Bug 2445449 (CVE-2026-24281)
| Summary: | CVE-2026-24281 Apache ZooKeeper: Apache ZooKeeper: Impersonation of servers or clients via reverse DNS spoofing | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | asoldano, ataylor, bbaranow, bmaxwell, brian.stansberry, caswilli, ccranfor, chfoley, darran.lofthouse, dbruscin, dosoudil, fjuma, fmariani, gmalinko, istudens, ivassile, iweiss, janstey, jkoehler, jpechane, kaycoth, kvanderr, lphiri, mosmerov, msvehla, nwallace, pberan, pdelbell, pesilva, pjindal, pmackay, rgodfrey, rstancel, rstepani, smaestri, swoodman, tcunning, tom.jenkinson, yfang |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in Apache ZooKeeper. The ZKTrustManager component's hostname verification process can fall back to reverse DNS (PTR) lookup when IP Subject Alternative Name (SAN) validation fails. This vulnerability allows an attacker who can control or spoof PTR records to impersonate ZooKeeper servers or clients, provided they possess a valid certificate for the PTR name. This could lead to unauthorized access or manipulation of ZooKeeper services.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
OSIDB Bzimport
2026-03-07 09:01:20 UTC
|