Description
Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper servers or clients with a valid certificate for the PTR name. It's important to note that attacker must present a certificate which is trusted by ZKTrustManager which makes the attack vector harder to exploit. Users are recommended to upgrade to version 3.8.6 or 3.9.5, which fixes this issue by introducing a new configuration option to disable reverse DNS lookup in client and quorum protocols.
Published: 2026-03-07
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Impersonation
Action: Immediate Patch
AI Analysis

Impact

Hostname verification in Apache ZooKeeper’s ZKTrustManager falls back to using reverse DNS (PTR) records when subject alternative name validation of an IP fails. This flaw allows an attacker who controls or can spoof PTR entries to make a server or client appear to present a valid certificate for the PTR name. The result is that malicious components can impersonate legitimate ZooKeeper peers, gaining unauthorized access and potentially authenticating as trusted nodes. The weakness is related to improper validation of hostnames (CWE-295) and failure to properly verify cryptographic parameters (CWE-350).

Affected Systems

The vulnerability affects Apache ZooKeeper versions that use the default configuration of ZKTrustManager. Users should verify the installed package is prior to 3.8.6 or 3.9.5. Upgrading to version 3.8.6 or 3.9.5, which introduce a configuration option to disable reverse DNS lookup in client and quorum protocols, eliminates the risk. The vendor is the Apache Software Foundation.

Risk and Exploitability

The CVSS score of 5.9 indicates a moderate impact if exploited. However, the EPSS score of less than 1% reflects a very low probability of real-world exploitation. Exploitation requires the attacker to possess a certificate trusted by the ZooKeeper trust manager and to control PTR records pointing to this certificate. The vulnerability is not listed in CISA’s KEV, so no widespread exploitation reports are known. The risk remains lower than major threats but sufficient to justify immediate patching if the environment uses a vulnerable ZooKeeper version.

Generated by OpenCVE AI on April 17, 2026 at 12:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache ZooKeeper to version 3.8.6 or 3.9.5
  • Configure the server and clients to disable reverse DNS lookups by setting the reverseDnsLookupEnabled option to false in the ZKTrustManager configuration
  • Verify that no reverse DNS (PTR) records are pointing to ZooKeeper servers or clients and coordinate with DNS administrators to remove or secure any such records

Generated by OpenCVE AI on April 17, 2026 at 12:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-7xrh-hqfc-g7qr Apache ZooKeeper: Reverse-DNS fallback enables hostname verification bypass in ZooKeeper ZKTrustManager
History

Tue, 10 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:apache:zookeeper:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Tue, 10 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N'}

threat_severity

Moderate

Mon, 09 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache zookeeper
Vendors & Products Apache
Apache zookeeper

Sat, 07 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
References

Sat, 07 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
Description Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper servers or clients with a valid certificate for the PTR name. It's important to note that attacker must present a certificate which is trusted by ZKTrustManager which makes the attack vector harder to exploit. Users are recommended to upgrade to version 3.8.6 or 3.9.5, which fixes this issue by introducing a new configuration option to disable reverse DNS lookup in client and quorum protocols.
Title Apache ZooKeeper: Reverse-DNS fallback enables hostname verification bypass in ZooKeeper ZKTrustManager
Weaknesses CWE-295
CWE-350
References

Subscriptions

Apache Zookeeper
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-03-10T17:37:28.087Z

Reserved: 2026-01-21T19:40:25.776Z

Link: CVE-2026-24281

cve-icon Vulnrichment

Updated: 2026-03-07T17:05:10.486Z

cve-icon NVD

Status : Modified

Published: 2026-03-07T09:16:07.437

Modified: 2026-03-10T18:18:17.727

Link: CVE-2026-24281

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-07T08:50:32Z

Links: CVE-2026-24281 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T12:15:18Z

Weaknesses