Apache Kafka Flaw Lets Attackers Gain Access To Sensitive Data
An incorrect access control vulnerability has been discovered in Apache Kafka that could allow threat actors to compromise the confidentiality, integrity, and availability (CIA) of the affected resource.
This vulnerability has been assigned CVE-2024-27309, and its severity has yet to be classified.
Apache Kafka is an open-source event streaming platform that provides high-performance streaming analytics, data integration, and many other features.
Apache Kafka also offers permanent storage, scalability, and high throughput as core capabilities.
According to the Apache Kafka website, more than 80% of Fortune 100 companies use Apache Kafka for various purposes.
Apache Kafka Flaw
According to the advisory, this vulnerability occurs while a cluster is being migrated from ZooKeeper mode to KRaft mode.
During this migration, some ACLs (Access Control Lists) are not correctly enforced.
Two preconditions must be met to trigger this bug. First, the administrator must decide to remove an ACL; second, the resource associated with the removed ACL must still have two or more ACLs associated with it after the removal.
When both preconditions are met, Apache Kafka treats the resource as having only one ACL associated with it after the removal.
This means the other remaining ACLs on that resource are not enforced, instead of all of them being enforced as intended.
The incorrect condition is cleared when all brokers are removed from ZK mode, or when a new ACL is added to the affected resource.
Once the migration is completed, there is no metadata loss and all the ACLs remain in place. However, the full impact of this vulnerability depends on the ACLs in use.
If only ALLOW ACLs were configured during the migration, the impact is limited to availability: legitimate clients whose ALLOW rule is dropped are denied access.
If DENY ACLs were configured, the impact can extend to confidentiality and integrity, because the DENY ACLs may be ignored during the migration period and requests that should have been refused are permitted.
The affected products are Apache Kafka versions 3.5.0, 3.5.1, 3.5.2, 3.6.0, and 3.6.1.
Users of Apache Kafka are advised to upgrade to the latest versions (the issue is fixed in 3.6.2 and 3.7.0) to prevent threat actors from exploiting this vulnerability.
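The following is an added example, not code from the article or from the Apache Kafka project. It models the authorizer evaluation order Kafka uses (a matching DENY wins, otherwise a matching ALLOW is required, otherwise access is denied) and the bug as the advisory describes it: after one ACL is deleted from a resource that still has two or more ACLs, an affected broker enforces only one of the remaining ACLs instead of all of them. The advisory does not say which ACL survives, so the model keeps the first one (an assumption). The sample ACL listing is constructed in the shape printed by `kafka-acls.sh --list` (format assumed, not taken from the page), and the model ignores Kafka's implied operations such as READ implying DESCRIBE. Running it shows why an ALLOW-only ruleset yields only an availability impact while a ruleset containing DENY entries yields a confidentiality/integrity impact.

```python
"""Model of how CVE-2024-27309 degrades ACL enforcement during a ZK->KRaft migration.

Added example; not Apache Kafka code. Simplifications and assumptions are
marked in comments.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Acl:
    principal: str
    host: str
    operation: str
    permission: str  # "ALLOW" or "DENY"


# Constructed sample in the shape of `kafka-acls.sh --list` output (format
# assumed from memory; the topic, principals and rules are invented).
ACL_LIST_OUTPUT = """\
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=payments, patternType=LITERAL)`:
 \t(principal=User:*, host=*, operation=READ, permissionType=ALLOW)
\t(principal=User:bob, host=*, operation=READ, permissionType=DENY)
\t(principal=User:carol, host=*, operation=WRITE, permissionType=ALLOW)
\t(principal=User:dave, host=*, operation=DESCRIBE, permissionType=ALLOW)
"""

ACL_RE = re.compile(
    r"\(principal=(?P<principal>[^,]+), host=(?P<host>[^,]+), "
    r"operation=(?P<operation>[^,]+), permissionType=(?P<permission>ALLOW|DENY)\)"
)


def parse_acl_list(text: str) -> list[Acl]:
    """Extract the ACL entries from kafka-acls --list style output."""
    return [Acl(**m.groupdict()) for m in ACL_RE.finditer(text)]


def matches(acl: Acl, principal: str, host: str, operation: str) -> bool:
    """An ACL applies if principal, host and operation match (wildcards allowed)."""
    return (acl.principal in (principal, "User:*")
            and acl.host in (host, "*")
            and acl.operation in (operation, "ALL"))


def authorize(acls: list[Acl], principal: str, host: str, operation: str) -> bool:
    """Kafka-style decision: any matching DENY refuses; otherwise a matching
    ALLOW is required; with no match the default is deny."""
    hits = [a for a in acls if matches(a, principal, host, operation)]
    if any(a.permission == "DENY" for a in hits):
        return False
    return any(a.permission == "ALLOW" for a in hits)


def enforced_after_removal(acls: list[Acl], removed: Acl, buggy: bool) -> list[Acl]:
    """ACL set a broker actually enforces after `removed` is deleted.

    A correct broker keeps every remaining ACL. A broker affected by
    CVE-2024-27309 keeps only one ACL when two or more remain; the advisory
    does not say which, so this model keeps the first (assumption)."""
    remaining = [a for a in acls if a != removed]
    if buggy and len(remaining) >= 2:
        return remaining[:1]
    return remaining


def classify_impact(acls: list[Acl], removed: Acl,
                    checks: list[tuple[str, str, str]]) -> set[str]:
    """Compare correct and buggy decisions for (principal, host, operation) checks.

    A request that becomes denied is an availability impact; one that becomes
    allowed is a confidentiality/integrity impact, which can only happen when
    a DENY ACL was among those dropped."""
    good = enforced_after_removal(acls, removed, buggy=False)
    bad = enforced_after_removal(acls, removed, buggy=True)
    impact: set[str] = set()
    for principal, host, op in checks:
        before = authorize(good, principal, host, op)
        after = authorize(bad, principal, host, op)
        if before and not after:
            impact.add("availability")
        if after and not before:
            impact.add("confidentiality/integrity")
    return impact


if __name__ == "__main__":
    acls = parse_acl_list(ACL_LIST_OUTPUT)
    removed = Acl("User:dave", "*", "DESCRIBE", "ALLOW")  # the ACL the admin deletes
    checks = [("User:bob", "10.0.0.5", "READ"),
              ("User:carol", "10.0.0.5", "WRITE"),
              ("User:alice", "10.0.0.5", "READ")]
    print("with a DENY rule present:", classify_impact(acls, removed, checks))
    allow_only = [a for a in acls if a.permission == "ALLOW"]
    print("ALLOW rules only:        ", classify_impact(allow_only, removed, checks))
```

With the DENY rule for bob present, the model reports both an availability impact (carol loses WRITE) and a confidentiality/integrity impact (bob's DENY vanishes and the wildcard ALLOW lets him read); with ALLOW rules only, the same removal reports availability impact alone, matching the advisory's two cases. As a practical pre-migration check, the same parser can be run over real `kafka-acls.sh --list` output to flag resources that carry two or more ACLs, since those are the only ones where deleting an ACL during the migration can trigger the bug.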
Source credit: cybersecuritynews.com