Apache ZooKeeper: Reverse-DNS fallback enables hostname verification bypass in ZooKeeper ZKTrustManager

Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper servers or clients with a valid certificate for the PTR name. It's important to note that attacker must present a certificate which is trusted by ZKTrustManager which makes the attack vector harder to exploit. Users are recommended to upgrade to version 3.8.6 or 3.9.5, which fixes this issue by introducing a new configuration option to disable reverse DNS lookup in client and quorum protocols.

N/A

不恰当地信任反向DNS

Apache Zookeeper 安全漏洞

Apache Zookeeper是美国阿帕奇（Apache）基金会的一个软件项目，它能够为大型分布式计算提供开源的分布式配置服务、同步服务和命名注册等功能。 Apache Zookeeper存在安全漏洞，该漏洞源于ZKTrustManager中的主机名验证在IP SAN验证失败时会回退到反向DNS查询，可能导致攻击者冒充服务器或客户端。

N/A

N/A