PT-2024-9918 · Apache · Apache Kafka
Tim Fox · Published 2024-12-16 · Updated 2025-07-01
CVE-2024-56128
CVSS v3.1: 5.3 (Medium), vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions:
Apache Kafka versions 0.10.2.0 through 3.9.0
Description:
The issue stems from an incorrect implementation of the Salted Challenge Response Authentication Mechanism (SCRAM) in Apache Kafka. Specifically, the server does not verify that the nonce sent by the client in the client-final message matches the nonce the server issued in its server-first message, as required by RFC 5802. This vulnerability is exploitable only when an attacker has plaintext access to the SCRAM authentication exchange. Deployments using SCRAM over TLS are not affected by this issue.
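The nonce check the description refers to, as an added Python illustration that is not Kafka's code: a minimal SCRAM-SHA-256 server-side verifier per RFC 5802, with a `check_nonce` flag that reproduces the omitted step. The exchange in `demo()` is constructed (password, salt and nonce values are fixed test data, the nonces borrowed from the RFC 5802 example).

```python
import base64
import hashlib
import hmac

def parse_attrs(msg: str) -> dict:
    """Split a SCRAM message such as 'c=biws,r=abc,p=...' into its attributes."""
    return dict(item.split("=", 1) for item in msg.split(","))

def hi(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Hi() from RFC 5802 is PBKDF2 with HMAC-SHA-256."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)

def client_proof(salted_password: bytes, auth_message: bytes) -> str:
    """Base64 ClientProof a legitimate client places in the p= attribute."""
    client_key = hmac.new(salted_password, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    signature = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    return base64.b64encode(bytes(a ^ b for a, b in zip(client_key, signature))).decode()

def server_verify(salted_password: bytes, client_first_bare: str, server_first: str,
                  client_final: str, check_nonce: bool = True) -> bool:
    """Server-side check of client-final-message. check_nonce=False reproduces the
    missing RFC 5802 step: the proof is validated but the r= attribute is never
    compared with the nonce the server issued in server-first-message."""
    client_nonce = parse_attrs(client_first_bare)["r"]
    combined_nonce = parse_attrs(server_first)["r"]  # client nonce + server nonce
    final_attrs = parse_attrs(client_final)
    # RFC 5802 step: r= in client-final must equal the nonce from server-first.
    if check_nonce and not (combined_nonce.startswith(client_nonce)
                            and hmac.compare_digest(final_attrs["r"], combined_nonce)):
        return False
    without_proof = client_final.rsplit(",p=", 1)[0]
    auth_message = f"{client_first_bare},{server_first},{without_proof}".encode()
    client_key = hmac.new(salted_password, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    signature = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    proof = base64.b64decode(final_attrs["p"])
    recovered_key = bytes(a ^ b for a, b in zip(proof, signature))  # ClientKey = proof XOR sig
    return hmac.compare_digest(hashlib.sha256(recovered_key).digest(), stored_key)

def demo(nonce_in_final: str, check_nonce: bool) -> bool:
    """Constructed exchange: a password-holding client sends the given r= value."""
    salted = hi(b"pencil", b"constructed-salt", 4096)
    client_first_bare = "n=user,r=fyko+d2lbbFgONRv9qkxdawL"
    server_first = "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=Y29uc3RydWN0ZWQtc2FsdA==,i=4096"
    without_proof = f"c=biws,r={nonce_in_final}"
    auth_message = f"{client_first_bare},{server_first},{without_proof}".encode()
    client_final = f"{without_proof},p={client_proof(salted, auth_message)}"
    return server_verify(salted, client_first_bare, server_first, client_final, check_nonce)
```

A client-final message carrying a nonce other than the one this session issued passes proof validation alone and is only rejected once the r= comparison is enforced.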
Recommendations:
To mitigate this issue, users are advised to upgrade to version 3.7.2 or later.
For users unable to upgrade to the fixed versions, consider the following:
- Use TLS with SCRAM Authentication: Always deploy SCRAM over TLS to encrypt authentication exchanges and protect against interception.
- Consider Alternative Authentication Mechanisms: Evaluate alternative authentication mechanisms, such as PLAIN, Kerberos, or OAuth with TLS, which provide additional layers of security.
Affected Products
Alt Linux
Apache Kafka
Red Os