Apache ZooKeeper Unauthorized Access Vulnerability
Description
Apache ZooKeeper is a distributed coordination service designed to operate within trusted network environments and to be accessed only by authenticated clients. This vulnerability occurs when ZooKeeper instances are exposed to untrusted networks (such as the public internet) without proper access controls, allowing unauthorized users to connect to the service.
ZooKeeper was not designed with internet-facing deployment in mind and lacks built-in authentication by default, making publicly accessible instances a significant security risk.
Remediation
Restrict network access to Apache ZooKeeper to trusted clients only by implementing the following controls:
1. Configure firewall rules to block external access and allow connections only from authorized application servers within your private network.
2. Bind ZooKeeper to internal network interfaces only by setting the following in zoo.cfg:
clientPortAddress=<internal-ip-address>
3. Enable SASL authentication to require client credentials. Add to zoo.cfg:
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
requireClientAuthScheme=sasl
4. Use ACLs (Access Control Lists) to restrict access to specific znodes for authenticated users only.
5. If internet access is absolutely required, place ZooKeeper behind a VPN or use SSH tunneling, and implement mutual TLS authentication.
6. Regularly audit ZooKeeper access logs and monitor for unauthorized connection attempts.