Apache ZooKeeper: Reverse-DNS fallback enables hostname verification bypass in ZooKeeper ZKTrustManager
Summary
| CVE | CVE-2026-24281 |
|---|---|
| State | PUBLISHED |
| Assigner | apache |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-03-07 09:16:07 UTC |
| Updated | 2026-07-03 13:17:00 UTC |
| Description | Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper servers or clients with a valid certificate for the PTR name. It's important to note that attacker must present a certificate which is trusted by ZKTrustManager which makes the attack vector harder to exploit. Users are recommended to upgrade to version 3.8.6 or 3.9.5, which fixes this issue by introducing a new configuration option to disable reverse DNS lookup in client and quorum protocols. |
Risk And Classification
Primary CVSS: v3.1 7.4 HIGH from [email protected]
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Problem Types: CWE-295 | CWE-350 | CWE-350 CWE-350 Reliance on Reverse DNS Resolution for a Security-Critical Action | CWE-295 CWE-295 Improper Certificate Validation | CWE-295 Improper Certificate Validation
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 7.4 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
| 3.1 | ADP | DECLARED | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N |
| 3.1 | ADP | CVSS | 7.4 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
| 3.1 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 7.4 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| access.redhat.com/errata/RHSA-2026:14276 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:8509 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/security/cve/CVE-2026-24281 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| access.redhat.com/errata/RHSA-2026:10184 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| lists.apache.org/thread/088ddsbrzhd5lxzbqf5n24yg0mwh9jt2 | [email protected] | lists.apache.org | Mailing List, Vendor Advisory |
| access.redhat.com/errata/RHSA-2026:34608 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-24281.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:14272 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| www.openwall.com/lists/oss-security/2026/03/07/4 | af854a3a-2127-422b-91ae-364da2661108 | www.openwall.com | Mailing List, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Nikita Markevich <[email protected]> (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-03-07T09:00:57.868Z | Reported to Red Hat. |
| ADP | 2026-03-07T08:50:32.525Z | Made public. |
Solutions
ADP: RHSA-2026:14276: Red Hat AMQ Broker 7.12.7
ADP: RHSA-2026:14272: Red Hat AMQ Broker 7.13.5
ADP: RHSA-2026:8509: Red Hat AMQ Broker 7.14.0
ADP: RHSA-2026:10184: Red Hat OpenShift AI 2.25
ADP: RHSA-2026:34608: Streams for Apache Kafka 2.9.4
Workarounds
ADP: To mitigate this issue, disable reverse DNS lookup in Apache ZooKeeper's client and quorum protocols. This can be achieved by configuring the `zookeeper.ssl.hostnameVerification.disableReverseDns` property to `true`. This configuration option is available in Apache ZooKeeper versions 3.8.6 and 3.9.5 and later. A restart of the ZooKeeper service will be required for the change to take effect.