Kafka Migration Bug Affects ACL Enforcement
CVE-2024-27309

7.4 HIGH

Key Information:

Vendor:
Apache
CVE Published:
12 April 2024

Summary

During the migration of an Apache Kafka cluster from ZooKeeper mode to KRaft mode, Access Control Lists (ACLs) may not be enforced correctly. The problem is triggered under a specific condition: an administrator removes an ACL while the resource that ACL was attached to still has two or more other ACLs. In that case Kafka may mistakenly treat the resource as having only one ACL, which can lead to unintended access behavior. The problem resolves either when all brokers running in ZooKeeper mode have been removed or when a new ACL is assigned to the affected resource. Once the migration is finalized, the metadata is intact, so no data is lost. The severity depends on the kinds of ACLs configured: if only allow ACLs are present, the impact is limited to availability concerns, while deny ACLs can lead to more serious confidentiality and integrity risks during the transition.
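The trigger condition above (an ACL removed from a resource that still holds two or more ACLs, while the cluster is mid-migration on an affected version) is something an operator can audit for from their own ACL change records. The following is an added example, not Apache Kafka code or any tooling from the advisory: it replays a constructed list of ACL add/remove events, flags removals that match the condition, classifies the impact using the allow/deny distinction the advisory draws, and checks a broker version against the affected ranges. The event tuple format and the "ALLOW:"/"DENY:" string prefix are assumptions made for this example only.

```python
"""Audit helper for the CVE-2024-27309 trigger condition.

Added example, not Apache Kafka code. It models the advisory's condition:
during a ZooKeeper-to-KRaft migration on an affected version, removing an
ACL from a resource that still has two or more ACLs may leave Kafka
treating the resource as if it had only one ACL.
"""

from collections import defaultdict

# Affected ranges from the advisory: 3.5.0 through 3.5.2 and 3.6.0 through 3.6.1.
AFFECTED_RANGES = [((3, 5, 0), (3, 5, 2)), ((3, 6, 0), (3, 6, 1))]


def parse_version(version):
    """'3.6.1' -> (3, 6, 1); trailing qualifiers such as '-SNAPSHOT' are dropped."""
    core = version.split("-")[0]
    return tuple(int(part) for part in core.split("."))


def is_affected_version(version):
    """True when the broker version falls inside one of the affected ranges."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def classify_impact(remaining_acls):
    """Map the advisory's severity rule onto the ACLs left on the resource.

    Deny ACLs present: confidentiality/integrity risk. Allow-only: availability.
    """
    if any(acl.startswith("DENY:") for acl in remaining_acls):
        return "confidentiality/integrity"
    return "availability"


def risky_removals(events, in_migration):
    """Replay ACL events and return removals matching the trigger condition.

    events: iterable of (op, resource, acl) tuples (format assumed for this
    example), where op is 'add' or 'remove' and acl is a string such as
    'ALLOW:User:alice:READ'. Returns a list of dicts, one per flagged removal.
    """
    acls = defaultdict(set)
    findings = []
    for op, resource, acl in events:
        if op == "add":
            acls[resource].add(acl)
        elif op == "remove":
            acls[resource].discard(acl)
            remaining = acls[resource]
            # The advisory's condition: two or more ACLs remain on the resource
            # after the removal, and the cluster is still in migration.
            if in_migration and len(remaining) >= 2:
                findings.append({
                    "resource": resource,
                    "removed": acl,
                    "remaining": len(remaining),
                    "impact": classify_impact(remaining),
                    # Either remediation named in the advisory clears the state.
                    "remediation": "add a new ACL to the resource, or remove "
                                   "all ZooKeeper-mode brokers to finish migration",
                })
        else:
            raise ValueError(f"unknown ACL operation: {op!r}")
    return findings


# Constructed sample events for a cluster mid-migration (not real audit data).
SAMPLE_EVENTS = [
    ("add", "topic:orders", "ALLOW:User:alice:READ"),
    ("add", "topic:orders", "ALLOW:User:bob:WRITE"),
    ("add", "topic:orders", "DENY:User:mallory:READ"),
    ("remove", "topic:orders", "ALLOW:User:bob:WRITE"),   # 2 ACLs remain -> flagged
    ("add", "topic:audit", "ALLOW:User:carol:READ"),
    ("add", "topic:audit", "ALLOW:User:dave:READ"),
    ("remove", "topic:audit", "ALLOW:User:carol:READ"),   # 1 ACL remains -> not flagged
]

if __name__ == "__main__":
    print("broker 3.6.1 affected:", is_affected_version("3.6.1"))
    for finding in risky_removals(SAMPLE_EVENTS, in_migration=True):
        print(finding)
```

Run against a real change history, the same replay gives a short list of resources to re-check with `kafka-acls.sh --list` on both ZooKeeper-mode and KRaft-mode brokers, and for each flagged resource the cheapest fix the advisory offers is to add one more ACL to it.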

Affected Version(s)

Apache Kafka 3.5.0 through 3.5.2 (inclusive)

Apache Kafka 3.6.0 through 3.6.1 (inclusive)

References

CVSS V3.1

Score:
7.4
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
