zhangpeng created ZOOKEEPER-4977:
------------------------------------

             Summary: superDigest configuration found in embedded pom.xml within zookeeper-3.9.3.jar
                 Key: ZOOKEEPER-4977
                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4977
             Project: ZooKeeper
          Issue Type: Bug
          Components: security
    Affects Versions: 3.9.3
            Reporter: zhangpeng
{{superDigest}} configuration found in embedded {{pom.xml}} within zookeeper-3.9.3.jar:

{{<zookeeper.DigestAuthenticationProvider.superDigest>super:D/InIHSb7yEEbrWz8b9l71RjZJU=</zookeeper.DigestAuthenticationProvider.superDigest>}}

*Environment:*
* ZooKeeper Version: 3.9.3 (the official binary distribution from Maven Central)
* JDK Version: N/A (discovered during static analysis of the JAR file)
* OS: N/A

*Problem Description:*
During a routine security audit of our application dependencies, we discovered that the {{zookeeper-3.9.3.jar}} file contains its own {{pom.xml}} file at the path {{META-INF/maven/org.apache.zookeeper/zookeeper/pom.xml}}. This embedded {{pom.xml}} file includes a property configuration for {{zookeeper.DigestAuthenticationProvider.superDigest}} with a pre-defined hash value.

*Steps to Reproduce:*
# Download the official {{org.apache.zookeeper:zookeeper:3.9.3}} JAR from Maven Central.
# Extract the JAR file or use a tool ({{jar -tf}}, {{unzip -l}}, IDE) to list its contents.
# Locate the file {{META-INF/maven/org.apache.zookeeper/zookeeper/pom.xml}} inside the JAR.
# Inspect the content of this {{pom.xml}} file. On line 283 (or nearby), you will find:
{{<zookeeper.DigestAuthenticationProvider.superDigest>super:D/InIHSb7yEEbrWz8b9l71RjZJU=</zookeeper.DigestAuthenticationProvider.superDigest>}}

*Expected Behavior:*
The published binary JAR artifacts should not contain any residual or testing configuration files that include sensitive properties, especially those related to security authentication like the superuser digest. The build/packaging process should strip such elements from the final release artifact.

*Actual Behavior:*
The released {{zookeeper-3.9.3.jar}} contains an embedded {{pom.xml}} which includes a configured {{superDigest}} property. While this is a hash and not a plaintext password, its presence in a widely distributed binary is a potential security risk.
*Potential Risk:*
# *Information Disclosure:* This exposes a known credential hash, which violates the principle of least surprise and could be used in conjunction with other vulnerabilities (e.g., CVE-2014-085 - information disclosure in logs).
# *Increased Attack Surface:* If an attacker gains access to the JAR file (e.g., through a deployment leak), they can extract this hash. Although SHA-1 hashing is used, it could potentially be targeted for brute-force attacks if the original password was weak, potentially granting superuser access to a ZooKeeper ensemble.
# *Bad Practice:* The presence of this configuration, even if not activated by default, sets a poor security precedent for users who might find it and mistakenly use it without generating a new secure digest.

!image-2025-09-15-16-00-33-152.png!

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
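The reproduction steps and the brute-force concern above can be turned into a reusable audit check. The following is an added example, not code from the ZooKeeper project or from the reporter: it scans every {{pom.xml}} inside a JAR for the {{zookeeper.DigestAuthenticationProvider.superDigest}} property, checks that the value has the {{user:base64(sha1)}} shape that {{DigestAuthenticationProvider.generateDigest}} produces (SHA-1 over the bytes of {{user:password}}, base64-encoded, prefixed with the user name), and tries a candidate password list against it. The JAR it inspects is constructed in memory, and the digest placed in it is generated from a made-up password ({{s3cret}}); to scan a real artifact, pass the bytes of the downloaded JAR to {{find_super_digests}} instead.

```python
"""Audit a JAR for a ZooKeeper superDigest property leaked via an embedded pom.xml.

Added example (not ZooKeeper project code). The JAR and the password below are
constructed for the demonstration.
"""
import base64
import hashlib
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

SUPER_DIGEST_PROPERTY = "zookeeper.DigestAuthenticationProvider.superDigest"
EMBEDDED_POM = "META-INF/maven/org.apache.zookeeper/zookeeper/pom.xml"


def generate_digest(user: str, password: str) -> str:
    """Same construction as DigestAuthenticationProvider.generateDigest("user:password"):
    SHA-1 over the "user:password" bytes, base64-encoded, prefixed with "user:"."""
    raw = f"{user}:{password}".encode()
    return f"{user}:{base64.b64encode(hashlib.sha1(raw).digest()).decode()}"


def build_sample_jar(digest: str) -> bytes:
    """Construct an in-memory JAR whose embedded pom.xml carries the given digest
    in its <properties>, mimicking the layout described in the report."""
    pom = f"""<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>org.apache.zookeeper</groupId>
  <artifactId>zookeeper</artifactId>
  <properties>
    <{SUPER_DIGEST_PROPERTY}>{digest}</{SUPER_DIGEST_PROPERTY}>
  </properties>
</project>
"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(EMBEDDED_POM, pom)
        jar.writestr("org/apache/zookeeper/Dummy.class", b"\xca\xfe\xba\xbe")  # placeholder entry
    return buf.getvalue()


def find_super_digests(jar_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (entry path, digest value) for every superDigest property found in
    any pom.xml inside the JAR. Namespaces are stripped so the POM xmlns does not
    hide the element."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith("pom.xml"):
                continue
            root = ET.fromstring(jar.read(name))
            for elem in root.iter():
                local = elem.tag.rsplit("}", 1)[-1]
                if local == SUPER_DIGEST_PROPERTY and elem.text:
                    found.append((name, elem.text.strip()))
    return found


def is_wellformed_digest(digest: str) -> bool:
    """True if the value is "user:<base64 of 20 bytes>", i.e. a SHA-1 digest of the
    form the provider expects; anything else would be rejected at auth time."""
    user, _, b64 = digest.partition(":")
    try:
        return bool(user) and len(base64.b64decode(b64, validate=True)) == 20
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def crack_digest(digest: str, candidates: List[str]) -> Optional[str]:
    """Offline guess of the password behind a leaked digest: recompute the digest
    for each candidate and compare. Fast because unsalted SHA-1 is used."""
    user = digest.partition(":")[0]
    for pw in candidates:
        if generate_digest(user, pw) == digest:
            return pw
    return None


if __name__ == "__main__":
    jar = build_sample_jar(generate_digest("super", "s3cret"))  # constructed password
    for path, digest in find_super_digests(jar):
        print(f"{path}: {digest}")
        print("  well-formed SHA-1 digest:", is_wellformed_digest(digest))
        print("  password guess:", crack_digest(digest, ["admin", "zookeeper", "s3cret"]))
```

The scan deliberately walks every {{pom.xml}} entry rather than only the expected path, since shaded or relocated JARs can carry several embedded POMs. Any hit should be treated as a finding regardless of whether the guess succeeds: a digest that cannot be guessed from a wordlist is still a fixed, publicly known superuser credential if an operator ever copies the value into a live configuration.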