Apache Kafka Flaw Let Attackers Gain Access To Sensitive Data

A new incorrect access control vulnerability has been discovered in Apache Kafka that could allow threat actors to compromise the CIA (Confidentiality, Integrity, and Availability) on the affected resource. 

This vulnerability has been assigned to CVE-2024-27309, and its severity has yet to be categorized.

Apache Kafka is an open-source event streaming platform that offers high-performance streaming analytics, data integration, and several other purposes. 

Apache Kafka also offers permanent storage, scalability, and high throughput as core capabilities.

According to the Apache Kafka website, almost 80% of the Fortune 100 companies have been using Apache Kafka for various purposes.

Apache Kafka Flaw

As per the advisory, this particular vulnerability became existent during migration from ZooKeeper mode to Kraft Mode.

Some of the ACLs (Access Control Lists) are not correctly enforced during this migration.

Document
Stop Advanced Phishing Attack With AI

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Stopping 99% of phishing attacks missed by other email security solutions. .

Moreover, there are two preconditions to trigger this bug. One of the preconditions is that the administrator must decide to remove an ACL, and the second condition is that the resource associated with the removed ACL must have two or more ACLs related to it after being removed.

If both of these preconditions are available, Apache Kafka will treat the resource as having only one ACL associated with it after removal.

This means that the other two or more ACLs will be treated differently. 

However, the incorrect condition will be cleared when all the brokers are removed in ZK mode or when a new ACL is added to the affected resource.

When the migration gets completed, all the ACLs will stay in place.  Nevertheless, the complete impact of this vulnerability depends on the ACLs in use. 

If the ACLs have only ALLOW conditions configured during the migration, the impact of this vulnerability is limited to availability impact.

In case if the ACLs are configured as DENY, the impact could escalate to affected confidentiality and integrity as the DENY ACLs might become ignored because of this vulnerability during the migration period.

The Affected products of this vulnerability include Apache Kafka versions 3.5.0, 3.5.1, 3.5.2, 3.6.0, and 3.6.1.

Users of this Apache Kafka are recommended to upgrade to the latest versions to prevent threat actors from exploiting this vulnerability.

Secure your emails in a heartbeat! To find your ideal email security vendor, Take a Free 30-Second Assessment.

Eswar is a Cyber security reporter with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is reporting data breach, Privacy and APT Threats.