CVE-2024-23944 Overview
CVE-2024-23944 is an information disclosure vulnerability in Apache ZooKeeper's persistent watchers handling mechanism. The vulnerability stems from a missing Access Control List (ACL) check when persistent watchers are triggered, allowing an attacker with access to a parent znode to monitor child znodes they shouldn't have visibility into.
When an attacker attaches a persistent watcher using the addWatch command to a parent znode they already have access to, the ZooKeeper server fails to perform ACL validation when the watcher is triggered. As a result, the full path of znodes that trigger watch events is exposed to the watcher owner, even if they lack permission to access those child znodes directly.
Critical Impact
While this vulnerability does not expose znode data directly, the disclosed znode paths can contain sensitive information such as usernames, login IDs, or other identifying data embedded in the path structure, making this a potentially critical information disclosure issue.
Affected Products
- Apache ZooKeeper versions prior to 3.9.2
- Apache ZooKeeper versions prior to 3.8.4
Discovery Timeline
- 2024-03-15 - CVE-2024-23944 published to NVD
- 2025-07-03 - Last updated in NVD database
Technical Details for CVE-2024-23944
Vulnerability Analysis
This vulnerability (CWE-862: Missing Authorization) occurs in Apache ZooKeeper's persistent watcher implementation. ZooKeeper uses Access Control Lists (ACLs) to manage permissions for znodes, the fundamental data units in its hierarchical namespace. Persistent watchers, introduced so that a client keeps receiving notifications for a znode (and, in recursive mode, its descendants) instead of being removed after the first event, should respect these ACL boundaries.
The security flaw manifests when a user with legitimate access to a parent znode creates a persistent watcher on that node. When child znodes are created, modified, or deleted, the watcher receives event notifications containing the full path of the affected znode. The authorization check that should verify the watcher owner's access to each child znode is missing, creating an information disclosure channel.
Root Cause
The root cause of CVE-2024-23944 is the absence of ACL validation in the persistent watcher notification pathway. When watch events are triggered by changes to child znodes, the ZooKeeper server dispatches notifications to registered watchers without verifying that the watcher owner has the necessary permissions to access the child znode information. This authorization gap violates the principle of least privilege and circumvents the intended access control model.
Attack Vector
An attacker exploiting this vulnerability needs local access to the ZooKeeper ensemble and must first hold legitimate access to a parent znode in the hierarchy. The attack proceeds as follows:
- The attacker authenticates to the ZooKeeper ensemble with credentials that grant access to a parent znode
- Using the addWatch command, the attacker registers a persistent watcher on the accessible parent znode
- When other users or applications create, modify, or delete child znodes beneath the watched parent, the attacker receives watch events
- These events contain the full paths of affected child znodes, regardless of the attacker's ACL permissions on those children
- The attacker harvests sensitive information embedded in znode paths, such as usernames, session identifiers, or application-specific data
The vulnerability requires the attacker to have some level of authenticated access to the ZooKeeper system, limiting exposure compared to unauthenticated attacks.
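To make the root cause and the sequence above concrete, here is an added, constructed model of watch dispatch (it is not ZooKeeper's code, and the identities, paths and READ_ACL table are made up). The `check_child_acl=False` variant reproduces the behaviour described for CVE-2024-23944: the watcher on the shared parent receives the full path of every child that changes. The `True` variant re-checks the watcher's READ permission on the child before delivering the event, which is the check the page describes as missing.

```python
# Constructed model of how a persistent watch on a parent znode leaks child
# paths when the dispatch path skips the ACL check. It is NOT ZooKeeper's code;
# identities, paths and the READ_ACL table are made up for the example.

READ_ACL = {
    "/app": {"alice", "bob", "carol"},
    "/app/users": {"alice", "bob", "carol"},      # shared parent: everyone may read/watch it
    "/app/users/bob-login-4711": {"bob"},         # only bob may read bob's znode
    "/app/users/carol-login-9001": {"carol"},     # only carol may read carol's znode
}


def can_read(identity, path):
    """READ permission check against the modelled ACL table."""
    return identity in READ_ACL.get(path, set())


class WatchManager:
    """Registers persistent (non-recursive) watches on a parent and fires them
    for direct children. check_child_acl=False reproduces the CVE-2024-23944
    behaviour; True is the hardened form that re-checks the ACL per event."""

    def __init__(self, check_child_acl):
        self.check_child_acl = check_child_acl
        self.persistent = {}  # parent path -> set of watcher identities

    def add_watch(self, identity, parent):
        # addWatch does check the ACL of the znode being watched; that part was
        # never the problem. The gap is in trigger() below.
        if not can_read(identity, parent):
            raise PermissionError(f"{identity} may not watch {parent}")
        self.persistent.setdefault(parent, set()).add(identity)

    def trigger(self, child_path):
        """Dispatch a NodeCreated/NodeDataChanged/NodeDeleted-style event for
        child_path to every persistent watcher of its parent. Returns the
        (identity, path) pairs that were delivered."""
        parent = child_path.rsplit("/", 1)[0] or "/"
        delivered = []
        for identity in sorted(self.persistent.get(parent, ())):
            if self.check_child_acl and not can_read(identity, child_path):
                continue  # hardened: never hand out a path the watcher may not read
            delivered.append((identity, child_path))
        return delivered


def paths_seen_by(identity, check_child_acl):
    """Scenario: identity watches the shared parent, then other users' child
    znodes are touched. Returns the child paths that reached the watcher."""
    wm = WatchManager(check_child_acl)
    wm.add_watch(identity, "/app/users")
    seen = []
    for child in ("/app/users/bob-login-4711", "/app/users/carol-login-9001"):
        seen += [p for who, p in wm.trigger(child) if who == identity]
    return seen


if __name__ == "__main__":
    print("vulnerable:", paths_seen_by("alice", check_child_acl=False))
    print("hardened:  ", paths_seen_by("alice", check_child_acl=True))
```

Note that the model only fires watches for direct children; a PERSISTENT_RECURSIVE watch would also cover deeper descendants, which widens what an unchecked dispatch exposes but does not change the nature of the missing check.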
Detection Methods for CVE-2024-23944
Indicators of Compromise
- Unusual addWatch command activity on parent znodes, particularly from accounts with limited permissions
- Watch registrations on high-level znodes that contain sensitive child paths
- Patterns of persistent watcher creation followed by passive monitoring behavior
- Accounts that register watchers but rarely perform other ZooKeeper operations
Detection Strategies
- Audit ZooKeeper client connections and monitor for addWatch commands targeting sensitive namespace areas
- Review authentication logs to identify accounts with minimal permissions registering persistent watchers
- Implement alerting for watcher registrations on znodes containing user-specific or sensitive data paths
- Compare watcher registration patterns against expected application behavior
Monitoring Recommendations
- Enable detailed ZooKeeper audit logging to capture all addWatch operations with client identity information
- Monitor for anomalous watcher registration patterns that may indicate reconnaissance activity
- Establish baselines for normal watcher usage and alert on deviations
- Regularly review ACL configurations to minimize exposure of sensitive path information
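One practical way to act on the detection and monitoring points above is to periodically dump the watches the server holds and compare them against an expected-watcher policy. The following is an added example, not part of the original page or of ZooKeeper: it parses output in the shape produced by ZooKeeper's `wchp` four-letter-word command (watches grouped by path, each followed by tab-indented hex session ids; the same data is served by the AdminServer `watches_by_path` command), and flags sessions that watch a sensitive parent znode, or any ancestor of it, without being on that parent's allow-list. The sample output, the session-to-identity mapping and the policy are all constructed; `wchp` has to be enabled through `4lw.commands.whitelist` on the server before it answers.

```python
import re

# Constructed sample of the output of ZooKeeper's "wchp" four-letter-word
# command (watches grouped by path, each followed by the tab-indented hex
# session ids watching it). Every path and session id here is made up.
WCHP_SAMPLE = """\
/app/config
\t0x100012ab3cd0001
/app/users
\t0x100012ab3cd0002
\t0x100012ab3cd0003
/app/users/bob-login-4711
\t0x100012ab3cd0002
"""

# Assumed mapping from session id to authenticated client identity, as an
# operator would assemble it from connection/authentication logs (constructed).
SESSION_IDENTITY = {
    "0x100012ab3cd0001": "config-service",
    "0x100012ab3cd0002": "bob",
    "0x100012ab3cd0003": "user-directory-service",
}

# Parents whose children carry sensitive path segments, and the identities
# expected to hold watches on them (constructed policy).
SENSITIVE_PARENTS = ("/app/users",)
EXPECTED_WATCHERS = {"/app/users": {"user-directory-service"}}

_SESSION_LINE = re.compile(r"^\t(0x[0-9a-f]+)$")


def parse_wchp(text):
    """Return {path: set(session_ids)} from wchp-style output."""
    watches, current = {}, None
    for line in text.splitlines():
        m = _SESSION_LINE.match(line)
        if m and current is not None:
            watches[current].add(m.group(1))
        elif line.startswith("/"):
            current = line
            watches.setdefault(current, set())
    return watches


def suspicious_watches(watches, identities=SESSION_IDENTITY,
                       sensitive=SENSITIVE_PARENTS, expected=EXPECTED_WATCHERS):
    """List (watched_path, session, identity, sensitive_parent) for every watch
    on a sensitive parent, or on an ancestor of one (a recursive watch on "/"
    or "/app" sees the same children), held by an identity not on that
    parent's expected list. Unknown sessions are reported as "unknown"."""
    findings = []
    for path, sessions in sorted(watches.items()):
        prefix = path.rstrip("/") + "/"
        covered = [p for p in sensitive if p == path or p.startswith(prefix)]
        if not covered:
            continue
        for sid in sorted(sessions):
            who = identities.get(sid, "unknown")
            for parent in covered:
                if who not in expected.get(parent, set()):
                    findings.append((path, sid, who, parent))
    return findings


if __name__ == "__main__":
    for finding in suspicious_watches(parse_wchp(WCHP_SAMPLE)):
        print("unexpected watch:", finding)
```

Run it against a scheduled `wchp` dump and feed the findings to the alerting the page recommends; a session that watches a sensitive parent and otherwise does little is exactly the "register and passively monitor" pattern listed under indicators of compromise.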
How to Mitigate CVE-2024-23944
Immediate Actions Required
- Upgrade Apache ZooKeeper to version 3.9.2 or 3.8.4, which contain the fix for this vulnerability
- Audit existing znode paths to identify those containing sensitive information
- Review ACL configurations and restrict access to parent znodes where possible
- Consider restructuring znode hierarchies to avoid embedding sensitive data in paths
Patch Information
Apache has released patched versions that address this vulnerability. Users should upgrade to Apache ZooKeeper version 3.9.2 or 3.8.4 depending on their version branch. The fix ensures proper ACL checks are performed when persistent watcher notifications are triggered.
For detailed information about the security fix, refer to the Apache Mailing List Thread and the OpenWall OSS-Security Post.
Workarounds
- Restrict authentication and limit the number of accounts with access to parent znodes
- Redesign znode path structures to avoid including sensitive identifiers like usernames or login IDs
- Implement network-level segmentation to limit which clients can connect to ZooKeeper
- Use ZooKeeper's SASL authentication to ensure all connections are properly authenticated and auditable
- Monitor and alert on persistent watcher creation as an interim detection measure
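The two structural recommendations, auditing znode paths for embedded identifiers (Immediate Actions) and redesigning paths so they carry none (Workarounds), can be done with a small script. This is an added example, not from the page or from ZooKeeper: the sample paths, the sensitivity heuristics and the secret are constructed. The audit flags segments that look like e-mail addresses or `login-4711`/`uid=1001`-style fragments; the rewrite replaces each such segment with a keyed HMAC token so that the path alone reveals nothing even if a watch event leaks it, while the hierarchy (and therefore the ACL layout) stays the same. The mapping from token back to identity belongs in the application's own store, never in ZooKeeper.

```python
import hashlib
import hmac
import re

# Constructed examples of znode paths as an operator might dump them when
# auditing a namespace; none of these come from a real deployment.
SAMPLE_PATHS = [
    "/app/config",
    "/app/users/bob-login-4711",
    "/app/sessions/carol@example.com",
    "/app/locks/lock-0000000001",
]

# Heuristics for path segments that embed an identity: e-mail addresses and
# "<key><sep><value>" fragments such as login-4711 or uid=1001. Tune per site;
# plain directory names like "users" or "sessions" are deliberately not hit.
SENSITIVE_PATTERNS = [
    re.compile(r"^[\w.+-]+@[\w-]+(?:\.[\w-]+)+$"),
    re.compile(r"(?:^|[-_.])(?:login|uid|user|session)[-_=]\w+", re.I),
]


def is_sensitive_segment(segment):
    return any(p.search(segment) for p in SENSITIVE_PATTERNS)


def audit_paths(paths):
    """Return the paths whose segments appear to embed identifying data."""
    return [p for p in paths if any(is_sensitive_segment(s) for s in p.split("/"))]


def opaque_segment(secret, segment):
    """Keyed, deterministic replacement for an identifying segment. The secret
    stays in the application; the token-to-identity mapping is kept in the
    application's own store, not in ZooKeeper."""
    return hmac.new(secret, segment.encode(), hashlib.sha256).hexdigest()[:16]


def rewrite_path(secret, path):
    """Replace each sensitive segment so the path alone no longer reveals who
    it belongs to, keeping the hierarchy (and thus the ACL layout) intact."""
    return "/".join(opaque_segment(secret, s) if is_sensitive_segment(s) else s
                    for s in path.split("/"))


if __name__ == "__main__":
    key = b"example-only-application-secret"  # constructed; use a managed secret in practice
    for p in audit_paths(SAMPLE_PATHS):
        print(p, "->", rewrite_path(key, p))
```

Truncating the HMAC to 16 hex characters keeps znode names short; collisions are not a security concern here because the token only has to be unlinkable to the identity, and the application resolves it through its own lookup table.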
# Verify ZooKeeper version and upgrade if necessary.
# The "stat" four-letter-word command must be enabled on the server
# (4lw.commands.whitelist in zoo.cfg; since 3.5.3 only "srvr" is enabled by default).
echo "stat" | nc localhost 2181 | grep "Zookeeper version"
# Alternative that needs no network command: bin/zkServer.sh version
# If running a vulnerable version, upgrade to the patched release for your branch:
# For the 3.8.x branch: upgrade to 3.8.4
# For the 3.9.x branch: upgrade to 3.9.2
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.