CVE-2023-44981 Overview
CVE-2023-44981 is an authorization bypass vulnerability in Apache ZooKeeper's SASL Quorum Peer authentication mechanism. When quorum.auth.enableSasl=true is configured, the server performs authorization by matching the instance portion of the SASL authentication ID against the entries listed in zoo.cfg. Because the instance portion is optional, an authentication identity formatted as eve@EXAMPLE.COM causes the authorization check to be skipped entirely. An attacker can join the ensemble as a quorum peer and propagate forged changes to the leader, obtaining full read-write access to the data tree. Quorum Peer authentication is not enabled by default, which reduces the exposed population.
Critical Impact
An unauthenticated network attacker can join a ZooKeeper quorum and gain complete read-write control over the cluster data tree.
Affected Products
- Apache ZooKeeper versions prior to 3.7.2
- Apache ZooKeeper 3.8.x prior to 3.8.3, and Apache ZooKeeper 3.9.0
- Debian Linux 10, 11, and 12 distributions shipping affected ZooKeeper packages
Discovery Timeline
- 2023-10-11 - CVE-2023-44981 published to NVD
- 2025-04-23 - Last updated in NVD database
Technical Details for CVE-2023-44981
Vulnerability Analysis
Apache ZooKeeper coordinates distributed systems through an ensemble of quorum peers that elect a leader and replicate state. To prevent rogue nodes from joining the ensemble, ZooKeeper supports Simple Authentication and Security Layer (SASL) authentication between quorum peers. The authorization step compares the SASL identity against the configured server list in zoo.cfg.
The flaw, classified under CWE-639, resides in how ZooKeeper parses SASL authentication IDs. A SASL identity typically follows the Kerberos pattern primary/instance@REALM, where the instance component is optional. When the instance component is absent, the code path skips the membership check rather than rejecting the identity. An attacker who can reach the quorum communication port can present an arbitrary principal such as eve@EXAMPLE.COM and successfully join as a peer.
Once admitted, the rogue peer participates in leader election and state replication. It can submit znode writes that the legitimate leader accepts and propagates to clients, undermining the integrity guarantees that distributed services such as Kafka, HBase, and SolrCloud rely on.
Root Cause
The root cause is an authorization logic error in the quorum peer SASL handler. The code treats a missing instance component as a non-error condition and bypasses the server list lookup. The check should fail closed and reject any identity that cannot be unambiguously mapped to a configured ensemble member.
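The following is an added illustrative model of the authorization step described above, written for this page rather than taken from ZooKeeper's source; the function structure, the ENSEMBLE_HOSTS set and the principal names are assumptions. It places the pre-fix behaviour (a missing instance component short-circuits to "authorized") next to the fail-closed version the root-cause analysis calls for.

```python
import re
from typing import Optional, Set, Tuple

# Kerberos-style SASL authorization ID: primary[/instance]@REALM.
# Illustrative model of the check, not ZooKeeper's own SaslQuorumAuthServer
# code; the structure is an assumption made for this example.
PRINCIPAL_RE = re.compile(
    r"^(?P<primary>[^/@]+)(?:/(?P<instance>[^@]+))?@(?P<realm>[^@]+)$"
)

# Constructed stand-in for the host part of the server.N entries in zoo.cfg.
ENSEMBLE_HOSTS: Set[str] = {"zk1.example.com", "zk2.example.com", "zk3.example.com"}


def parse_principal(authz_id: str) -> Optional[Tuple[str, Optional[str], str]]:
    """Split an authorization ID into (primary, instance or None, realm)."""
    m = PRINCIPAL_RE.match(authz_id)
    if m is None:
        return None
    return m.group("primary"), m.group("instance"), m.group("realm")


def authorize_vulnerable(authz_id: str, hosts: Set[str]) -> bool:
    """Pre-fix behaviour: an absent instance is treated as 'nothing to match'."""
    parsed = parse_principal(authz_id)
    if parsed is None:
        return False
    _, instance, _ = parsed
    if instance is None:
        return True  # bug: the ensemble membership lookup is skipped entirely
    return instance in hosts


def authorize_fixed(authz_id: str, hosts: Set[str]) -> bool:
    """Fail-closed: only an identity that maps to a configured member passes."""
    parsed = parse_principal(authz_id)
    if parsed is None:
        return False
    _, instance, _ = parsed
    if instance is None:
        return False  # reject identities that cannot be mapped to a member
    return instance in hosts


if __name__ == "__main__":
    for authz_id in ("zookeeper/zk2.example.com@EXAMPLE.COM",
                     "eve@EXAMPLE.COM",
                     "zookeeper/rogue.example.com@EXAMPLE.COM"):
        print(f"{authz_id:45} vulnerable={authorize_vulnerable(authz_id, ENSEMBLE_HOSTS)} "
              f"fixed={authorize_fixed(authz_id, ENSEMBLE_HOSTS)}")
```

The only difference between the two functions is the branch taken when the instance is absent; a membership check that has nothing to compare must reject rather than accept.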
Attack Vector
Exploitation requires network access to the quorum election and communication ports, typically 2888 and 3888. The attacker must know that SASL Quorum Peer authentication is enabled and supply a valid Kerberos ticket for any principal within the trusted realm. No prior privileges within the cluster, no user interaction, and no local access are required. Confidentiality and integrity are both at high risk because the attacker reads and modifies the entire data tree.
No verified public proof-of-concept code is available. The vulnerability mechanism is described in the Apache Thread Discussion and the OpenWall OSS Security Post.
Detection Methods for CVE-2023-44981
Indicators of Compromise
- Unexpected quorum peer join events in ZooKeeper transaction logs referencing principals without an instance component.
- New or unrecognized IP addresses establishing sessions on quorum ports 2888 and 3888.
- Unexplained leader election cycles or epoch increments not correlated with planned operations.
- Znode modifications attributed to peers that are not part of the documented ensemble inventory.
Detection Strategies
- Audit ZooKeeper authentication logs for SASL identities missing the /instance segment.
- Correlate quorum membership changes with change management records to surface unauthorized peers.
- Run version inventory queries to identify Apache ZooKeeper instances older than 3.7.2, 3.8.3, or 3.9.1.
- Monitor for outbound connections from non-ensemble hosts to quorum ports as a signal of attempted peer registration.
Monitoring Recommendations
- Forward ZooKeeper server logs and audit logs to a centralized logging platform for retention and search.
- Alert on first-seen source IP addresses connecting to ports 2888 and 3888.
- Track ensemble configuration drift against an approved baseline of server entries in zoo.cfg.
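As an added example covering the detection strategies and monitoring recommendations above (not code from the page or from the ZooKeeper project), the script below audits peer authentication log lines for principals missing the instance segment or naming a host outside the ensemble, flags first-seen source addresses, and reports drift between an approved zoo.cfg baseline and a current copy. The log line layout (principal=... src=...), the hostnames and the addresses are constructed for this example; the regex must be adapted to the real log format in use.

```python
import re
from typing import List, Set, Tuple

# Constructed sample log lines. The field layout is an assumption for this
# example; hostnames and addresses are placeholders.
SAMPLE_LOG = """\
2023-10-12 09:58:41 INFO peer auth ok principal=zookeeper/zk2.example.com@EXAMPLE.COM src=10.0.0.12
2023-10-12 09:58:42 INFO peer auth ok principal=zookeeper/zk3.example.com@EXAMPLE.COM src=10.0.0.13
2023-10-12 10:03:07 INFO peer auth ok principal=eve@EXAMPLE.COM src=10.0.9.77
2023-10-12 10:03:09 INFO peer auth ok principal=zookeeper/rogue.example.com@EXAMPLE.COM src=10.0.9.77
"""

# Constructed zoo.cfg baseline and a later snapshot with one extra server entry.
BASELINE_CFG = """\
server.1=zk1.example.com:2888:3888
server.2=zk2.example.com:2888:3888
server.3=zk3.example.com:2888:3888
"""
CURRENT_CFG = BASELINE_CFG + "server.4=rogue.example.com:2888:3888\n"

LINE_RE = re.compile(r"principal=(?P<principal>\S+)\s+src=(?P<src>\S+)")
PRINCIPAL_RE = re.compile(r"^[^/@]+(?:/(?P<instance>[^@]+))?@[^@]+$")


def ensemble_hosts(zoo_cfg: str) -> Set[str]:
    """Host part of every server.N=host:port:port[...] entry in a zoo.cfg."""
    hosts = set()
    for line in zoo_cfg.splitlines():
        line = line.strip()
        if line.startswith("server.") and "=" in line:
            hosts.add(line.split("=", 1)[1].split(":", 1)[0])
    return hosts


def audit_peer_auth(log_text: str, hosts: Set[str],
                    known_ips: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (principal, source_ip, reason) findings for suspicious peer joins."""
    findings = []
    seen = set(known_ips)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue
        principal, src = m.group("principal"), m.group("src")
        pm = PRINCIPAL_RE.match(principal)
        if pm is None:
            findings.append((principal, src, "unparseable-principal"))
        elif pm.group("instance") is None:
            # the identity shape that bypasses the pre-fix membership check
            findings.append((principal, src, "missing-instance"))
        elif pm.group("instance") not in hosts:
            findings.append((principal, src, "instance-not-in-ensemble"))
        if src not in seen:
            seen.add(src)
            findings.append((principal, src, "first-seen-source-ip"))
    return findings


def config_drift(baseline_cfg: str, current_cfg: str) -> Tuple[List[str], List[str]]:
    """(added, removed) server hosts in the current config relative to the baseline."""
    base, cur = ensemble_hosts(baseline_cfg), ensemble_hosts(current_cfg)
    return sorted(cur - base), sorted(base - cur)


if __name__ == "__main__":
    hosts = ensemble_hosts(BASELINE_CFG)
    for finding in audit_peer_auth(SAMPLE_LOG, hosts, {"10.0.0.11", "10.0.0.12", "10.0.0.13"}):
        print("ALERT", *finding)
    print("drift (added, removed):", config_drift(BASELINE_CFG, CURRENT_CFG))
```

The known-IP set should be the ensemble's own addresses; anything else authenticating on the quorum ports is worth a ticket even when the principal looks well formed, since a legitimate principal naming an unlisted host is the other way a peer can be out of inventory.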
How to Mitigate CVE-2023-44981
Immediate Actions Required
- Upgrade Apache ZooKeeper to version 3.9.1, 3.8.3, or 3.7.2 as appropriate for your branch.
- Apply Debian package updates referenced in Debian Security Advisory DSA-5544 and the Debian LTS Announcement.
- Restrict quorum communication ports to ensemble members only using host or network firewalls.
- Review Kerberos principal naming conventions and ensure every authorized peer uses an instance component.
Patch Information
The Apache ZooKeeper project released fixed versions 3.7.2, 3.8.3, and 3.9.1 that enforce the instance component check during quorum peer authorization. NetApp products bundling ZooKeeper received corresponding updates documented in the NetApp Security Advisory.
Workarounds
- Place the ZooKeeper ensemble behind a firewall that permits quorum traffic only between known ensemble member IP addresses.
- Disable SASL Quorum Peer authentication and rely on network segmentation if patching is not immediately possible, since quorum.auth.enableSasl is not enabled by default.
- Use mutual TLS for quorum communication as an additional control layer where supported.
# Restrict ZooKeeper quorum ports to ensemble members using iptables
# Repeat the two ACCEPT lines once per ensemble member. The ACCEPT rules must
# precede the DROP rules, so append them first (or insert the DROP rules last).
iptables -A INPUT -p tcp --dport 2888 -s <ensemble_member_ip> -j ACCEPT
iptables -A INPUT -p tcp --dport 3888 -s <ensemble_member_ip> -j ACCEPT
# Drop quorum traffic from every other source
iptables -A INPUT -p tcp --dport 2888 -j DROP
iptables -A INPUT -p tcp --dport 3888 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.