Cybersecurity Threat Advisory: Apache ZooKeeper vulnerability


Recently, two vulnerabilities rated Important were identified in Apache ZooKeeper, a service widely used for configuration management and naming in distributed applications. These issues make timely security updates critical. The vulnerabilities could allow attackers to access sensitive configuration data or even bypass hostname verification entirely. Review the Cybersecurity Threat Advisory now to protect your systems.

What is the threat?

The first vulnerability, CVE-2026-24308, involves the disclosure of sensitive information due to improper handling of configuration values in the ZKConfig component. Because of this flaw, any unauthorized user with read access to the log files could quietly obtain sensitive production data without triggering alarms.

The second vulnerability, CVE-2026-24281, is a hostname-verification bypass. If IP Subject Alternative Name (SAN) validation fails, the system automatically falls back to a reverse DNS (PTR) lookup and matches the returned name instead. Attackers who control or spoof PTR records can exploit this behavior to impersonate valid ZooKeeper clients.
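The two verification behaviours described above, as an added example that is not part of the original advisory and not ZooKeeper's own ZKTrustManager code. It models a certificate by its IP SANs and DNS SANs, takes a constructed resolver in place of a real PTR lookup, and exposes the fallback as a flag so the strict form (IP-SAN mismatch is final) can be compared with the weak form (IP-SAN mismatch falls through to the PTR name). Function names, the `Resolver` type and all sample addresses are assumptions.

```python
import ipaddress
from typing import Callable, Iterable, Optional, Tuple

# Constructed stand-in for a reverse DNS lookup: IP string -> PTR name or None.
Resolver = Callable[[str], Optional[str]]


def ip_san_matches(peer_ip: str, ip_sans: Iterable[str]) -> bool:
    """Strict check: the peer's address must appear among the certificate's IP SANs.

    Addresses are normalised with ipaddress so that textual variants of the
    same address (e.g. '::1' and '0:0:0:0:0:0:0:1') compare equal, and any
    malformed entry on either side simply fails to match.
    """
    try:
        peer = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    for san in ip_sans:
        try:
            if ipaddress.ip_address(san) == peer:
                return True
        except ValueError:
            continue  # unparsable SAN entry never matches
    return False


def verify_peer(
    peer_ip: str,
    ip_sans: Iterable[str],
    dns_sans: Iterable[str],
    resolver: Resolver,
    allow_ptr_fallback: bool,
) -> Tuple[bool, str]:
    """Return (accepted, reason) for a peer connecting from peer_ip.

    allow_ptr_fallback=False is the hardened behaviour: when the IP SAN check
    fails, the connection is rejected. allow_ptr_fallback=True mirrors the weak
    behaviour the advisory describes: the peer's PTR record is resolved and
    compared against the certificate's DNS SANs, so whoever controls that PTR
    record controls the outcome.
    """
    if ip_san_matches(peer_ip, ip_sans):
        return True, "ip-san"
    if not allow_ptr_fallback:
        return False, "ip-san-mismatch"
    ptr = resolver(peer_ip)
    if ptr is None:
        return False, "no-ptr"
    wanted = {name.rstrip(".").lower() for name in dns_sans}
    if ptr.rstrip(".").lower() in wanted:
        return True, "ptr-fallback"
    return False, "ptr-mismatch"


if __name__ == "__main__":
    # Constructed certificate and resolver: the legitimate server is 10.0.0.5,
    # while the resolver is set up so that a different address also resolves
    # to the certificate's DNS name (the situation the advisory warns about).
    cert_ip_sans = ["10.0.0.5"]
    cert_dns_sans = ["zk1.example.internal"]
    ptr_table = {"10.0.0.5": "zk1.example.internal", "10.0.0.99": "zk1.example.internal"}
    resolver: Resolver = lambda ip: ptr_table.get(ip)

    for ip in ("10.0.0.5", "10.0.0.99"):
        strict = verify_peer(ip, cert_ip_sans, cert_dns_sans, resolver, allow_ptr_fallback=False)
        weak = verify_peer(ip, cert_ip_sans, cert_dns_sans, resolver, allow_ptr_fallback=True)
        print(f"{ip}: strict={strict} fallback={weak}")
```

The useful outcome is the second row: with the fallback enabled, 10.0.0.99 is accepted purely because of its PTR record, whereas the strict check rejects it. A regression test for a hardened deployment should assert the strict result, not the fallback one.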

Why is it noteworthy?

Because INFO-level logging is typically enabled by default in production deployments, any user or attacker who gains access to these logs could view confidential configuration data. According to the Apache Software Foundation (ASF), this flaw affects both operational security and infrastructure privacy. While the hostname-verification attack requires a digitally signed certificate trusted by the ZKTrustManager, it still poses a significant risk in tightly controlled environments that rely on that trust boundary.

What is the exposure or risk?

These vulnerabilities impact Apache ZooKeeper versions 3.8.0 through 3.8.5 and 3.9.0 through 3.9.4. Both issues are classified as Important and require prompt mitigation to prevent unauthorized access or data exposure. Because ZooKeeper is a widely used centralized coordination system, the vulnerabilities could potentially put millions of customers at risk.

What are the recommendations?

Barracuda strongly recommends the following defensive measures:

  • Upgrade to ZooKeeper versions 3.8.6 or 3.9.5 immediately.
  • Administrators should audit existing ZooKeeper logs for exposed credentials and rotate any passwords or authentication keys found.
  • For hostname verification, apply the new configuration option included in the patch to disable reverse DNS lookups entirely across both the client and quorum protocols.
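A starting point for the first two recommendations, added here as an example that is not part of the original advisory and not an Apache or Barracuda tool. `is_affected` checks a reported version string against the affected ranges stated above (3.8.0 through 3.8.5 and 3.9.0 through 3.9.4), and `find_exposed_values` scans log lines for `key=value` pairs whose key names look like a credential, reporting the line and key with the value masked so the audit output does not itself leak the secret. The sample log lines are constructed for the example and do not reproduce ZooKeeper's real log format; the key-name heuristic and the helper names are assumptions.

```python
import re
from typing import Iterable, List, Tuple

# Affected ranges from the advisory, inclusive on both ends.
AFFECTED_RANGES = (
    ((3, 8, 0), (3, 8, 5)),
    ((3, 9, 0), (3, 9, 4)),
)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '3.8.5' (optionally with a '-SNAPSHOT' style suffix) into a tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[-.].*)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


# Heuristic (assumed, not from the advisory): keys that usually hold secrets.
SENSITIVE_KEY = re.compile(r"(password|passwd|secret|token)", re.IGNORECASE)
# key=value pairs as they might appear in a configuration dump.
KEY_VALUE = re.compile(r"([A-Za-z0-9_.\-]+)\s*=\s*(\S+)")


def mask(value: str) -> str:
    """Keep only the last two characters so a hit can be correlated, not reused."""
    if len(value) <= 4:
        return "****"
    return "*" * (len(value) - 2) + value[-2:]


def find_exposed_values(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, key, masked_value) for every credential-like key."""
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(lines, start=1):
        for key, value in KEY_VALUE.findall(line):
            if SENSITIVE_KEY.search(key):
                hits.append((lineno, key, mask(value)))
    return hits


# Constructed sample log (not real ZooKeeper output) with two credential-like keys.
SAMPLE_LOG = [
    "2026-02-03 10:00:01,120 - INFO  - constructed: clientPort=2181",
    "2026-02-03 10:00:01,121 - INFO  - constructed: ssl.keyStore.location=/etc/zk/keystore.jks",
    "2026-02-03 10:00:01,122 - INFO  - constructed: ssl.keyStore.password=hunter2",
    "2026-02-03 10:00:01,130 - WARN  - constructed: unrelated warning, no settings here",
    "2026-02-03 10:00:02,000 - INFO  - constructed: ssl.trustStore.password=changeit",
]


if __name__ == "__main__":
    for ver in ("3.8.5", "3.8.6", "3.9.4", "3.9.5"):
        print(f"{ver}: {'AFFECTED' if is_affected(ver) else 'not affected'}")
    for lineno, key, masked in find_exposed_values(SAMPLE_LOG):
        print(f"line {lineno}: {key} = {masked}  (rotate this credential)")
```

Run against real logs, feed the file's lines into `find_exposed_values`; each hit is a credential to rotate, per the second recommendation above, and the masked output is safe to paste into a ticket.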

References

For more in-depth information about the recommendations, please visit the following links:

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.

This post originally appeared on Smarter MSP.