CVE-2024-51504: 
Java vulnerability analysis and mitigation

A significant authentication bypass vulnerability (CVE-2024-51504) was discovered in Apache ZooKeeper's Admin Server, specifically affecting version 3.9.0. The vulnerability was identified by security researchers 4ra1n and Y4tacker, and it impacts the IP-based authentication mechanism implemented in the ZooKeeper Admin Server (SecurityOnline, OpenWall).

The vulnerability exists in the IPAuthenticationProvider component of ZooKeeper Admin Server. The default configuration uses HTTP request headers for client IP address detection, specifically honoring the X-Forwarded-For header. This implementation is considered weak as the X-Forwarded-For header, typically used by proxy servers to identify clients, can be easily manipulated by attackers to spoof their IP address (OpenWall). The vulnerability has been assigned a CVSS v3.1 base score of 9.1 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H (NVD).

Upon successful exploitation, attackers can gain unauthorized access to critical Admin Server commands, including snapshot and restore operations. This access could potentially lead to information leakage and service availability issues, compromising the integrity of ZooKeeper's configuration and backup processes (SecurityOnline).

Users are strongly recommended to upgrade to Apache ZooKeeper version 3.9.3, which contains the fix for this vulnerability. No effective workarounds have been identified, making the upgrade the only reliable solution (ASEC).