CVE-2026-24308
Java vulnerability analysis and mitigation

Overview

CVE-2026-24308 is an information disclosure vulnerability in Apache ZooKeeper caused by improper handling of configuration values in the ZKConfig component. It affects Apache ZooKeeper versions 3.8.0 through 3.8.5 and 3.9.0 through 3.9.4 on all platforms, allowing sensitive client configuration data to be exposed in client logfiles at INFO-level logging. The vulnerability was disclosed on March 7, 2026, by reporter Youlong Chen via the Apache security mailing list, and patches were released the same day (OSS-Security, GitHub Advisory). It carries a CVSS v3.1 base score of 7.5 (High) and a CVSS v4.0 base score of 8.7 (High) (GitHub Advisory). Downstream products including Oracle Communications Unified Assurance (versions 6.1.1–7.0.0), IBM Operational Decision Manager, and IBM Storage Scale are also affected (Oracle, GitHub Advisory).

Technical details

The root cause is classified as CWE-532 (Insertion of Sensitive Information into Log File): the ZKConfig class in the ZooKeeper client improperly logs configuration values — including potentially sensitive credentials or connection strings — at INFO level without sanitization or masking (GitHub Advisory, OSS-Security). The attack vector is network-based (no authentication required), with low complexity and no user interaction needed — an attacker simply needs read access to the client's logfile to obtain the exposed configuration data. No special privileges are required to trigger the logging behavior, as it occurs automatically during normal ZooKeeper client operation at the default INFO log level. No public proof-of-concept exploit code has been identified (GitHub Advisory).

Impact

Successful exploitation results in a high confidentiality impact: sensitive information stored in ZooKeeper client configuration — such as authentication credentials, connection strings, or other secrets — is written to logfiles in plaintext and can be read by any party with access to those logs (OSS-Security, GitHub Advisory). There is no direct integrity or availability impact from this vulnerability itself. However, exposed credentials could enable lateral movement or privilege escalation within the broader infrastructure, particularly in environments where ZooKeeper coordinates distributed systems such as Kafka, Hadoop, or other big data platforms (Oracle).

Mitigation and workarounds

The primary remediation is to upgrade Apache ZooKeeper to version 3.8.6 or 3.9.5, which fix the improper configuration logging behavior (GitHub Advisory, OSS-Security). As interim workarounds, administrators should: (1) restrict file system permissions on ZooKeeper client logfiles to limit access to authorized users only; (2) consider raising the ZooKeeper client logging level above INFO to prevent sensitive configuration values from being written to logs; and (3) audit existing logfiles for exposed sensitive data and rotate any credentials that may have been logged. IBM Operational Decision Manager and IBM Storage Scale users should apply the respective IBM security bulletins, and Oracle Communications Unified Assurance users should apply the May 2026 Critical Security Patch Update (Oracle).
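Workaround (3), auditing existing client logfiles for exposed configuration values, can be scripted. The following is an added example, not code from the ZooKeeper project or the advisory; it assumes a logback-style log layout in which the bracketed field carries the emitting class name (so ZKConfig entries can be isolated), and it runs over constructed sample lines rather than real ZooKeeper output.

```python
import re

# Assumed log layout (logback-style; an assumption, not taken from the advisory):
# "<date> <time> [myid:] - <LEVEL>  [<thread>:<Class>@<line>] - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[myid:[^\]]*\] - (?P<level>[A-Z]+)\s+"
    r"\[(?P<thread>[^:\]]+):(?P<cls>\w+)@\d+\] - (?P<msg>.*)$"
)

# key=value pairs inside a message, and the key names that indicate a secret.
KV_RE = re.compile(r"([\w.\-]+)=([^,\s]+)")
SENSITIVE_KEY_RE = re.compile(r"(password|passwd|secret|token|credential)", re.I)


def find_exposed_config(lines):
    """Return (timestamp, level, key, value) for every ZKConfig log entry
    whose message carries a sensitive-looking configuration key.
    The level is reported rather than filtered: INFO is the default case
    described in the advisory, but a hit at any level is still an exposure."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["cls"] != "ZKConfig":
            continue
        for key, value in KV_RE.findall(m["msg"]):
            if SENSITIVE_KEY_RE.search(key):
                hits.append((m["ts"], m["level"], key, value))
    return hits


def redact(line):
    """Mask the value of any sensitive-looking key=value pair so that a copy
    of the log can be shared (e.g. attached to a ticket) without the secret."""
    return KV_RE.sub(
        lambda m: f"{m.group(1)}=****" if SENSITIVE_KEY_RE.search(m.group(1)) else m.group(0),
        line,
    )


# Constructed sample log lines (illustrative; not real ZooKeeper output).
SAMPLE_LOG = [
    "2026-03-07 10:15:02,101 [myid:] - INFO  [main:ZKConfig@87] - Loaded config: "
    "zookeeper.client.secure=true, zookeeper.ssl.keyStore.location=/etc/zk/client.jks, "
    "zookeeper.ssl.keyStore.password=hunter2",
    "2026-03-07 10:15:02,102 [myid:] - INFO  [main:ZooKeeper@1110] - Initiating client connection, connectString=zk1:2281",
    "2026-03-07 10:15:02,103 [myid:] - INFO  [main:ZKConfig@87] - Loaded config: zookeeper.sasl.client=true, zookeeper.sasl.clientconfig=Client",
    "2026-03-07 10:15:03,004 [myid:] - WARN  [main:ZKConfig@90] - zookeeper.ssl.trustStore.password=changeit",
]

if __name__ == "__main__":
    for ts, level, key, _ in find_exposed_config(SAMPLE_LOG):
        print(f"{ts} {level}: {key} exposed; rotate this credential")
```

Any key reported by `find_exposed_config` points at a credential that should be rotated, per workaround (3); `redact` is for the copies of the log that leave the host, not a substitute for restricting access to the original.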

Community reactions

Security news outlets including GBHackers, CyberSecurityNews, SecurityOnline, and CyberPress covered the vulnerability shortly after disclosure, characterizing it as a notable information disclosure risk in widely deployed distributed coordination infrastructure (GitHub Advisory). The Hacker News included it in its weekly recap of notable vulnerabilities. SmarterMSP published a cybersecurity threat advisory specifically addressing the ZooKeeper flaw. Community discussion on Bluesky (infosec.skyfleet.blue) and the oss-security mailing list noted the straightforward nature of the fix and the importance of log hygiene in distributed systems. Overall, industry reaction was measured — the vulnerability was treated as a significant but non-critical disclosure issue given the absence of active exploitation.

Additional resources

Source: This report was generated using artificial intelligence.
