High severity 7.5 · NVD Advisory · Published Oct 10, 2017 · Updated May 13, 2026
CVE-2017-5637
Description
Two four-letter-word commands, "wchp" and "wchc", are CPU intensive and can cause a spike in CPU utilization on an Apache ZooKeeper server if abused, leaving the server unable to serve legitimate client requests. Apache ZooKeeper through versions 3.4.9 and 3.5.2 is affected; the issue is fixed in 3.4.10, 3.5.3, and later.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.zookeeper:zookeeper (Maven) | >= 3.4.0, < 3.4.10 | 3.4.10 |
| org.apache.zookeeper:zookeeper (Maven) | >= 3.5.0, < 3.5.3 | 3.5.3 |
Affected products
- cpe:2.3:a:apache:zookeeper:3.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:zookeeper:3.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:zookeeper:3.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:zookeeper:3.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:zookeeper:3.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:zookeeper:3.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:zookeeper:3.4.6:*:*:*:*:*:*:*
- cpe:2.3:a:apache:zookeeper:3.4.7:*:*:*:*:*:*:*
- cpe:2.3:a:apache:zookeeper:3.4.8:*:*:*:*:*:*:*
- cpe:2.3:a:apache:zookeeper:3.4.9:*:*:*:*:*:*:*
- cpe:2.3:a:apache:zookeeper:3.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:zookeeper:3.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:zookeeper:3.5.2:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- Apache Software Foundation/Apache ZooKeeper · v5 · Range: 3.4.0 to 3.4.9
Patches
No patches discovered yet.
References
- www.debian.org/security/2017/dsa-3871 · nvd · Third Party Advisory · WEB
- www.securityfocus.com/bid/98814 · nvd · Third Party Advisory · VDB Entry · WEB
- github.com/advisories/GHSA-7cwj-j333-x7f7 · ghsa · ADVISORY
- issues.apache.org/jira/browse/ZOOKEEPER-2693 · nvd · Issue Tracking · Mitigation · Vendor Advisory · WEB
- nvd.nist.gov/vuln/detail/CVE-2017-5637 · ghsa · ADVISORY
- access.redhat.com/errata/RHSA-2017:2477 · nvd · WEB
- access.redhat.com/errata/RHSA-2017:3354 · nvd · WEB
- access.redhat.com/errata/RHSA-2017:3355 · nvd · WEB
- lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E · ghsa · WEB
- lists.apache.org/thread.html/58170aeb7a681d462b7fa31cae81110cbb749d2dc83c5736a0bb8370@%3Cdev.zookeeper.apache.org%3E · ghsa · WEB
- lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E · ghsa · WEB
- lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E · ghsa · WEB
- www.oracle.com//security-alerts/cpujul2021.html · nvd · WEB
- www.oracle.com/security-alerts/cpujul2020.html · nvd · WEB
- lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E · nvd
- lists.apache.org/thread.html/58170aeb7a681d462b7fa31cae81110cbb749d2dc83c5736a0bb8370%40%3Cdev.zookeeper.apache.org%3E · nvd
- lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E · nvd
- lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E · nvd