Description
While an Apache Kafka cluster is being migrated from ZooKeeper mode to KRaft mode, in some cases ACLs will not be correctly enforced. Two preconditions are needed to trigger the bug:
- The administrator decides to remove an ACL
- The resource associated with the removed ACL continues to have two or more other ACLs associated with it after the removal.
When those two preconditions are met, Kafka will treat the resource as if it had only one ACL associated with it after the removal, rather than the two or more that would be correct.
The incorrect condition is cleared by removing all brokers in ZK mode, or by adding a new ACL to the affected resource. Once the migration is completed, there is no metadata loss (the ACLs all remain).
The full impact depends on the ACLs in use. If only ALLOW ACLs were configured during the migration, the impact would be limited to availability impact. If DENY ACLs were configured, the impact could include confidentiality and integrity impact depending on the ACLs configured, as the DENY ACLs might be ignored due to this vulnerability during the migration period.
A flaw was found in Apache Kafka during the migration from ZooKeeper (ZK) to KRaft mode that affects Access Control List (ACL) enforcement. Specifically, when an ACL is removed from a resource and the resource retains two or more other ACLs, Kafka may incorrectly treat the resource as having only one ACL. This issue can lead to misconfigured access permissions during the migration period. Depending on the type of ACLs (ALLOW or DENY) in use, the impact ranges from potential availability issues (for ALLOW ACLs) to confidentiality and integrity risks (for DENY ACLs). The bug can be mitigated by resetting broker states or adding new ACLs without causing metadata loss.
Report
The vulnerability in Apache Kafka during the migration from ZooKeeper (ZK) to KRaft mode is of Moderate severity due to its potential impact on access control enforcement. By incorrectly interpreting the number of ACLs associated with a resource after an ACL removal, Kafka may misapply access permissions during the transitional phase. This could lead to temporary lapses in security enforcement, particularly concerning confidentiality and integrity for DENY ACLs or availability for ALLOW ACLs. While the bug does not result in permanent data loss or corruption, it necessitates careful management to prevent unauthorized access or disruption during the migration process. Immediate mitigation involves resetting broker states or strategically adding new ACLs to affected resources to restore correct access control functionality. Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-863: Incorrect Authorization vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low. The platform's native Role-Based Access Control (RBAC), namespace-level isolation, and network segmentation collectively constrain the scope of access. Access to the platform is granted only after successful hard-token multi-factor authentication (MFA), which is coupled with least privilege principles to ensure that only authorized roles and users can execute or manipulate code. Event logs are collected and processed for centralization, correlation, analysis, monitoring, reporting, alerting, and retention, which helps detect and alert on any atypical use cases or anomalous behavior. Additionally, the platform requires the use of non-privileged accounts when accessing systems that don’t require elevated access.
Mitigation
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to a widespread installation base, or stability.
Affected packages
Platform | Package | State | Recommendation | Release |
---|---|---|---|---|
streams for Apache Kafka | kafka | Will not fix | | |
Additional information
EPSS
6.8 Medium
CVSS3
Related vulnerabilities
Apache Kafka: Potential incorrect access control during migration from ZK mode to KRaft mode