Overview
While an Apache Kafka cluster is being migrated from ZooKeeper mode to KRaft mode, access control lists (ACLs) will not be correctly enforced in some cases. Two preconditions are required to trigger this bug:
- The administrator decides to remove an ACL
- The resource associated with the removed ACL continues to have two or more ACLs associated with it
Under these conditions, Kafka will treat the resource as if it had only one ACL associated with it.
If ALLOW ACLs were configured, this may lead to availability issues, as previous ALLOW ACL entries may be dropped. If DENY ACLs were configured, this could lead to confidentiality or integrity issues as the DENY ACLs may be dropped.
Is Aiven Affected?
Aiven’s is unaffected by this issue.
Aiven does not satisfy either condition required to trigger this issue. Aiven uses custom ACLs which predate the upstream ACLs, and at this time, Aiven does not leverage KRaft.
We will continue to monitor this situation as it develops and are committed to ensuring the continued security of our services.
References
https://lists.apache.org/thread/6536rmzyg076lzzdw2xdktvnz163mjpy
https://www.cve.org/CVERecord?id=CVE-2024-27309