{
  "threat_severity" : "Important",
  "public_date" : "2026-03-07T08:50:32Z",
  "bugzilla" : {
    "description" : "Apache ZooKeeper: Impersonation of servers or clients via reverse DNS spoofing",
    "id" : "2445449",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2445449"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-295",
  "details" : [ "Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper servers or clients with a valid certificate for the PTR name. It is important to note that the attacker must present a certificate that is trusted by ZKTrustManager, which makes this attack vector harder to exploit. Users are recommended to upgrade to version 3.8.6 or 3.9.5, which fixes this issue by introducing a new configuration option to disable reverse DNS lookup in client and quorum protocols.", "A flaw was found in Apache ZooKeeper. The ZKTrustManager component's hostname verification process can fall back to reverse DNS (PTR) lookup when IP Subject Alternative Name (SAN) validation fails. This vulnerability allows an attacker who can control or spoof PTR records to impersonate ZooKeeper servers or clients, provided they possess a valid certificate for the PTR name. This could lead to unauthorized access to or manipulation of ZooKeeper services." ],
  "affected_release" : [ {
    "product_name" : "Red Hat AMQ Broker 7.12.7",
    "release_date" : "2026-05-06T00:00:00Z",
    "advisory" : "RHSA-2026:14276",
    "cpe" : "cpe:/a:redhat:amq_broker:7.12",
    "package" : "zookeeper"
  }, {
    "product_name" : "Red Hat AMQ Broker 7.13.5",
    "release_date" : "2026-05-06T00:00:00Z",
    "advisory" : "RHSA-2026:14272",
    "cpe" : "cpe:/a:redhat:amq_broker:7.13",
    "package" : "zookeeper"
  }, {
    "product_name" : "Red Hat AMQ Broker 7.14.0",
    "release_date" : "2026-04-16T00:00:00Z",
    "advisory" : "RHSA-2026:8509",
    "cpe" : "cpe:/a:redhat:amq_broker:7.14",
    "package" : "zookeeper"
  }, {
    "product_name" : "Red Hat OpenShift AI 2.25",
    "release_date" : "2026-04-23T00:00:00Z",
    "advisory" : "RHSA-2026:10184",
    "cpe" : "cpe:/a:redhat:openshift_ai:2.25::el9",
    "package" : "rhoai/odh-modelmesh-rhel9:1776756834"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat build of Apache Camel for Spring Boot 4",
    "fix_state" : "Not affected",
    "package_name" : "zookeeper",
    "cpe" : "cpe:/a:redhat:camel_spring_boot:4"
  }, {
    "product_name" : "Red Hat build of Debezium 2",
    "fix_state" : "Will not fix",
    "package_name" : "zookeeper",
    "cpe" : "cpe:/a:redhat:debezium:2"
  }, {
    "product_name" : "Red Hat build of Debezium 3",
    "fix_state" : "Will not fix",
    "package_name" : "zookeeper",
    "cpe" : "cpe:/a:redhat:debezium:3"
  }, {
    "product_name" : "Red Hat Data Grid 8",
    "fix_state" : "Not affected",
    "package_name" : "zookeeper",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:8"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Will not fix",
    "package_name" : "zookeeper",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "fix_state" : "Not affected",
    "package_name" : "zookeeper",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Not affected",
    "package_name" : "zookeeper",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Affected",
    "package_name" : "zookeeper",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat Offline Knowledge Portal",
    "fix_state" : "Affected",
    "package_name" : "offline-knowledge-portal/rhokp-rhel9",
    "cpe" : "cpe:/a:redhat:offline_knowledge_portal:1"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Affected",
    "package_name" : "rhoai/odh-modelmesh-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "streams for Apache Kafka 2",
    "fix_state" : "Affected",
    "package_name" : "zookeeper",
    "cpe" : "cpe:/a:redhat:amq_streams:2"
  }, {
    "product_name" : "streams for Apache Kafka 3",
    "fix_state" : "Affected",
    "package_name" : "zookeeper",
    "cpe" : "cpe:/a:redhat:amq_streams:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-24281\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-24281\nhttps://lists.apache.org/thread/088ddsbrzhd5lxzbqf5n24yg0mwh9jt2" ],
  "name" : "CVE-2026-24281",
  "mitigation" : {
    "value" : "To mitigate this issue, disable reverse DNS lookup in Apache ZooKeeper's client and quorum protocols. This can be achieved by configuring the `zookeeper.ssl.hostnameVerification.disableReverseDns` property to `true`. This configuration option is only available in Apache ZooKeeper 3.8.6, 3.9.5, and later releases, so earlier versions must be upgraded before the mitigation can be applied. A restart of the ZooKeeper service will be required for the change to take effect.",
    "lang" : "en:us"
  },
  "csaw" : false
}