CVE-2026-11746
LY · Central Dogma
Central Dogma servers incorrectly use a hard-coded secret for ZooKeeper replication when a custom secret is not configured, allowing unauthenticated remote command execution.
Executive summary
A critical authentication bypass vulnerability in LY Central Dogma allows unauthenticated attackers to gain full control over the ZooKeeper ensemble and the cluster replication log.
Vulnerability
This is a hard-coded credential vulnerability: whenever no custom secret is configured, the server falls back to a known, built-in secret for ZooKeeper replication. An unauthenticated attacker with network access to the ensemble can use this default to join the cluster quorum or read sensitive replication logs.
Business impact
Exploitation of this flaw carries a high risk of total system compromise, including unauthorized data access and the execution of arbitrary commands across the cluster. Given the CVSS score of 9.4, this vulnerability represents a critical threat to data integrity, confidentiality, and operational availability.
Remediation
Immediate Action: Upgrade all instances of LY Central Dogma to version 0.84.0 or later so that an explicitly configured ZooKeeper replication secret is enforced instead of the built-in default.
Proactive Monitoring: Monitor network traffic for unauthorized attempts to connect to the ZooKeeper ensemble and audit cluster logs for unexpected join requests or administrative command execution.
Compensating Controls: Implement strict network segmentation and firewall rules to restrict access to the ZooKeeper port to only authorized, trusted internal service nodes.
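The following Python is an added illustration of the flaw class described above and of the fail-closed behaviour the fix calls for; it is not Central Dogma's code, and the config key `replication.secret`, the default value and all function names are hypothetical placeholders.

```python
import hmac
import secrets

# Illustrative model only (NOT Central Dogma's code). The key name, the default
# value and the function names are hypothetical placeholders for the pattern.
HARDCODED_DEFAULT = "PLACEHOLDER-BUILT-IN-DEFAULT-SECRET"  # stands in for the baked-in value
MIN_SECRET_LEN = 32


def vulnerable_replication_secret(config: dict) -> str:
    """Pre-fix pattern: silently fall back to a value anyone can read from the
    source, so every unconfigured deployment shares the same replication secret."""
    return config.get("replication.secret", HARDCODED_DEFAULT)


def hardened_replication_secret(config: dict) -> str:
    """Post-fix pattern: fail closed. Refuse to start unless the operator set an
    explicit secret that is neither the well-known default nor trivially short."""
    secret = config.get("replication.secret")
    if not secret:
        raise ValueError("replication.secret must be configured explicitly")
    if hmac.compare_digest(secret.encode(), HARDCODED_DEFAULT.encode()):
        raise ValueError("replication.secret must not be the built-in default")
    if len(secret) < MIN_SECRET_LEN:
        raise ValueError(f"replication.secret must be at least {MIN_SECRET_LEN} chars")
    return secret


def peer_is_authorized(configured: str, presented: str) -> bool:
    """Constant-time check of the secret a joining peer presents, so a wrong
    guess cannot be distinguished from a right one by timing."""
    return hmac.compare_digest(configured.encode(), presented.encode())


def generate_secret() -> str:
    """A per-deployment random secret an operator can set instead of the default."""
    return secrets.token_urlsafe(48)  # 64 URL-safe characters


if __name__ == "__main__":
    # Unconfigured cluster under the old pattern: the shared default is accepted.
    print("vulnerable accepts default:",
          peer_is_authorized(vulnerable_replication_secret({}), HARDCODED_DEFAULT))
    # Same unconfigured cluster under the new pattern: startup is refused.
    try:
        hardened_replication_secret({})
    except ValueError as exc:
        print("hardened refuses to start:", exc)
    strong = generate_secret()
    print("hardened with explicit secret rejects default:",
          not peer_is_authorized(hardened_replication_secret(
              {"replication.secret": strong}), HARDCODED_DEFAULT))
```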
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
This vulnerability presents a severe risk to cluster security. System administrators must prioritize the update to version 0.84.0 immediately. If an immediate patch is not feasible, ensure the ZooKeeper ensemble is isolated from all untrusted network segments to prevent exploitation of the hard-coded credential.