Cisco has disclosed a bug in Exhibitor, a popular open source package for the Apache Zookeeper server for distributed applications in the cloud.
Exhibitor is an open source program developed by Netflix to help deal with ephemeral cloud instances within Zookeeper, which wasn’t built to handle cases where hosts don’t know the hostnames of other hosts within an ‘ensemble’ of container engines.
As Google Cloud explains, Exhibitor is “a supervisor process that coordinates the configuration and execution of Zookeeper processes across many hosts”, which gives Zookeeper users backup and restore capabilities and provides a GUI for Zookeeper nodes among other things.
About three months ago Cisco researchers discovered a fairly serious security issue in the Exhibitor’s web UI component, which lacks any form of authentication, leaving it exposed to an exploitable command injection vulnerability.
Cisco disclosed details about the flaw because its report about the flaw was not addressed within its 90 day disclosure policy.
The bug appears not to have been addressed because the former Netflix platform engineer who created Exhibitor, Jordan Zimmerman, abandoned the software in September 2016. Zimmerman was explaining to distributed system developers what Exhibitor was in 2012.
Exactly how widely the software is still used isn’t known, but Zimmerman guessed that “Exhibitor will just die” if there was no interest among developers to maintain it after he stopped working on it.
Google posted blog “Taming the herd: using Zookeeper and Exhibitor on Google Container Engine” a few months before Zimmerman announced he would no longer maintain the software.
The other major issue is that prior to version 1.7.0, the Exhibitor supervisor “did not have any way to specify which interfaces to listen on,” according to Cisco.
“Exposing Exhibitor is dangerous for the ZooKeeper ensemble because Exhibitor allows the changing of the ZooKeeper configuration, and also provides a UI for viewing and modifying keys and values stored in ZooKeeper. This could eventually allow an attacker to manipulate Exhibitor when launching ZooKeeper,” explains Cisco Talos Intelligence researcher Jon Munshaw.
The command injection flaw is present in Config editor of the Exhibitor Web UI versions 1.0.9 to 1.7.1, according to Munshaw.
Given the slim chances of a fix being created, anyone still using Exhibitor should probably remove the software as soon as possible.