Authentication Algorithm Vulnerability in Apache Kafka
CVE-2024-56128


Key Information:

Vendor: Apache
CVE Published: 18 December 2024

What is CVE-2024-56128?

The vulnerability arises from an incorrect implementation of the Salted Challenge Response Authentication Mechanism (SCRAM) in Apache Kafka. Specifically, the server failed to verify that the nonce received in the client's final message matched the one the server had sent, a check that RFC 5802 requires. The flaw is only exposed when SCRAM is used over an unencrypted (plaintext) channel, a configuration that security best practice already discourages. An attacker with access to such plaintext exchanges could potentially exploit this weakness. To mitigate the risk, enable TLS for every SCRAM listener so that the authentication exchange is both confidential and integrity-protected. Upgrading to a fixed version of Apache Kafka (3.7.2 or later) is the preferred remedy for this vulnerability.
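The nonce check the description refers to, shown as an added example that is not Apache Kafka's code: a minimal SCRAM-SHA-256 server session in Python that follows RFC 5802, including the step the advisory says was missing (the server compares the `r` attribute of the client-final-message with the combined nonce it sent in the server-first-message before it does any proof arithmetic). The user table, password, and all function and class names are constructed for this example; the message layout, the Hi/HMAC/XOR derivation and the "Client Key"/"Server Key" labels follow RFC 5802.

```python
import base64
import hashlib
import hmac
import secrets


def hi(password: bytes, salt: bytes, iterations: int) -> bytes:
    # Hi() in RFC 5802 is PBKDF2 with HMAC-SHA-256 and an output the size of the hash
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def hmac256(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


def parse_attrs(msg: str) -> dict:
    # SCRAM messages are comma-separated "k=v" pairs; base64 values may contain "=" padding
    attrs = {}
    for part in msg.split(","):
        key, _, value = part.partition("=")
        attrs[key] = value
    return attrs


def make_credential(password: str, iterations: int = 4096) -> dict:
    # What a server stores per user: salt, iteration count, StoredKey and ServerKey, never the password
    salt = secrets.token_bytes(16)
    salted = hi(password.encode(), salt, iterations)
    client_key = hmac256(salted, b"Client Key")
    return {"salt": salt, "iterations": iterations,
            "stored_key": h(client_key), "server_key": hmac256(salted, b"Server Key")}


class ScramServerSession:
    """Server side of one SCRAM-SHA-256 exchange (hypothetical class, constructed for this example)."""

    def __init__(self, users: dict):
        self.users = users
        self.state = None  # (client-first-bare, server-first-message, credential, server nonce)

    def client_first(self, msg: str) -> str:
        bare = msg[len("n,,"):]  # strip the GS2 header; channel binding is not used here
        attrs = parse_attrs(bare)
        cred = self.users[attrs["n"]]
        # Server nonce = client nonce followed by fresh server randomness (RFC 5802 section 5.1)
        snonce = attrs["r"] + b64(secrets.token_bytes(18))
        server_first = f"r={snonce},s={b64(cred['salt'])},i={cred['iterations']}"
        self.state = (bare, server_first, cred, snonce)
        return server_first

    def client_final(self, msg: str) -> tuple:
        bare, server_first, cred, snonce = self.state
        without_proof, _, proof_b64 = msg.rpartition(",p=")
        attrs = parse_attrs(without_proof)
        # RFC 5802 section 5.1: the server MUST verify that the nonce in client-final-message is the
        # one it sent. This is the comparison the advisory says was missing; it binds the client's
        # proof to this exchange and must run before any proof is examined.
        if not hmac.compare_digest(attrs.get("r", "").encode(), snonce.encode()):
            return False, "e=other-error"  # RFC 5802 defines no nonce-specific error value
        auth_message = ",".join([bare, server_first, without_proof]).encode()
        client_sig = hmac256(cred["stored_key"], auth_message)
        client_key = xor(base64.b64decode(proof_b64), client_sig)  # ClientProof XOR ClientSignature
        if not hmac.compare_digest(h(client_key), cred["stored_key"]):
            return False, "e=invalid-proof"
        return True, "v=" + b64(hmac256(cred["server_key"], auth_message))


def client_first_message(user: str) -> tuple:
    bare = f"n={user},r={b64(secrets.token_bytes(18))}"
    return "n,," + bare, bare


def client_final_message(password: str, bare: str, server_first: str, nonce: str) -> tuple:
    # Returns the client-final-message and the ServerSignature the client expects back
    attrs = parse_attrs(server_first)
    without_proof = f"c={b64(b'n,,')},r={nonce}"
    salted = hi(password.encode(), base64.b64decode(attrs["s"]), int(attrs["i"]))
    client_key = hmac256(salted, b"Client Key")
    auth_message = ",".join([bare, server_first, without_proof]).encode()
    proof = xor(client_key, hmac256(h(client_key), auth_message))
    expected_server_sig = hmac256(hmac256(salted, b"Server Key"), auth_message)
    return without_proof + ",p=" + b64(proof), expected_server_sig


def run_exchange(users: dict, user: str, password: str, tamper_nonce: bool = False) -> bool:
    """Drive a full exchange; tamper_nonce=True is the negative test with a nonce from another session."""
    server = ScramServerSession(users)
    first, bare = client_first_message(user)
    server_first = server.client_first(first)
    nonce = parse_attrs(server_first)["r"]
    if tamper_nonce:
        nonce = nonce[:24] + b64(secrets.token_bytes(18))  # client part kept, server part stale
    final, expected_sig = client_final_message(password, bare, server_first, nonce)
    ok, server_final = server.client_final(final)
    if not ok:
        return False
    # Mutual authentication: the client checks the server's signature as well
    return hmac.compare_digest(base64.b64decode(server_final[len("v="):]), expected_sig)


# Constructed sample user table for the example
USERS = {"alice": make_credential("correct horse battery staple")}

if __name__ == "__main__":
    print("good exchange:", run_exchange(USERS, "alice", "correct horse battery staple"))
    print("stale nonce:  ", run_exchange(USERS, "alice", "correct horse battery staple", tamper_nonce=True))
```

The stale-nonce exchange fails at the nonce comparison, before any proof is computed, even though the client holds the right password; a server that skipped that comparison would have to build its AuthMessage from whatever nonce the client supplied, which is exactly the loss of binding to the current exchange that TLS on the listener and the fixed release both address.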

Timeline

  • 18 December 2024: Vulnerability published