Bug#1116339: zookeeper: CVE-2025-58457
Salvatore Bonaccorso
carnil at debian.org
Thu Sep 25 20:09:31 BST 2025
Source: zookeeper
Version: 3.9.3-2
Severity: important
Tags: security upstream
Forwarded: https://issues.apache.org/jira/browse/ZOOKEEPER-4964
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Control: found -1 3.9.3-1
Hi,
The following vulnerability was published for zookeeper.
CVE-2025-58457[0]:
| Improper permission check in ZooKeeper AdminServer lets authorized
| clients run snapshot and restore command with insufficient
| permissions. This issue affects Apache ZooKeeper: from 3.9.0 before
| 3.9.4. Users are recommended to upgrade to version 3.9.4, which
| fixes the issue. The issue can be mitigated by disabling both
| commands (via admin.snapshot.enabled and admin.restore.enabled),
| disabling the whole AdminServer interface (via admin.enableServer),
| or ensuring that the root ACL does not provide open permissions.
| (Note that ZooKeeper ACLs are not recursive, so this does not impact
| operations on child nodes besides notifications from recursive
| watches.)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-58457
https://www.cve.org/CVERecord?id=CVE-2025-58457
[1] https://issues.apache.org/jira/browse/ZOOKEEPER-4964
[2] https://lists.apache.org/thread/r5yol0kkhx2fzw22pxk1ozwm3oc6yxrx
Regards,
Salvatore
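As an added defender-side check (not part of this bug report or the ZooKeeper project), the following Python script parses a zoo.cfg and reports whether the configuration mitigations named in the advisory are in place for an affected version. The parsing rules, the sample configs and the verdict strings are this example's own assumptions, and the root-ACL mitigation can only be verified against the live ensemble, not from zoo.cfg.

```python
"""Check a zoo.cfg for the CVE-2025-58457 configuration mitigations.

Added example, not ZooKeeper project code. Assumes zoo.cfg uses key=value
lines with full-line '#'/'!' comments (Java properties style). An absent
key counts as "mitigation not explicitly applied"; server defaults are not
consulted, and the root-ACL mitigation cannot be judged from zoo.cfg.
"""
import re

AFFECTED_MIN = (3, 9, 0)  # advisory: affects 3.9.0 up to, not including, 3.9.4
FIXED = (3, 9, 4)

def is_affected_version(text):
    """'3.9.3' or Debian-style '3.9.3-2' -> compared as (3, 9, 3)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return AFFECTED_MIN <= tuple(int(x) for x in m.groups()) < FIXED

def parse_zoo_cfg(text):
    """Minimal properties parser: later duplicate keys override earlier."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg

def _disabled(cfg, key):
    return cfg.get(key, "").lower() == "false"

def config_mitigated(cfg_text):
    """True if AdminServer is off, or both snapshot and restore commands are off."""
    cfg = parse_zoo_cfg(cfg_text)
    if _disabled(cfg, "admin.enableServer"):
        return True
    return _disabled(cfg, "admin.snapshot.enabled") and _disabled(cfg, "admin.restore.enabled")

def assess(cfg_text, version):
    """Verdict: 'not-affected-version', 'mitigated-by-config' or 'exposed'."""
    if not is_affected_version(version):
        return "not-affected-version"
    return "mitigated-by-config" if config_mitigated(cfg_text) else "exposed"

# Constructed sample configs (not taken from any real deployment).
WEAK_CFG = "tickTime=2000\ndataDir=/var/lib/zookeeper\nclientPort=2181\n"
HARDENED_CFG = WEAK_CFG + ("# CVE-2025-58457 mitigation: disable both commands\n"
                           "admin.snapshot.enabled=false\nadmin.restore.enabled=false\n")
```

Running `assess(WEAK_CFG, "3.9.3-2")` yields `exposed`, while the hardened config yields `mitigated-by-config` and any 3.9.4 or later version yields `not-affected-version`.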