CVE-2024-27309

7.4 HIGH

📋 TL;DR

During Apache Kafka migration from ZooKeeper to KRaft mode, ACL enforcement can fail when removing an ACL from a resource with multiple ACLs, causing Kafka to incorrectly treat the resource as having only one ACL. This affects administrators performing ZooKeeper-to-KRaft migrations. The impact ranges from availability issues (if only ALLOW ACLs exist) to potential confidentiality/integrity breaches (if DENY ACLs exist).

💻 Affected Systems

Products:
  • Apache Kafka
Versions: Any version undergoing ZooKeeper-to-KRaft migration (specific affected versions not stated in the CVE)
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only vulnerable during active ZooKeeper-to-KRaft migration when specific ACL removal conditions are met.

⚠️ Risk & Real-World Impact

🔴 Worst Case: DENY ACLs are ignored during migration, allowing unauthorized access to Kafka resources, potentially leading to data exposure, modification, or deletion.

🟠 Likely Case: Availability impact where ALLOW ACLs aren't properly enforced, causing legitimate users to be denied access to Kafka resources during migration.

🟢 If Mitigated: Limited availability impact if only ALLOW ACLs are configured and migration is carefully monitored.

🌐 Internet-Facing: MEDIUM - Kafka clusters exposed to the internet could see an ACL bypass if DENY rules are ignored, but exploitation requires the specific migration conditions described above.
🏢 Internal Only: MEDIUM - Internal Kafka clusters undergoing migration could experience ACL enforcement failures affecting access control.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires administrative access to modify ACLs during migration and specific conditions (removing ACL from resource with multiple ACLs).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Apache Kafka security advisories for specific patched versions

Vendor Advisory: https://lists.apache.org/thread/6536rmzyg076lzzdw2xdktvnz163mjpy

Restart Required: Yes

Instructions:

1. Check the Apache Kafka security advisory for the patched version.
2. Update Kafka to the patched version.
3. Restart Kafka brokers.
4. Verify migration completion and ACL enforcement.

🔧 Temporary Workarounds

Avoid ACL modifications during migration (applies to: all)

Do not remove ACLs from resources that have multiple ACLs during ZooKeeper-to-KRaft migration.

Complete migration before ACL changes (applies to: all)

Finish the ZooKeeper-to-KRaft migration completely before making any ACL modifications.

🧯 If You Can't Patch

  • Postpone ZooKeeper-to-KRaft migration until patch can be applied
  • Monitor ACL changes and Kafka access logs closely during migration for unauthorized access attempts

🔍 How to Verify

Check if Vulnerable:

Check whether the Kafka cluster is actively migrating from ZooKeeper to KRaft mode and whether ACLs have been modified recently.

Check Version:

kafka-broker-api-versions --bootstrap-server localhost:9092 | grep version

Verify Fix Applied:

Verify that the Kafka version is patched, complete the migration, and test ACL enforcement on resources with multiple ACLs.
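As an added verification aid (not part of this advisory or of the Kafka project), the script below parses `kafka-acls --list` output and flags resources holding two or more ACLs, separating those with a DENY entry (possible bypass if the bug is hit) from ALLOW-only ones (availability loss). The sample listing is constructed and its format is assumed from the Kafka CLI; review the flagged resources before any ACL removal during a migration.

```python
import re
from collections import defaultdict

# Constructed sample of `kafka-acls --list` output (format assumed from the Kafka CLI).
SAMPLE_ACL_LISTING = """\
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=orders, patternType=LITERAL)`:
 	(principal=User:producer, host=*, operation=WRITE, permissionType=ALLOW)
	(principal=User:analyst, host=*, operation=READ, permissionType=ALLOW)
	(principal=User:contractor, host=*, operation=READ, permissionType=DENY)

Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=logs, patternType=LITERAL)`:
 	(principal=User:shipper, host=*, operation=WRITE, permissionType=ALLOW)

Current ACLs for resource `ResourcePattern(resourceType=GROUP, name=etl, patternType=PREFIXED)`:
 	(principal=User:etl, host=*, operation=READ, permissionType=ALLOW)
	(principal=User:etl, host=*, operation=DESCRIBE, permissionType=ALLOW)
"""

RESOURCE_RE = re.compile(r"resourceType=(\w+), name=([^,]+), patternType=(\w+)")
ACL_RE = re.compile(
    r"\(principal=([^,]+), host=([^,]+), operation=(\w+), permissionType=(ALLOW|DENY)\)"
)


def parse_acl_listing(text):
    """Return {(type, name, pattern): [(principal, host, operation, permission), ...]}."""
    acls = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = RESOURCE_RE.search(line)
        if m:
            current = m.groups()
            acls.setdefault(current, [])  # register resource even if no ACL lines follow
            continue
        m = ACL_RE.search(line)
        if m and current is not None:
            acls[current].append(m.groups())
    return dict(acls)


def classify_migration_risk(acls):
    """Resources with 2+ ACLs are the ones the advisory says are exposed when one ACL is
    removed mid-migration; a DENY entry among them means possible bypass, not just lost access."""
    report = {}
    for resource, entries in acls.items():
        if len(entries) < 2:
            report[resource] = "not_affected"
        elif any(perm == "DENY" for *_, perm in entries):
            report[resource] = "bypass_risk"
        else:
            report[resource] = "availability_risk"
    return report
```

Feed it the real listing with `parse_acl_listing(open("acls.txt").read())` and hold any `bypass_risk` resource unchanged until the migration has finished.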

📡 Detection & Monitoring

Log Indicators:

  • Unexpected access to Kafka resources during migration
  • ACL modification logs during migration period
  • Authorization failure/success anomalies

Network Indicators:

  • Unauthorized Kafka protocol requests during migration window

SIEM Query:

source="kafka*" AND ("ACL" OR "authorization") AND "migration" AND ("remove" OR "delete")
