Impacted Versions
- Confluent Platform versions 7.5.0, 7.5.1 and 7.6.0. Note that these versions are only affected while a cluster is in ZooKeeper (ZK) to KRaft migration mode and the specific preconditions for CVE-2024-27309 (noted in the Issue section below) are met.
- Some specific Confluent Cloud clusters were affected by this issue between January 17, 2024 and January 26, 2024. However, no security impact was observed for the identified impacted clusters.
Recommended Action
- Upgrade to Confluent Platform versions 7.5.4 or 7.6.1
Issue
Because of CVE-2024-27309, while a Confluent Platform Kafka cluster is being migrated from ZK to KRaft mode, Kafka ACLs are not enforced as expected under the specific conditions noted below.
Two preconditions are needed to trigger the bug during migration:
- A cluster administrator decides to remove an ACL
- The resource associated with the removed ACL continues to have two or more other ACLs associated with it after the removal.
When those two preconditions are met, Kafka will treat the resource as if it had only one ACL associated with it after the removal, rather than the ACLs that were in place before. This incorrect condition only exists on brokers in ZK mode and does not apply when adding an ACL. On the impacted versions, the incorrect condition can also be cleared by removing all brokers in ZK mode or by adding a new ACL to the affected resource.
The full impact on vulnerable versions of Confluent Platform clusters depends on the type of ACLs that were in use at the time of the migration. If only ALLOW ACLs were configured during the migration, the impact is limited to availability, since the only effect of an ignored ALLOW ACL is that a permitted principal loses access. If DENY ACLs were configured, the impact could include confidentiality and integrity, depending on the ACLs configured, because the DENY ACLs might be ignored during the migration period.
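The post-removal verification a migration runbook would want, as an added example that is not Confluent's or Apache Kafka's code: it models the condition above on constructed sample ACLs for a hypothetical topic and reports, per resource, which remaining ACLs a ZK-mode broker is no longer enforcing and whether that falls into the advisory's availability case or its confidentiality/integrity case. The `Acl` type, the sample principals and the `check_resource` function are assumptions of this example; in practice the observed set would be taken from the broker's own ACL listing after the removal.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Acl:
    principal: str
    host: str
    operation: str
    permission: str  # "ALLOW" or "DENY"

def expected_after_removal(before: frozenset, removed: Acl) -> frozenset:
    """The ACLs a resource should still carry once `removed` is deleted."""
    return before - {removed}

def check_resource(resource: str, before: frozenset, removed: Acl, observed: frozenset) -> dict:
    """Compare the ACLs a broker reports after a removal with the expected set.
    `observed` is what the broker actually enforces (e.g. a listing taken on a
    ZK-mode broker after the removal); anything expected but absent is an ACL
    the broker would fail to enforce during the migration window."""
    expected = expected_after_removal(before, removed)
    missing = expected - observed
    risk = "none"
    if missing:
        # The advisory's impact split: a dropped DENY can let a principal in
        # (confidentiality/integrity); a dropped ALLOW only locks one out.
        risk = ("confidentiality/integrity"
                if any(a.permission == "DENY" for a in missing) else "availability")
    return {
        "resource": resource,
        # The bug needs two or more ACLs left on the resource after the removal.
        "precondition_met": len(expected) >= 2,
        "missing": missing,
        "risk": risk,
    }

# Constructed sample data for a hypothetical topic; not from any real cluster.
ALICE_READ = Acl("User:alice", "*", "READ", "ALLOW")
BOB_WRITE = Acl("User:bob", "*", "WRITE", "ALLOW")
MALLORY_DENY = Acl("User:mallory", "*", "READ", "DENY")
BEFORE = frozenset({ALICE_READ, BOB_WRITE, MALLORY_DENY})
OBSERVED_BUGGY = frozenset({ALICE_READ})  # ZK-mode broker with the bug keeps one ACL
OBSERVED_FIXED = frozenset({ALICE_READ, MALLORY_DENY})  # patched broker keeps both

if __name__ == "__main__":
    for label, observed in (("buggy", OBSERVED_BUGGY), ("fixed", OBSERVED_FIXED)):
        print(label, check_resource("topic:orders", BEFORE, BOB_WRITE, observed))
```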
Remediation
- Confluent Platform:
This issue is resolved in Confluent Platform patch release versions 7.5.4 and 7.6.1. These fixes adequately address this issue.
- Confluent Cloud:
This issue is resolved in Confluent Cloud and no further action is necessary.