenStack Cloud 9 zookeeper as a component of SUSE OpenStack Cloud 9 zookeeper-server as a component of SUSE OpenStack Cloud Crowbar 8 zookeeper as a component of SUSE OpenStack Cloud Crowbar 8 zookeeper-server as a component of SUSE OpenStack Cloud Crowbar 9 zookeeper as a component of SUSE OpenStack Cloud Crowbar 9 Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. If SASL Quorum Peer authentication is enabled in ZooKeeper (quorum.auth.enableSasl=true), the authorization is done by verifying that the instance part in SASL authentication ID is listed in zoo.cfg server list. The instance part in SASL auth ID is optional and if it's missing, like 'eve@EXAMPLE.COM', the authorization check will be skipped. As a result an arbitrary endpoint could join the cluster and begin propagating counterfeit changes to the leader, essentially giving it complete read-write access to the data tree. Quorum Peer authentication is not enabled by default. Users are recommended to upgrade to version 3.9.1, 3.8.3, 3.7.2, which fixes the issue. Alternately ensure the ensemble election/quorum communication is protected by a firewall as this will mitigate the issue. See the documentation for more details on correct cluster administration. CVE-2023-44981 HPE Helion OpenStack 8:zookeeper HPE Helion OpenStack 8:zookeeper-server SUSE OpenStack Cloud 8:zookeeper SUSE OpenStack Cloud 8:zookeeper-server SUSE OpenStack Cloud 9:zookeeper SUSE OpenStack Cloud 9:zookeeper-server SUSE OpenStack Cloud Crowbar 8:zookeeper SUSE OpenStack Cloud Crowbar 8:zookeeper-server SUSE OpenStack Cloud Crowbar 9:zookeeper SUSE OpenStack Cloud Crowbar 9:zookeeper-server moderate 6.5 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N