Compliance Impact

The vulnerability involves improper authorization in Apache Kafka's CONSUMER_GROUP_DESCRIBE API, which can lead to misconfigured Access Control Lists (ACLs) and unintended security postures. This may result in unauthorized users gaining access to sensitive group metadata or permissions they should not have.

Such unauthorized access could potentially impact compliance with standards and regulations like GDPR or HIPAA, which require strict access controls and protection of sensitive data. Misconfigured permissions might lead to exposure of personal or sensitive information, violating principles such as least privilege and data minimization.

Therefore, organizations using Apache Kafka should review and correct their ACLs to ensure compliance with these regulations by enforcing the principle of least privilege and preventing unauthorized data access.

Useful 0 Not Useful 0

Executive Summary

This vulnerability is an improper authorization issue in Apache Kafka related to the CONSUMER_GROUP_DESCRIBE (69) API.

The API implementation validates the DESCRIBE operation on the GROUP resource instead of the READ operation as documented in Kafka's official documentation and KIP-848.

This mismatch can cause misconfigured Access Control Lists (ACLs), potentially granting READ permissions to users who should not have them or allowing users with DESCRIBE permission but without READ permission to access sensitive group metadata.

The correct permission for the CONSUMER_GROUP_DESCRIBE API is DESCRIBE GROUP, so the implementation is correct, but the documentation will be updated to reflect this.

Kafka users are advised to review their existing group ACLs to ensure the principle of least privilege is maintained.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unintended security postures due to misconfigured ACLs.

• Users who should not have READ permission might be granted it, allowing them to join or sync consumer groups improperly.
• Users with DESCRIBE permission but without READ permission might gain access to sensitive group metadata.

Such unauthorized access can compromise the confidentiality and integrity of group metadata within Kafka.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves misconfigured Access Control Lists (ACLs) related to the CONSUMER_GROUP_DESCRIBE API permissions in Apache Kafka. Detection involves reviewing existing group ACLs to identify if users have inappropriate READ or DESCRIBE permissions that could allow unauthorized access to group metadata.

Since the issue is about permission validation discrepancies, you should audit your Kafka ACLs for group resources to ensure that only users with the correct DESCRIBE permission have access, and that no users have READ permission unless explicitly intended.

Specific commands to review ACLs in Kafka include using the kafka-acls.sh tool. For example:

• List all ACLs related to consumer groups: kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --list --resource-type group
• Check for users with READ or DESCRIBE permissions on group resources and verify if they align with your security policy.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to review and correct your Kafka group ACLs to follow the principle of least privilege.

Ensure that only users who require DESCRIBE permission on group resources have it, and that users without READ permission are not inadvertently granted access through misconfigured ACLs.

Since the current implementation of the CONSUMER_GROUP_DESCRIBE API is correct, no software patch is required, but updating your ACLs and monitoring permissions is critical.

Useful 0 Not Useful 0