This is an automated email from the ASF dual-hosted git repository.
mimaison pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/kafka-site.git
The following commit(s) were added to refs/heads/asf-site by this push:
new 69c6b8c01 MINOR: Add CVE-2024-27309 (#621)
69c6b8c01 is described below
commit 69c6b8c01d0a7d08d6dba96588b898d174c7f2f6
Author: Mickael Maison <[email protected]>
AuthorDate: Mon Aug 5 11:43:14 2024 +0200
MINOR: Add CVE-2024-27309 (#621)
Reviewers: Josep Prat <[email protected]>
---
cve-list.html | 37 +++++++++++++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
diff --git a/cve-list.html b/cve-list.html
index a160eb3c2..2566530fe 100644
--- a/cve-list.html
+++ b/cve-list.html
@@ -9,6 +9,43 @@
This page lists all security vulnerabilities fixed in released versions of
Apache Kafka.
+ <h2 id="CVE-2024-27309"><a
href="https://nvd.nist.gov/vuln/detail/CVE-2024-27309";>CVE-2024-27309</a>
Potential incorrect access control during migration from ZK mode to KRaft
mode</h2>
+
+ <p> While an Apache Kafka cluster is being migrated from ZooKeeper mode
to KRaft mode, in some cases ACLs will not be correctly enforced. Two
preconditions are needed to trigger the bug:
+ <ol>
+ <li>The administrator decides to remove an ACL
+ <li>The resource associated with the removed ACL continues to have
two or more other ACLs associated with it after the removal.
+ </ol>
+ When those two preconditions are met, Kafka will treat the resource as
if it had only one ACL associated with it after the removal, rather than the
two or more that would be correct.
+ The incorrect condition is cleared by removing all brokers in ZK mode,
or by adding a new ACL to the affected resource. Once the migration is
completed, there is no metadata loss (the ACLs all remain).
+ </p>
+
+ <table class="data-table">
+ <tbody>
+ <tr>
+ <td>Versions affected</td>
+ <td>3.5.0 - 3.6.1</td>
+ </tr>
+ <tr>
+ <td>Fixed versions</td>
+ <td>3.6.2</td>
+ </tr>
+ <tr>
+ <td>Impact</td>
+ <td>The impact depends on the ACLs in use. If only ALLOW ACLs were
configured during the migration, the impact would be limited to availability
impact. if DENY ACLs were configured, the impact could include confidentiality
and integrity impact depending on the ACLs configured, as the DENY ACLs might
be ignored due to this vulnerability during the migration period.
+ </td>
+ </tr>
+ <tr>
+ <td>Advice</td>
+ <td>We advise all Kafka users using ACLs to only perform ZooKeeper
to KRaft migrations when using Kafka 3.6.2 or above.</td>
+ </tr>
+ <tr>
+ <td>Issue announced</td>
+ <td>12 Apr 2024</td>
+ </tr>
+ </tbody>
+ </table>
+
<h2 id="CVE-2023-34455"><a
href="https://nvd.nist.gov/vuln/detail/CVE-2023-34455";>CVE-2023-34455</a>
Clients using Snappy compression may cause out of memory error on brokers</h2>
<p> This CVE identifies a vulnerability in snappy-java which could be
used to cause an Out-of-Memory (OOM) condition, leading to
Denial-of-Service(DoS) on the Kafka broker.
