Apache ZooKeeper Vulnerability Allow Attackers to Access Sensitive Data
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
Two \u201cImportant\u201d severity vulnerabilities have been disclosed in Apache ZooKeeper, a widely used service for configuration management and naming in distributed applications, making timely security updates critical.<\/p>\n
These newly discovered flaws could allow attackers to access sensitive configuration data or bypass hostname verification<\/a> to impersonate trusted servers. Both vulnerabilities affect ZooKeeper versions 3.8. x and 3.9. x branches.<\/p>\n The first vulnerability, tracked as CVE-2026-24308, involves the disclosure of sensitive information.<\/p>\n Discovered by researcher Youlong Chen, this flaw occurs due to the improper handling of configuration values<\/a> in the\u00a0ZKConfig\u00a0component.<\/p>\n When a client connects, sensitive configuration data is accidentally printed to the client\u2019s log file at the default INFO logging level.<\/p>\n This means any unauthorized user or attacker with access to the system\u2019s log files could quietly steal sensitive production data <\/a>without triggering alarms.<\/p>\n The second issue, tracked as CVE-2026-24281 (and internally as ZOOKEEPER-4986), is a hostname verification bypass discovered by Nikita Markevich.<\/p>\n In the\u00a0ZKTrustManager\u00a0component, if IP Subject Alternative Name (SAN) validation fails, the system automatically falls back to a reverse DNS (PTR) lookup.<\/a><\/p>\n An attacker who controls or spoofs PTR records can exploit this behavior to impersonate valid ZooKeeper servers or clients.<\/p>\n While the attacker must still present a certificate trusted by\u00a0ZKTrustManager, which makes this harder to exploit, a successful attack completely undermines the system\u2019s trust model.<\/p>\n To protect infrastructure from these threats, Apache highly recommends that administrators<\/a> immediately upgrade their ZooKeeper installations to the patched versions.<\/p>\n The official fixes are available in\u00a0Apache ZooKeeper versions 3.8.6\u00a0and\u00a03.9.5. Applying these updates resolves the logging exposure flaw, ensuring that\u00a0ZKConfig\u00a0no longer leaks sensitive values into local files.<\/p>\n Furthermore, the updates fix the hostname bypass issue by introducing a new configuration option that turns off reverse DNS lookups for both the client and quorum protocols.<\/p>\n In addition to patching, security teams should actively review their logging environments to ensure no historically sensitive data remains exposed in older, archived log files.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Apache ZooKeeper Vulnerability Allow Attackers to Access Sensitive Data<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nApache ZooKeeper Vulnerability<\/strong><\/h2>\n