CVE-2023-44981
Java vulnerability analysis and mitigation

Overview

An Authorization Bypass Through User-Controlled Key vulnerability was discovered in Apache ZooKeeper and assigned CVE-2023-44981. It affects Apache ZooKeeper 3.9.0, 3.8.0 through 3.8.2, 3.7.0 through 3.7.1, and all versions before 3.7.0. The issue was discovered and disclosed on October 11, 2023, by Damien Diederen (OSS Security).

Technical details

The vulnerability occurs when SASL quorum peer authentication is enabled in ZooKeeper (quorum.auth.enableSasl=true). During authorization, ZooKeeper checks that the instance part of the SASL authentication ID (the host component of a Kerberos-style principal of the form primary/instance@REALM) appears in the server list in zoo.cfg. The instance part of a SASL auth ID is optional, however, and when it is absent (as in 'eve@EXAMPLE.COM') the authorization check is bypassed entirely. The vulnerability has a CVSS v3.1 base score of 9.1 (CRITICAL) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (NVD Database).
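The following Python model illustrates the authorization logic described above. It is an added example, not ZooKeeper's own code: it parses a SASL auth ID of the form primary[/instance]@REALM, collects host names from the server.N lines of a constructed zoo.cfg, and contrasts a check that passes when the instance part is missing (the CVE-2023-44981 behaviour) with a fail-closed check that rejects it. Host names and principal names are hypothetical.

```python
"""Model of the quorum-peer authorization check behind CVE-2023-44981.

Added illustration, not ZooKeeper source. A SASL/Kerberos principal looks like
primary[/instance]@REALM; ZooKeeper authorizes a quorum peer by checking that
the instance part (the peer's host name) is listed in zoo.cfg. Because the
instance part is optional, a principal without one must be rejected explicitly.
"""
from typing import NamedTuple, Optional, Set


class Principal(NamedTuple):
    primary: str
    instance: Optional[str]   # None when the principal has no '/instance' part
    realm: str


def parse_principal(auth_id: str) -> Principal:
    """Split 'primary[/instance]@REALM' into its three parts."""
    name, sep, realm = auth_id.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"malformed principal: {auth_id!r}")
    primary, sep, instance = name.partition("/")
    return Principal(primary, instance if sep else None, realm)


def parse_server_hosts(zoo_cfg: str) -> Set[str]:
    """Collect host names from 'server.N=host:port:port' lines of zoo.cfg."""
    hosts: Set[str] = set()
    for line in zoo_cfg.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().startswith("server."):
            hosts.add(value.split(":", 1)[0].strip())
    return hosts


def vulnerable_is_authorized(auth_id: str, allowed_hosts: Set[str]) -> bool:
    """Flawed check: the host list is only consulted when an instance part is
    present, so a principal without one (e.g. 'eve@EXAMPLE.COM') passes."""
    p = parse_principal(auth_id)
    if p.instance is None:
        return True          # the bug: nothing to compare, so it is accepted
    return p.instance in allowed_hosts


def hardened_is_authorized(auth_id: str, allowed_hosts: Set[str]) -> bool:
    """Fail-closed check: a missing or unlisted instance part is rejected."""
    p = parse_principal(auth_id)
    return p.instance is not None and p.instance in allowed_hosts


# Constructed sample configuration with hypothetical ensemble host names.
SAMPLE_ZOO_CFG = """\
tickTime=2000
quorum.auth.enableSasl=true
server.1=zk1.example.com:2888:3888
server.2=zk2.example.com:2888:3888
server.3=zk3.example.com:2888:3888
"""

if __name__ == "__main__":
    hosts = parse_server_hosts(SAMPLE_ZOO_CFG)
    for auth_id in ("zkquorum/zk2.example.com@EXAMPLE.COM",
                    "zkquorum/rogue.example.com@EXAMPLE.COM",
                    "eve@EXAMPLE.COM"):
        print(f"{auth_id:45} vulnerable={vulnerable_is_authorized(auth_id, hosts)} "
              f"hardened={hardened_is_authorized(auth_id, hosts)}")
```

Running the script shows the listed host accepted by both checks, the unlisted host rejected by both, and the instance-less principal accepted only by the flawed check, which is the gap the fixed releases close.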

Impact

When successfully exploited, an arbitrary endpoint can join the cluster as a quorum peer and begin propagating counterfeit changes to the leader, effectively gaining full read-write access to the data tree. This can lead to unauthorized access to, and manipulation of, sensitive data held in the ZooKeeper cluster (OSS Security).

Mitigation and workarounds

Users are recommended to upgrade to version 3.9.1, 3.8.3, or 3.7.2, which fix the issue. As an alternative mitigation, the ensemble's election and quorum communication can be protected by a firewall so that only ensemble members can reach it, which prevents unauthorized peers from joining the cluster (OSS Security, Debian Security).

Community reactions

Multiple vendors have responded to this vulnerability by releasing security updates. Debian released security advisory DSA-5544-1 to address this vulnerability in their distributions. Red Hat has included fixes for this vulnerability in their AMQ Streams 2.6.0 release (Debian Security, Red Hat Advisory).

This report was generated using AI.
