Apache ZooKeeper: Attackers can impersonate servers with fake certificate

Summary

Apache ZooKeeper versions 3.8.5 and earlier allow attackers to impersonate servers if they control the reverse DNS (PTR) records. This can be exploited by attackers who have a certificate that is trusted by ZooKeeper. To fix this, upgrade to version 3.8.6 or 3.9.5, and consider disabling reverse DNS lookup in your ZooKeeper configuration.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software

Vendor	Product	Affected versions	Fix available
canonical	zookeeper	All versions	–
canonical	zookeeper	All versions	–
canonical	zookeeper	All versions	–
canonical	zookeeper	All versions	–
canonical	zookeeper	All versions	–
canonical	zookeeper	All versions	–
canonical	zookeeper	All versions	–

Original title

Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper s...

Original description

Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper servers or clients with a valid certificate for the PTR name. It's important to note that attacker must present a certificate which is trusted by ZKTrustManager which makes the attack vector harder to exploit. Users are recommended to upgrade to version 3.8.6 or 3.9.5, which fixes this issue by introducing a new configuration option to disable reverse DNS lookup in client and quorum protocols.

https://ubuntu.com/security/CVE-2026-24281 Third Party Advisory
https://www.cve.org/CVERecord?id=CVE-2026-24281 Third Party Advisory
https://lists.apache.org/thread/088ddsbrzhd5lxzbqf5n24yg0mwh9jt2 Third Party Advisory
http://www.openwall.com/lists/oss-security/2026/03/07/4 Third Party Advisory