Red Hat CVE record (redhatcve, Redhat.com): RH:CVE-2024-27309
History: Jun 11, 2024 - 8:54 p.m.

CVE-2024-27309

2024-06-11 20:54:46
redhat.com
access.redhat.com
Tags: apache kafka, cluster, migration, security, vulnerability, zookeeper, kraft, acls, bug, resource, administrators, precondition, brokers, metadata, impact, availability, confidentiality, integrity

AI Score: 6.6 Medium (confidence: Low)
EPSS: 0.0004 Low (percentile: 9.1%)

A flaw was found in Apache Kafka during the migration from ZooKeeper (ZK) to KRaft mode that affects Access Control List (ACL) enforcement. Specifically, when an ACL is removed from a resource and the resource retains two or more other ACLs, Kafka may incorrectly treat the resource as having only one ACL. This issue can lead to misconfigured access permissions during the migration period. Depending on the type of ACLs (ALLOW or DENY) in use, the impact ranges from potential availability issues (for ALLOW ACLs) to confidentiality and integrity risks (for DENY ACLs). The bug can be mitigated by resetting broker states or adding new ACLs without causing metadata loss.

Mitigation

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria, which comprise ease of use and deployment, applicability to a widespread installation base, and stability.
