BIT-kafka-2024-27309
ACL Bypass vulnerability in kafka-metadata (Maven)

Class: ACL Bypass | Known public exploit: none

What is BIT-kafka-2024-27309 About?

This vulnerability affects Apache Kafka during migration from ZooKeeper to KRaft mode, leading to incorrect ACL enforcement. Specifically, when an ACL is removed and two or more other ACLs remain on the resource, Kafka incorrectly treats the resource as having only one ACL. Because DENY ACLs might then be ignored, this can result in unauthorized access or data exposure.

Affected Software

org.apache.kafka:kafka-metadata >=3.5.0, <3.6.2

Technical Details

During the migration of an Apache Kafka cluster from ZooKeeper to KRaft mode, a bug in ACL processing leads to incorrect enforcement. The vulnerability specifically triggers when two preconditions are met: an administrator removes an ACL, and the affected resource still has two or more other ACLs associated with it after the removal. In this scenario, Kafka erroneously processes the resource as having only one active ACL, disregarding the actual number of remaining ACLs. This can cause DENY ACLs to be ignored, potentially leading to unauthorized access, data integrity issues, or confidentiality breaches, depending on the specific ACL configurations. The condition is cleared by removing all ZooKeeper-mode brokers or adding a new ACL.
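An added defender-side check, not part of this advisory or of Apache Kafka itself: after every ACL deletion during the migration window, capture the output of `kafka-acls.sh --bootstrap-server <broker> --list --topic <name>` from the broker whose authorizer you want to verify and confirm that every ACL that should remain, the DENY entries in particular, is still reported. The listing format the parser expects and the two sample listings below (one healthy, one showing the shortfall the advisory describes) are assumptions constructed for the example.

```python
import re

# Matches one ACL entry as printed by `kafka-acls.sh --list` (format assumed).
ACL_RE = re.compile(
    r"\(principal=(?P<principal>[^,]+), host=(?P<host>[^,]+), "
    r"operation=(?P<operation>[^,]+), permissionType=(?P<permission>[^)]+)\)"
)

# Constructed sample: listing for topic `orders` after removing one ALLOW ACL.
# Two ACLs should remain, one of them a DENY for User:bob.
RESOURCE = "ResourcePattern(resourceType=TOPIC, name=orders, patternType=LITERAL)"
EXPECTED = {
    ("User:alice", "*", "READ", "ALLOW"),
    ("User:bob", "*", "READ", "DENY"),
}
HEALTHY_LISTING = f"""Current ACLs for resource `{RESOURCE}`:
\t(principal=User:alice, host=*, operation=READ, permissionType=ALLOW)
\t(principal=User:bob, host=*, operation=READ, permissionType=DENY)
"""
# Constructed listing from a broker exhibiting the bug: only one ACL is reported.
BUGGY_LISTING = f"""Current ACLs for resource `{RESOURCE}`:
\t(principal=User:alice, host=*, operation=READ, permissionType=ALLOW)
"""


def parse_acl_listing(text):
    """Return {resource pattern: set of (principal, host, operation, permission)}."""
    acls, current = {}, None
    for line in text.splitlines():
        if line.startswith("Current ACLs for resource"):
            m = re.search(r"`([^`]+)`", line)
            current = m.group(1) if m else line.strip()
            acls[current] = set()
        elif current is not None:
            m = ACL_RE.search(line)
            if m:
                acls[current].add(
                    (m["principal"], m["host"], m["operation"], m["permission"]))
    return acls


def check_after_removal(listing_text, resource, expected_remaining):
    """Compare the broker's view of `resource` with the ACLs that should remain.

    Returns (ok, problems). A shortfall where two or more ACLs are expected is
    exactly the condition the advisory describes, so it is reported explicitly.
    """
    remaining = parse_acl_listing(listing_text).get(resource, set())
    problems = [f"missing {acl[3]} ACL {acl}" for acl in sorted(expected_remaining - remaining)]
    if len(expected_remaining) >= 2 and len(remaining) < len(expected_remaining):
        problems.append(f"expected {len(expected_remaining)} ACLs, broker reports {len(remaining)}")
    return (not problems, problems)
```

A listing is only the authorizer's self-report; the authoritative confirmation that a DENY still holds is an actual request from the denied principal that fails authorization.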

What is the Impact of BIT-kafka-2024-27309?

Successful exploitation may allow attackers to bypass Access Control Lists (ACLs), leading to unauthorized access, modification, or exposure of sensitive data, or causing service disruption if DENY ACLs are ignored.

What is the Exploitability of BIT-kafka-2024-27309?

Exploitation complexity is high as it depends on specific administrative actions and server states during a migration period. No direct authentication or specific privileges are required for the attacker, but the vulnerability is triggered by an administrator's legitimate action (removing an ACL). Access is primarily remote, provided the attacker has network access to the Kafka cluster to attempt operations that would normally be denied. The vulnerability only manifests during the migration from ZooKeeper to KRaft mode, and only when the described preconditions regarding ACL removal and remaining ACLs are met. This narrow window and specific setup make exploitation less likely without inside knowledge or sophisticated reconnaissance.

What are the Known Public Exploits?

No known public exploits (PoC / author / link / commentary: none listed).

What are the Available Fixes for BIT-kafka-2024-27309?

Available Upgrade Options

  • org.apache.kafka:kafka-metadata
    • >=3.5.0, <3.6.2 → Upgrade to 3.6.2


Additional Resources

What are Similar Vulnerabilities to BIT-kafka-2024-27309?

Similar Vulnerabilities: CVE-2020-17522, CVE-2021-38153, CVE-2023-34444, CVE-2023-34445, CVE-2023-37901