Apache ZooKeeper, the centralized coordination service used for configuration management and naming in distributed systems, has received security updates.
The Apache Software Foundation has addressed two vulnerabilities rated "Important" that could expose sensitive data and allow server or client impersonation in production environments.
Configuration and Hostname Verification Flaws
The first vulnerability, CVE-2026-24308, is a sensitive information disclosure caused by improper configuration handling.
The ZKConfig component logs configuration values at INFO level, so credentials and other settings are written to the client's logfile in plain text.
INFO is the usual production log level, which means the values end up readable by anyone with access to the client log, including any log-aggregation pipeline the log is shipped to.
Security researcher Youlong Chen was credited with discovering and reporting this vulnerability.
The second vulnerability, CVE-2026-24281, is a hostname verification bypass in the ZKTrustManager.
When validation of the peer's IP address against the certificate's IP Subject Alternative Name (SAN) fails, ZKTrustManager falls back to a reverse DNS (PTR) lookup of that address and verifies the certificate against the hostname the lookup returns.
An attacker who controls or can spoof the PTR record therefore chooses the name the certificate is checked against, and can use that to impersonate a ZooKeeper server or client.
Exploitation requires the attacker to present a certificate that ZKTrustManager already trusts, for example one issued by the same internal CA for a different host.
That prerequisite raises the bar, but the risk remains significant in targeted networks. Nikita Markevich reported this flaw, which is tracked internally as ZOOKEEPER-4986.
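To make the fallback concrete, here is an added illustration written for this article, not ZooKeeper's ZKTrustManager code. It models the verification in Python: certificates are dicts of SAN entries, reverse DNS is a dict the attacker partly controls, and the `expected_host` parameter of the hardened variant is a pattern chosen here for illustration, not the configuration option the patched releases add. All names, addresses and certificates are constructed.

```python
"""Model of the hostname-verification fallback described above.

Added illustration for this article, not ZooKeeper's ZKTrustManager code.
Certificates are modelled as dicts of SAN entries and reverse DNS as a
dict, so the spoofed-PTR scenario runs offline.
"""
from typing import Callable, Dict, List, Optional

Cert = Dict[str, List[str]]

# Constructed certificates. All are assumed to chain to the internal CA the
# trust manager trusts, which is the prerequisite the advisory describes.
REAL_SERVER_CERT: Cert = {"ip_sans": ["10.0.0.5"], "dns_sans": ["zk1.internal.example"]}
DNS_ONLY_SERVER_CERT: Cert = {"ip_sans": [], "dns_sans": ["zk1.internal.example"]}
ATTACKER_CERT: Cert = {"ip_sans": [], "dns_sans": ["build-agent-07.internal.example"]}

# Constructed reverse zone. The attacker controls the 10.0.0.66 entry.
PTR_ZONE: Dict[str, str] = {
    "10.0.0.5": "zk1.internal.example",
    "10.0.0.66": "build-agent-07.internal.example",
}


def ptr_lookup(ip: str) -> Optional[str]:
    """Stand-in for a reverse DNS query (attacker-influenced input)."""
    return PTR_ZONE.get(ip)


def _dns_san_matches(name: str, cert: Cert) -> bool:
    """Exact, case-insensitive match against dNSName SANs (no wildcards here)."""
    wanted = name.rstrip(".").lower()
    return any(wanted == san.rstrip(".").lower() for san in cert["dns_sans"])


def verify_peer_vulnerable(peer_ip: str, cert: Cert,
                           reverse_dns: Callable[[str], Optional[str]] = ptr_lookup) -> bool:
    """Pattern with the flaw: on IP SAN mismatch, trust whatever name the
    peer's PTR record returns and check the certificate against that."""
    if peer_ip in cert["ip_sans"]:
        return True
    name = reverse_dns(peer_ip)
    return name is not None and _dns_san_matches(name, cert)


def verify_peer_hardened(peer_ip: str, cert: Cert,
                         expected_host: Optional[str] = None) -> bool:
    """Hardened pattern: the expected identity comes from configuration
    (the IP connected to, or the hostname the peer was configured as),
    never from reverse DNS. Fails closed when neither matches."""
    if peer_ip in cert["ip_sans"]:
        return True
    if expected_host is not None:
        return _dns_san_matches(expected_host, cert)
    return False


def demo() -> Dict[str, bool]:
    """Run the scenarios side by side (True = peer accepted)."""
    return {
        # Normal server reached at its own IP: both checks pass.
        "legit_vulnerable": verify_peer_vulnerable("10.0.0.5", REAL_SERVER_CERT),
        "legit_hardened": verify_peer_hardened("10.0.0.5", REAL_SERVER_CERT),
        # Client steered to 10.0.0.66; attacker holds a trusted cert for its own
        # name and a PTR record that returns that name. The fallback accepts it.
        "spoof_vulnerable": verify_peer_vulnerable("10.0.0.66", ATTACKER_CERT),
        "spoof_hardened": verify_peer_hardened("10.0.0.66", ATTACKER_CERT),
        "spoof_hardened_expected": verify_peer_hardened("10.0.0.66", ATTACKER_CERT, "zk1.internal.example"),
        # Operational edge case: a server cert with only a DNS SAN, reached by IP.
        # The fallback is what made this work; without it the name must be configured.
        "dnsonly_vulnerable": verify_peer_vulnerable("10.0.0.5", DNS_ONLY_SERVER_CERT),
        "dnsonly_hardened": verify_peer_hardened("10.0.0.5", DNS_ONLY_SERVER_CERT),
        "dnsonly_hardened_expected": verify_peer_hardened("10.0.0.5", DNS_ONLY_SERVER_CERT, "zk1.internal.example"),
    }


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario:28s} {'ACCEPT' if accepted else 'REJECT'}")
```

Run it and the spoofed scenario is accepted by the vulnerable check and rejected by both hardened variants. The last three scenarios show the operational side effect of removing the fallback: a server whose certificate carries only a DNS SAN and is reached by IP was only passing verification because of the PTR lookup, so once the lookup is gone it fails unless the expected hostname comes from configuration or the certificate is reissued with an IP SAN.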
| CVE ID | Severity | Description | Affected Versions |
|---|---|---|---|
| CVE-2026-24308 | Important | Sensitive information disclosure in client configuration logs via ZKConfig at INFO level. | 3.8.0 through 3.8.5; 3.9.0 through 3.9.4 |
| CVE-2026-24281 | Important | Hostname verification bypass via reverse-DNS fallback in ZKTrustManager. | 3.8.0 through 3.8.5; 3.9.0 through 3.9.4 |
Both vulnerabilities impact the same software versions, specifically the 3.8.x branch up to 3.8.5 and the 3.9.x branch up to 3.9.4.
To protect distributed infrastructure, administrators must apply the provided software updates immediately.
The Apache Security team advises all users to upgrade their ZooKeeper deployments to version 3.8.6 or 3.9.5, which resolve both security issues.
It is worth knowing what the fixes actually change. For the logging vulnerability, the patched releases stop writing configuration values to the operational log at INFO level, so credentials no longer reach the client's logfile.
For the hostname verification flaw, the patched releases add a configuration option that disables reverse DNS lookups entirely, for both the client and quorum protocols.
Because this is a configuration option rather than an unconditional change in behaviour, administrators should check the 3.8.6 and 3.9.5 release notes for its name and default, and set it explicitly so that hostname verification can no longer be satisfied by a PTR record. Before enabling it, confirm that peers' certificates carry the addresses peers actually connect to as IP SANs; connections that previously succeeded only through the PTR fallback will otherwise be rejected.
Security teams should also audit existing client logs, including copies forwarded to central log stores, for configuration values written at INFO level before the patch was applied.
Any passwords or authentication keys found there should be rotated, since the log itself may have been read or copied before the upgrade.
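As an added example, not a ZooKeeper tool, the following Python script shows the kind of audit meant here: it scans log4j-style client log lines for `key=value` messages whose key is a known secret-bearing ZooKeeper property or looks like one, and reports each hit with a SHA-256 fingerprint instead of the value, so the audit report does not re-leak the secret. The sample lines are constructed for this article and do not reproduce ZKConfig's exact message format; the property list is an assumption to be checked against the deployment, and `app.registry.token` is a made-up key used to exercise the catch-all.

```python
"""Scan ZooKeeper client logs for configuration secrets logged by ZKConfig.

Added audit script written for this article, not a ZooKeeper tool. The log
lines below are constructed; they follow a log4j-style layout but are not a
reproduction of ZKConfig's exact output. Values are reported only as a
SHA-256 fingerprint so the report does not re-leak them.
"""
import hashlib
import re
from typing import Dict, List

# Property names known to carry secrets. Assumed list: check it against the
# properties your deployment actually sets (SASL/JAAS settings, for example).
SENSITIVE_KEYS = {
    "zookeeper.ssl.keyStore.password",
    "zookeeper.ssl.trustStore.password",
    "zookeeper.ssl.quorum.keyStore.password",
    "zookeeper.ssl.quorum.trustStore.password",
}
# Catch-all for keys not on the list whose name suggests a secret.
SECRET_WORDS = re.compile(r"(?i)(password|passwd|secret|token|credential)")

# log4j-style line: timestamp, [myid], level, [logger], then a "key=value" message.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+)\s+\[[^\]]*\]\s+-\s+"
    r"(?P<level>TRACE|DEBUG|INFO|WARN|ERROR|FATAL)\s+\[(?P<logger>[^\]]*)\]\s+-\s+"
    r"(?P<key>[A-Za-z0-9_.]+)=(?P<val>.*)$"
)

# Constructed sample log. app.registry.token is a made-up key, not a ZooKeeper property.
SAMPLE_LOG = """\
2026-02-03 09:14:02,118 [myid:] - INFO  [main:ZKConfig@71] - zookeeper.ssl.keyStore.location=/etc/zk/client.p12
2026-02-03 09:14:02,118 [myid:] - INFO  [main:ZKConfig@71] - zookeeper.ssl.keyStore.password=s3cretKeystorePw!
2026-02-03 09:14:02,119 [myid:] - INFO  [main:ZKConfig@71] - zookeeper.ssl.trustStore.password=trust-me-2026
2026-02-03 09:14:02,120 [myid:] - INFO  [main:ZKConfig@71] - zookeeper.client.secure=true
2026-02-03 09:14:02,121 [myid:] - INFO  [main:ZKConfig@71] - app.registry.token=ghp_constructedExampleToken
2026-02-03 09:14:03,005 [myid:] - WARN  [main:ClientCnxn@1290] - Session 0x0 for server zk1.internal.example:2281, unexpected error
"""


def fingerprint(value: str) -> str:
    """Short SHA-256 prefix: enough to tell which secret leaked, not to recover it."""
    return hashlib.sha256(value.encode()).hexdigest()[:12]


def find_leaked_secrets(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per log line whose key=value message carries a secret."""
    findings: List[Dict[str, str]] = []
    for lineno, raw in enumerate(log_text.splitlines(), start=1):
        m = LINE.match(raw)
        if not m:
            continue  # not a key=value message (e.g. ordinary connection logging)
        key, val = m["key"], m["val"].strip()
        if not val:
            continue  # empty value: nothing leaked
        if key in SENSITIVE_KEYS or SECRET_WORDS.search(key):
            findings.append({
                "line": str(lineno),
                "level": m["level"],
                "logger": m["logger"],
                "key": key,
                "fingerprint": fingerprint(val),
            })
    return findings


if __name__ == "__main__":
    for f in find_leaked_secrets(SAMPLE_LOG):
        print(f"line {f['line']}: {f['level']} {f['logger']} {f['key']} -> sha256:{f['fingerprint']}")
```

Point it at the real client log (and at whatever the log shipper forwarded) and treat every reported key as a credential to rotate. The fingerprint lets the team match a finding against the live secret without copying the secret into a ticket; the catch-all regex is there because ZKConfig logs whatever properties were set, not only the ones on the list.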