CVE-2026-24281: 
Java 취약성 분석 및 완화

CVE-2026-24281 is a hostname verification bypass vulnerability in Apache ZooKeeper's ZKTrustManager component, caused by an improper fallback to reverse DNS (PTR) lookups when IP Subject Alternative Name (SAN) validation fails. It affects Apache ZooKeeper versions 3.8.0 through 3.8.5 and 3.9.0 through 3.9.4. The vulnerability was reported by Nikita Markevich, disclosed publicly on March 7, 2026 via the oss-security mailing list, and tracked internally as ZOOKEEPER-4986. It carries a CVSS v3.1 base score of 7.4 (High) (Apache oss-security, Feedly).

The root cause is classified under CWE-295 (Improper Certificate Validation) and CWE-350 (Reliance on Reverse DNS Resolution for a Security-Critical Action). When ZKTrustManager performs TLS hostname verification and IP SAN validation fails, it falls back to performing a reverse DNS (PTR) lookup on the connecting IP address and validates the resulting hostname against the certificate's Common Name or DNS SAN. An attacker who controls or can spoof PTR records can present a certificate that is trusted by ZKTrustManager and whose subject matches the spoofed PTR hostname, thereby impersonating a legitimate ZooKeeper server or client. The attack requires the attacker to possess or forge a certificate trusted by the target's trust store, which significantly raises the exploitation bar (Apache oss-security).

Successful exploitation enables a man-in-the-middle (MitM) attack on ZooKeeper communication channels, allowing an attacker to impersonate ZooKeeper servers or clients. This could result in unauthorized access to ZooKeeper cluster data (high confidentiality impact), manipulation of cluster state or configuration (high integrity impact), and potential disruption of distributed applications that depend on ZooKeeper for coordination. Availability is not directly impacted by the vulnerability itself. Downstream IBM products including IBM Operational Decision Manager, IBM Db2 on Cloud Pak for Data, and IBM Storage Scale are also affected (Feedly, Apache oss-security).

1. Reconnaissance: Identify target ZooKeeper deployments running versions 3.8.0–3.8.5 or 3.9.0–3.9.4 with TLS/SSL enabled on client or quorum ports (default: 2181, 2281, 3888).
2. Obtain a trusted certificate: Acquire or forge a certificate that is trusted by the target ZooKeeper's trust store (e.g., issued by a CA whose certificate is in the ZooKeeper truststore), with a subject CN or DNS SAN matching the hostname the attacker intends to spoof.
3. Control or spoof PTR records: Gain control of the reverse DNS zone for the attacker's IP address (e.g., via DNS cache poisoning, BGP hijacking, or control of the DNS infrastructure) and configure a PTR record that resolves to a hostname matching the attacker's certificate subject.
4. Position for MitM: Place the attacker-controlled host in a network position to intercept TLS connections between ZooKeeper clients and servers (e.g., via ARP spoofing, BGP hijacking, or rogue network device).
5. Present the forged identity: When a ZooKeeper peer or client connects, the attacker's TLS endpoint presents the trusted certificate. ZKTrustManager fails IP SAN validation, falls back to PTR lookup, resolves the attacker's IP to the spoofed hostname, and accepts the certificate as valid.
6. Achieve MitM: The attacker can now intercept, read, or modify ZooKeeper protocol traffic, access cluster data, or inject malicious state changes (Apache oss-security).

• Network: Unexpected PTR (reverse DNS) lookup traffic originating from ZooKeeper server processes; TLS connections to ZooKeeper ports (2181, 2281, 3888) from IP addresses whose PTR records resolve to legitimate ZooKeeper hostnames but do not match expected forward DNS entries.
• Logs: ZooKeeper logs showing TLS handshake completions with peers whose IP addresses do not match expected cluster member IPs; certificate subject names in ZooKeeper SSL debug logs that differ from expected peer hostnames.
• Network: Anomalous DNS PTR query responses for ZooKeeper server IPs returning unexpected hostnames; DNS responses with unusually short TTLs for PTR records associated with ZooKeeper cluster IPs.
• Process: ZooKeeper JVM processes making unexpected outbound DNS resolution calls during connection establishment phases.

Users should upgrade Apache ZooKeeper to version 3.8.6 (for the 3.8.x branch) or 3.9.5 (for the 3.9.x branch), which fix the issue by introducing a new configuration option to explicitly disable reverse DNS lookup in client and quorum protocols. After upgrading, administrators should enable this new configuration option to prevent PTR fallback. As an interim measure, network segmentation and strict DNS infrastructure controls (e.g., DNSSEC, restricting PTR record modification) can reduce the risk of PTR spoofing. IBM has released patches for affected downstream products: IBM Operational Decision Manager (April 2026), IBM Db2 on Cloud Pak for Data, and IBM Storage Scale (fixed in 5.2.3.8 and 6.0.1.0 or higher) (Apache oss-security, IBM ODM Advisory, IBM Storage Scale).

The vulnerability received coverage from several cybersecurity news outlets including GBHackers, CyberPress, CyberSecurityNews, and SecurityOnline, generally characterizing it as a significant but difficult-to-exploit flaw in ZooKeeper's TLS implementation. SmarterMSP published a threat advisory recommending immediate patching. The Apache Software Foundation disclosed the issue via the oss-security mailing list with a severity rating of "important." Social media activity on Bluesky noted the disclosure. Overall community sentiment reflects moderate concern given the high attack complexity and the requirement for a trusted certificate, with no reports of active exploitation (Apache oss-security).