A flaw was found in Apache Kafka during the migration from ZooKeeper (ZK) to KRaft mode that affects Access Control List (ACL) enforcement. Specifically, when an ACL is removed from a resource that retains two or more other ACLs, Kafka may incorrectly treat the resource as having only one ACL. This issue can lead to misconfigured access permissions during the migration period. Depending on the type of ACLs (ALLOW or DENY) in use, the impact ranges from potential availability issues (for ALLOW ACLs) to confidentiality and integrity risks (for DENY ACLs). The bug can be mitigated by resetting broker state or by adding new ACLs, neither of which causes metadata loss.
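A defender-side check for the condition described above, added here as an example and not taken from the advisory or from the Kafka project: after removing one ACL from a resource during a migration, list the resource's ACLs again and compare them with the set that should remain. The listing format parsed below follows the shape `kafka-acls.sh --list` prints (an assumption about the tool's output; the sample listings are constructed), and the impact classification mirrors the advisory's own ALLOW/DENY distinction.

```python
import re

# Constructed sample listings in the shape kafka-acls.sh prints for --list.
# The exact line format is an assumption; adjust RESOURCE_RE / ACL_RE if your
# Kafka version formats lines differently.
BEFORE_LISTING = """\
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=orders, patternType=LITERAL)`:
 	(principal=User:alice, host=*, operation=READ, permissionType=ALLOW)
 	(principal=User:bob, host=*, operation=WRITE, permissionType=ALLOW)
 	(principal=User:carol, host=*, operation=DESCRIBE, permissionType=ALLOW)
 	(principal=User:mallory, host=*, operation=READ, permissionType=DENY)
"""

# Constructed listing taken after carol's ACL was removed. A broker exhibiting
# the flaw reports only one ACL although three should remain.
AFTER_LISTING = """\
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=orders, patternType=LITERAL)`:
 	(principal=User:alice, host=*, operation=READ, permissionType=ALLOW)
"""

RESOURCE_RE = re.compile(r"Current ACLs for resource `(.+?)`:")
ACL_RE = re.compile(
    r"\(principal=(?P<principal>[^,]+), host=(?P<host>[^,]+), "
    r"operation=(?P<op>[^,]+), permissionType=(?P<perm>[^)]+)\)"
)


def parse_acl_listing(text):
    """Map each resource pattern string to the set of ACL tuples listed under it.

    An ACL tuple is (principal, host, operation, permissionType).
    """
    acls = {}
    current = None
    for line in text.splitlines():
        res = RESOURCE_RE.search(line)
        if res:
            current = res.group(1)
            acls.setdefault(current, set())
            continue
        acl = ACL_RE.search(line)
        if acl and current is not None:
            acls[current].add((acl["principal"], acl["host"], acl["op"], acl["perm"]))
    return acls


def verify_after_removal(before_text, after_text, resource, removed):
    """Compare the ACLs listed before and after removing `removed` from `resource`.

    Returns the ACLs that should still be present but are no longer listed
    ("missing"), any ACLs that appeared unexpectedly ("unexpected"), and an
    overall ok flag.
    """
    before = parse_acl_listing(before_text).get(resource, set())
    after = parse_acl_listing(after_text).get(resource, set())
    expected = before - {removed}
    missing = expected - after
    unexpected = after - expected
    return {
        "expected": expected,
        "missing": missing,
        "unexpected": unexpected,
        "ok": not missing and not unexpected,
    }


def classify_impact(missing):
    """Classify lost ACLs along the lines the advisory describes.

    A lost DENY rule means a denial is no longer enforced (confidentiality and
    integrity risk); lost ALLOW rules only mean legitimate access stops working
    (availability).
    """
    if not missing:
        return "none"
    if any(acl[3] == "DENY" for acl in missing):
        return "confidentiality/integrity"
    return "availability"


if __name__ == "__main__":
    resource = "ResourcePattern(resourceType=TOPIC, name=orders, patternType=LITERAL)"
    removed = ("User:carol", "*", "DESCRIBE", "ALLOW")
    report = verify_after_removal(BEFORE_LISTING, AFTER_LISTING, resource, removed)
    print("ok:", report["ok"])
    for acl in sorted(report["missing"]):
        print("missing after removal:", acl)
    print("impact:", classify_impact(report["missing"]))
```

Run this against real `--list` output captured before and after the ACL change; a non-empty "missing" set on a migrating cluster is the signal to apply one of the mitigations named above (reset broker state or re-add the ACLs) before relying on enforcement.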
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria, comprising ease of use and deployment, applicability to a widespread installation base, or stability.