From: Colin McCabe
To: oss-security@lists.openwall.com
Message-ID: <1b463333-a906-8c9c-db58-34ad940518cf@apache.org>
Date: Thu, 11 Apr 2024 22:45:54 +0000
Subject: [oss-security] CVE-2024-27309: Apache Kafka: Potential incorrect access control during migration from ZK mode to KRaft mode

Severity: critical

Affected versions:

- Apache Kafka 3.5.0, 3.5.1, 3.5.2, 3.6.0, 3.6.1

Description:

While an Apache Kafka cluster is being migrated from ZooKeeper mode to KRaft mode, in some cases ACLs will not be correctly enforced.

Two preconditions are needed to trigger the bug:

1. The administrator decides to remove an ACL.
2. The resource associated with the removed ACL continues to have two or more other ACLs associated with it after the removal.

When those two preconditions are met, Kafka will treat the resource as if it had only one ACL associated with it after the removal, rather than the two or more that would be correct.

The incorrect condition is cleared by removing all brokers in ZK mode, or by adding a new ACL to the affected resource. Once the migration is completed, there is no metadata loss (the ACLs all remain).

The full impact depends on the ACLs in use. If only ALLOW ACLs were configured during the migration, the impact would be limited to availability impact. If DENY ACLs were configured, the impact could include confidentiality and integrity impact depending on the ACLs configured, as the DENY ACLs might be ignored due to this vulnerability during the migration period.

References:

https://kafka.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-27309
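To make the impact statement concrete, the following is an added Python model (not Kafka's code, and not part of the advisory) of how a Kafka-style authorizer decides access for one resource, where a matching DENY entry always wins and an ALLOW entry is otherwise required. It shows why losing a DENY entry from the effective ACL set flips a decision, and includes a drift check an operator could run against the ACLs a broker reports during migration; the ACL entries, principals and hosts are constructed, and the model does not claim to reproduce which entry the affected versions keep.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Acl:
    principal: str   # e.g. "User:alice"
    host: str        # "*" matches any host
    operation: str   # e.g. "Read", "Write"; "All" matches any operation
    permission: str  # "Allow" or "Deny"


def _matches(acl, principal, host, operation):
    return (acl.principal == principal
            and acl.host in ("*", host)
            and acl.operation in ("All", operation))


def authorize(acls, principal, host, operation):
    """Decision for one resource: any matching DENY wins; otherwise a matching ALLOW is required."""
    matching = [a for a in acls if _matches(a, principal, host, operation)]
    if any(a.permission == "Deny" for a in matching):
        return False
    return any(a.permission == "Allow" for a in matching)


def missing_acls(expected, observed):
    """Expected entries absent from what a broker reports (sorted for stable output)."""
    return sorted(set(expected) - set(observed), key=str)


def flipped_decisions(expected, observed, requests):
    """Requests (principal, host, operation) whose outcome differs between the two ACL sets."""
    return [r for r in requests if authorize(expected, *r) != authorize(observed, *r)]


# Constructed sample: a topic with two ALLOW entries and one host-scoped DENY entry.
TOPIC_ACLS = [
    Acl("User:alice", "*", "Read", "Allow"),
    Acl("User:alice", "*", "Write", "Allow"),
    Acl("User:alice", "10.0.0.99", "Read", "Deny"),
]

# Constructed degraded view: the same resource with its DENY entry no longer effective.
DEGRADED_ACLS = [a for a in TOPIC_ACLS if a.permission == "Allow"]

if __name__ == "__main__":
    reqs = [("User:alice", "10.0.0.99", "Read"), ("User:alice", "10.0.0.5", "Read")]
    print("missing:", missing_acls(TOPIC_ACLS, DEGRADED_ACLS))
    print("flipped:", flipped_decisions(TOPIC_ACLS, DEGRADED_ACLS, reqs))
```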