CVE-2026-24281: 
Java Analisi e mitigazione delle vulnerabilità

CVE-2026-24281 is a hostname verification bypass vulnerability in Apache ZooKeeper's ZKTrustManager component, caused by an improper fallback to reverse DNS (PTR) lookups when IP Subject Alternative Name (SAN) validation fails. It affects Apache ZooKeeper versions 3.8.0 through 3.8.5 and 3.9.0 through 3.9.4. The vulnerability was reported by Nikita Markevich, disclosed publicly on March 7, 2026 via the oss-security mailing list, and tracked internally as ZOOKEEPER-4986. It carries a CVSS v3.1 base score of 7.4 (High) (Apache oss-security, Feedly).

The root cause is classified under CWE-295 (Improper Certificate Validation) and CWE-350 (Reliance on Reverse DNS Resolution for a Security-Critical Action). When ZKTrustManager performs TLS hostname verification and IP SAN validation fails, it falls back to performing a reverse DNS (PTR) lookup on the connecting IP address and validates the resulting hostname against the certificate's Common Name or DNS SAN. An attacker who controls or can spoof PTR records can present a certificate that is trusted by ZKTrustManager and whose subject matches the spoofed PTR hostname, thereby impersonating a legitimate ZooKeeper server or client. The attack requires the attacker to possess or forge a certificate trusted by the target's trust store, which significantly raises the exploitation bar (Apache oss-security).

Successful exploitation enables a man-in-the-middle (MitM) attack on ZooKeeper communication channels, allowing an attacker to impersonate ZooKeeper servers or clients. This could result in unauthorized access to ZooKeeper cluster data (high confidentiality impact), manipulation of cluster state or configuration (high integrity impact), and potential disruption of distributed applications that depend on ZooKeeper for coordination. Availability is not directly impacted by the vulnerability itself. Downstream IBM products including IBM Operational Decision Manager, IBM Db2 on Cloud Pak for Data, and IBM Storage Scale are also affected (Feedly, Apache oss-security).

Users should upgrade Apache ZooKeeper to version 3.8.6 (for the 3.8.x branch) or 3.9.5 (for the 3.9.x branch), which fix the issue by introducing a new configuration option to explicitly disable reverse DNS lookup in client and quorum protocols. After upgrading, administrators should enable this new configuration option to prevent PTR fallback. As an interim measure, network segmentation and strict DNS infrastructure controls (e.g., DNSSEC, restricting PTR record modification) can reduce the risk of PTR spoofing. IBM has released patches for affected downstream products: IBM Operational Decision Manager (April 2026), IBM Db2 on Cloud Pak for Data, and IBM Storage Scale (fixed in 5.2.3.8 and 6.0.1.0 or higher) (Apache oss-security, IBM ODM Advisory, IBM Storage Scale).

The vulnerability received coverage from several cybersecurity news outlets including GBHackers, CyberPress, CyberSecurityNews, and SecurityOnline, generally characterizing it as a significant but difficult-to-exploit flaw in ZooKeeper's TLS implementation. SmarterMSP published a threat advisory recommending immediate patching. The Apache Software Foundation disclosed the issue via the oss-security mailing list with a severity rating of "important." Social media activity on Bluesky noted the disclosure. Overall community sentiment reflects moderate concern given the high attack complexity and the requirement for a trusted certificate, with no reports of active exploitation (Apache oss-security).