CVE-2018-8012
Description
No authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper before 3.4.10, and 3.5.0-alpha through 3.5.3-beta. As a result an arbitrary end point could join the cluster and begin propagating counterfeit changes to the leader.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authentication in ZooKeeper quorum joining allows unauthenticated endpoints to join and propagate counterfeit changes.
Vulnerability
Apache ZooKeeper before version 3.4.10, and versions 3.5.0-alpha through 3.5.3-beta, do not enforce authentication or authorization when a server attempts to join a quorum. This allows an arbitrary endpoint to join the cluster by simply connecting to the quorum port [1].
Exploitation
An attacker with network access to the ZooKeeper ensemble can initiate a quorum join request. No prior authentication, credentials, or special privileges are required. The attacker sends a crafted join request to become part of the quorum [1].
Impact
Once joined, the attacker can propagate counterfeit changes to the leader, potentially corrupting the cluster state, causing data inconsistencies, or leading to a denial of service. This can compromise the integrity and availability of the ZooKeeper service [1].
Mitigation
Upgrade to ZooKeeper 3.4.10 or later, or 3.5.3-beta or later. If an immediate upgrade is not possible, restrict network access to the quorum ports (default 2888 and 3888) using firewalls to limit exposure to trusted networks only [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.zookeeper:zookeeper (Maven) | < 3.4.10 | 3.4.10 |
| org.apache.zookeeper:zookeeper (Maven) | >= 3.5.0-alpha, < 3.5.4-beta | 3.5.4-beta |
Affected products
- Apache Software Foundation / Apache ZooKeeper: Apache ZooKeeper prior to 3.4.10, Apache ZooKeeper 3.5.0-alpha through 3.5.3-beta
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-ccqf-c5hq-77mp (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-8012 (NVD entry)
- www.debian.org/security/2018/dsa-4214 (Debian vendor advisory)
- www.securityfocus.com/bid/104253 (SecurityFocus BID entry)
- www.securitytracker.com/id/1040948 (SecurityTracker entry)
- lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E (Apache mailing list, issues.activemq)
- lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E (Apache mailing list, commits.nifi)
- lists.apache.org/thread.html/c75147028c1c79bdebd4f8fa5db2b77da85de2b05ecc0d54d708b393@%3Cdev.zookeeper.apache.org%3E (Apache mailing list, dev.zookeeper)
- lists.apache.org/thread.html/r73daf1fc5d85677d9a854707e1908d14e174b7bbb0c603709c0ab33f@%3Coak-commits.jackrabbit.apache.org%3E (Apache mailing list, oak-commits.jackrabbit)
- lists.apache.org/thread.html/r8f0d920805af93033c488af89104e2d682662bacfb8406db865d5e14@%3Cdev.jackrabbit.apache.org%3E (Apache mailing list, dev.jackrabbit)
- lists.apache.org/thread.html/rc5bc4ddb0deabf8cfb69378cecee56fcdc76929bea9e6373cb863870@%3Cdev.jackrabbit.apache.org%3E (Apache mailing list, dev.jackrabbit)
- lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E (Apache mailing list, commits.nifi)
- lists.apache.org/thread.html/re3a4048e9515d4afea416df907a612ed384a16c57cf99e97ee4a12f2@%3Cdev.jackrabbit.apache.org%3E (Apache mailing list, dev.jackrabbit)
- www.oracle.com/security-alerts/cpujul2020.html (Oracle Critical Patch Update, July 2020)
News mentions
No linked articles in our index yet.