Detections
Analytics

Apache ZooKeeper 3.8.x < 3.8.6 / 3.9.x < 3.9.5 Multiple Vulnerabilities

high Nessus Plugin ID 301976

Synopsis

The remote Apache ZooKeeper server is affected by multiple vulnerabilities.

Description

The version of Apache ZooKeeper listening on the remote host is 3.8.x prior to 3.8.6 or 3.9.x prior to 3.9.5. It is, therefore, affected by multiple vulnerabilities:

 - Improper handling of configuration values in ZKConfig allows an attacker to expose sensitive information stored in client configuration in the client's logfile. Configuration values are exposed at INFO level logging, rendering potential production systems affected by the issue.
 (CVE-2026-24308)

 - Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper servers or clients with a valid certificate for the PTR name. Note that an attacker must present a certificate which is trusted by ZKTrustManager, which makes the attack vector harder to exploit. (CVE-2026-24281)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update to Apache ZooKeeper 3.8.6 or 3.9.5 or later.

See Also

https://lists.apache.org/thread/088ddsbrzhd5lxzbqf5n24yg0mwh9jt2

https://lists.apache.org/thread/qng3rtzv2pqkmko4rhv85jfplkyrgqdr

Plugin Details

Severity: High

ID: 301976

File Name: apache_zookeeper_3_9_5.nasl

Version: 1.1

Type: combined

Family: Misc.

Published: 3/12/2026

Updated: 3/12/2026

Configuration: Enable thorough checks (optional)

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.0

CVSS v2

Risk Factor: High

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS Score Source: CVE-2026-24308

CVSS v3

Risk Factor: High

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v4

Risk Factor: High

Base Score: 8.7

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

CPE: cpe:/a:apache:zookeeper

Required KB Items: installed_sw/Apache Zookeeper

Patch Publication Date: 3/7/2026

Vulnerability Publication Date: 3/7/2026

Reference Information

CVE: CVE-2026-24281, CVE-2026-24308