A colleague reported that a production scan had flagged the Eclipse Jetty resource management error vulnerability (CVE-2021-28165) as needing remediation. Jetty was not installed in the production environment, however; on closer inspection the finding turned out to be caused by ZooKeeper. The fix is as follows:
1. If the ZooKeeper admin console is not needed, it is recommended to disable it.
The ZooKeeper admin console is served by an embedded Jetty instance. It is plain HTTP by default and carries some information-disclosure and security risk.
2. Edit the zkServer.sh file
vim /usr/local/zookeeper/bin/zkServer.sh
Before the change:
start)
    echo -n "Starting zookeeper ... "
    if [ -f "$ZOOPIDFILE" ]; then
      if kill -0 `cat "$ZOOPIDFILE"` > /dev/null 2>&1; then
         echo $command already running as process `cat "$ZOOPIDFILE"`.
         exit 1
      fi
    fi
    nohup "$JAVA" $ZOO_DATADIR_AUTOCREATE "-Dzookeeper.log.dir=${ZOO_LOG_DIR}" \
    "-Dzookeeper.log.file=${ZOO_LOG_FILE}" "-Dzookeeper.root.logger=${ZOO_LOG4J_PROP}" \
After the change:
start)
    echo -n "Starting zookeeper ... "
    if [ -f "$ZOOPIDFILE" ]; then
      if kill -0 `cat "$ZOOPIDFILE"` > /dev/null 2>&1; then
         echo $command already running as process `cat "$ZOOPIDFILE"`.
         exit 1
      fi
    fi
    nohup "$JAVA" $ZOO_DATADIR_AUTOCREATE "-Dzookeeper.log.dir=${ZOO_LOG_DIR}" \
    "-Dzookeeper.log.file=${ZOO_LOG_FILE}" "-Dzookeeper.admin.enableServer=false" "-Dzookeeper.root.logger=${ZOO_LOG4J_PROP}" \
That is, on the nohup line, the following was added:
"-Dzookeeper.admin.enableServer=false"
After adding it, restart ZooKeeper:
service zookeeper stop
service zookeeper start
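To confirm the change actually took effect after the restart, the following helper script checks the running JVM's argument list for the property added above and checks that nothing is still bound to the admin port. This is an added example, not part of the original post or of ZooKeeper. It also covers the equivalent zoo.cfg key `admin.enableServer` (the `-Dzookeeper.admin.enableServer` flag is the Java system-property form of that key, and `admin.serverPort` selects the port, default 8080), because ZooKeeper copies zoo.cfg keys into system properties after the JVM starts, so an explicit value in zoo.cfg wins over the flag in zkServer.sh. The install path `/usr/local/zookeeper` and the presence of `ss`, `pgrep` and `/proc` are assumptions.

```shell
#!/bin/sh
# Verification helpers for the zkServer.sh change: confirm the ZooKeeper JVM
# runs with the admin server (embedded Jetty) disabled and that nothing is
# still listening on the admin port. Added example; not ZooKeeper's own code.
# Paths under /usr/local/zookeeper are assumed.

ZK_HOME=${ZK_HOME:-/usr/local/zookeeper}

# 0 if the Java command line (passed as one string) contains the disabling
# property, 1 otherwise. The surrounding spaces force a whole-argument match,
# so e.g. -Dzookeeper.admin.enableServer=falsehood is not accepted.
zk_cmdline_admin_disabled() {
    case " $1 " in
        *" -Dzookeeper.admin.enableServer=false "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the value of admin.enableServer from a zoo.cfg (last occurrence wins,
# commented-out lines ignored), or nothing if the key is absent.
zk_cfg_admin_setting() {
    sed -n 's/^[[:space:]]*admin\.enableServer[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | tail -n 1
}

# Print admin.serverPort from zoo.cfg, or ZooKeeper's default of 8080.
zk_admin_port() {
    port=$(sed -n 's/^[[:space:]]*admin\.serverPort[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' "$1" | tail -n 1)
    if [ -n "$port" ]; then echo "$port"; else echo 8080; fi
}

# 0 if the admin server is effectively disabled for a given command line and
# zoo.cfg. ZooKeeper turns zoo.cfg keys into system properties at startup, so
# an explicit admin.enableServer in zoo.cfg overrides the -D flag.
zk_admin_disabled() {
    setting=$(zk_cfg_admin_setting "$2")
    if [ -n "$setting" ]; then
        [ "$setting" = "false" ]
    else
        zk_cmdline_admin_disabled "$1"
    fi
}

# 0 if no TCP listener is bound on the given port (uses ss from iproute2).
zk_port_closed() {
    ! ss -ltn 2>/dev/null | awk 'NR>1{print $4}' | grep -q ":$1\$"
}

# Live check against the running server: find the QuorumPeerMain JVM, read
# its argv from /proc, and combine that with the config file on disk.
# Returns 0 when everything is disabled, 1 on a warning, 2 if not running.
zk_check_live() {
    cfg=${1:-$ZK_HOME/conf/zoo.cfg}
    pid=$(pgrep -f org.apache.zookeeper.server.quorum.QuorumPeerMain | head -n 1)
    if [ -z "$pid" ]; then
        echo "zookeeper is not running"
        return 2
    fi
    cmdline=$(tr '\0' ' ' < "/proc/$pid/cmdline")
    port=$(zk_admin_port "$cfg")
    if zk_admin_disabled "$cmdline" "$cfg"; then
        echo "admin server disabled for pid $pid"
    else
        echo "WARNING: admin server still enabled for pid $pid"
        return 1
    fi
    if zk_port_closed "$port"; then
        echo "nothing listening on admin port $port"
    else
        echo "WARNING: port $port still has a listener (old process not stopped?)"
        return 1
    fi
}
```

Usage: save as zk_admin_check.sh, then run `. ./zk_admin_check.sh && zk_check_live` (optionally passing a different zoo.cfg path) on the ZooKeeper host after the restart. A non-zero exit means the scanner will most likely still flag the Jetty listener; a listener on the port with the flag present usually means the old process survived the `service zookeeper stop`.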
With that, the problem is resolved.