Apache ZooKeeper Patches Critical Flaws Exposing Sensitive Data and Enabling Server Spoofing
The Apache Software Foundation (ASF) has released urgent security patches for Apache ZooKeeper, addressing two high-severity vulnerabilities that could lead to sensitive data exposure and server impersonation attacks in distributed systems.
The first flaw, CVE-2026-24308, stems from improper log sanitization in the ZKConfig component, which inadvertently logs configuration values including credentials and environment settings in plain text at the INFO level. Since INFO logging is enabled by default in production, attackers with access to logs could extract confidential data. Security researcher Youlong Chen disclosed the issue, which affects ZooKeeper versions 3.8.0–3.8.5 and 3.9.0–3.9.4.
The second vulnerability, CVE-2026-24281, involves a hostname verification bypass in the ZKTrustManager. When standard IP-based Subject Alternative Name (SAN) checks fail, ZooKeeper falls back to reverse DNS (PTR) lookups, allowing attackers to spoof legitimate servers by manipulating PTR records. While exploitation requires a trusted digital certificate, the flaw poses a significant risk in secure environments. Nikita Markevich reported the issue, tracked internally as ZOOKEEPER-4986.
ASF has released patched versions (3.8.6 and 3.9.5), which fix the logging issue by preventing credential exposure and introduce a configuration option to disable reverse DNS lookups. Administrators are advised to upgrade immediately and audit logs for exposed credentials.
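To make the fallback concrete, the following is an added example (not ZooKeeper's own ZKTrustManager code) that models the check in Python: the IP SAN test first, then the PTR lookup the advisory describes, with a boolean standing in for the disable option the patched releases introduce. The certificates, addresses and PTR table are constructed for the demo.

```python
from typing import Callable, Dict, Optional, Set, Tuple

# A certificate reduced to its Subject Alternative Names (constructed data).
Cert = Dict[str, Set[str]]                    # {"ip": {...}, "dns": {...}}
ReverseLookup = Callable[[str], Optional[str]]

def verify_peer(cert: Cert, peer_ip: str, reverse_lookup: ReverseLookup,
                allow_reverse_dns: bool) -> Tuple[bool, str]:
    """Return (accepted, reason) for a TLS peer at peer_ip presenting cert.

    Step 1 is the standard check: the address we connected to must be an IP SAN.
    Step 2 is the flawed fallback: derive a name for peer_ip from its PTR record
    and accept if that name is a DNS SAN. Whoever runs the reverse zone for
    peer_ip chooses the name step 2 compares against."""
    if peer_ip in cert["ip"]:
        return True, "ip-san-match"
    if not allow_reverse_dns:                 # hardened mode stops here
        return False, "ip-san-mismatch"
    ptr_name = reverse_lookup(peer_ip)        # attacker-influenceable input
    if ptr_name is not None and ptr_name in cert["dns"]:
        return True, "ptr-fallback-match"
    return False, "no-san-match"

# Constructed certificates: the real ensemble member, and an attacker's
# certificate that (as the advisory assumes) chains to a trusted CA.
LEGIT_CERT: Cert = {"ip": {"10.0.0.11"}, "dns": {"zk1.example.internal"}}
ATTACKER_CERT: Cert = {"ip": set(), "dns": {"zk-evil.attacker.example"}}

# Constructed reverse zone: the attacker controls the PTR for 192.0.2.50.
CONSTRUCTED_PTR = {"10.0.0.11": "zk1.example.internal",
                   "192.0.2.50": "zk-evil.attacker.example"}

def lookup_ptr(ip: str) -> Optional[str]:
    """Stand-in for a real PTR query; reads the constructed table above."""
    return CONSTRUCTED_PTR.get(ip)

def run_scenarios() -> Dict[str, Tuple[bool, str]]:
    """Both peers, checked with the fallback on (pre-patch) and off."""
    return {
        "legit_fallback_on": verify_peer(LEGIT_CERT, "10.0.0.11", lookup_ptr, True),
        "attacker_fallback_on": verify_peer(ATTACKER_CERT, "192.0.2.50", lookup_ptr, True),
        "legit_fallback_off": verify_peer(LEGIT_CERT, "10.0.0.11", lookup_ptr, False),
        "attacker_fallback_off": verify_peer(ATTACKER_CERT, "192.0.2.50", lookup_ptr, False),
    }

if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:22} accepted={ok} ({why})")
```

In this model a server certificate with no IP SAN is rejected once the fallback is off, so check ensemble certificates before disabling the lookup.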
Source: https://cyberpress.org/apache-zookeeper-vulnerability/
The Apache Software Foundation cybersecurity rating report: https://www.rankiteo.com/company/the-apache-software-foundation
{
  "id": "THE1773066267",
  "linkid": "the-apache-software-foundation",
  "type": "Vulnerability",
  "date": "1/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {
      "industry": "Technology/Software",
      "name": "Apache Software Foundation",
      "type": "Open-Source Software Foundation"
    }
  ],
  "attack_vector": ["Log Exploitation", "DNS Manipulation"],
  "customer_advisories": "Administrators are advised to upgrade immediately and audit logs for exposed credentials.",
  "data_breach": {
    "sensitivity_of_data": "High (plain text credentials)",
    "type_of_data_compromised": "Credentials and environment settings"
  },
  "description": "The Apache Software Foundation (ASF) has released urgent security patches for Apache ZooKeeper, addressing two high-severity vulnerabilities that could lead to sensitive data exposure and server impersonation attacks in distributed systems. The first flaw, CVE-2026-24308, stems from improper log sanitization in the ZKConfig component, which logs configuration values including credentials and environment settings in plain text. The second vulnerability, CVE-2026-24281, involves a hostname verification bypass in the ZKTrustManager, allowing attackers to spoof legitimate servers by manipulating PTR records.",
  "impact": {
    "data_compromised": "Credentials and environment settings in plain text",
    "operational_impact": "Potential server impersonation and unauthorized access to sensitive data",
    "systems_affected": "Apache ZooKeeper versions 3.8.0–3.8.5 and 3.9.0–3.9.4"
  },
  "post_incident_analysis": {
    "corrective_actions": [
      "Fixed logging to prevent credential exposure",
      "Added configuration option to disable reverse DNS lookups"
    ],
    "root_causes": [
      "Improper log sanitization in ZKConfig",
      "Hostname verification bypass in ZKTrustManager"
    ]
  },
  "recommendations": "Upgrade to patched versions (3.8.6 or 3.9.5) and audit logs for exposed credentials. Consider disabling reverse DNS lookups in secure environments.",
  "references": [{"source": "Apache Software Foundation Security Advisory"}],
  "response": {
    "containment_measures": "Patches released (versions 3.8.6 and 3.9.5)",
    "recovery_measures": "Administrators advised to upgrade immediately and audit logs for exposed credentials",
    "remediation_measures": "Fixed logging issue to prevent credential exposure and introduced a configuration option to disable reverse DNS lookups"
  },
  "title": "Apache ZooKeeper Patches Critical Flaws Exposing Sensitive Data and Enabling Server Spoofing",
  "type": ["Data Exposure", "Server Spoofing"],
  "vulnerability_exploited": ["CVE-2026-24308", "CVE-2026-24281"]
}