Impacted versions
- Confluent Platform <= 7.0.16, 7.1.14, 7.2.13, 7.3.10, 7.4.7, 7.5.6, 7.6.3, 7.7.1 (each listed version and the earlier patch releases of its minor line)
- Confluent Cloud services were not impacted by this vulnerability as SCRAM authentication is not configured. No further action is necessary.
Recommended action
- Upgrade to Confluent Platform versions 7.1.15, 7.2.14, 7.3.11, 7.4.8, 7.5.7, 7.6.4, 7.7.2, 7.8.0, 7.9.0
Issue
Apache Kafka's implementation of the Salted Challenge Response Authentication Mechanism (SCRAM) did not fully adhere to the requirements of RFC 5802; the resulting weakness is tracked as CVE-2024-56128. Specifically, the server must verify that the nonce sent by the client in the second message matches the nonce sent by the server in its first message. Kafka's SCRAM implementation did not perform this validation. This vulnerability is exploitable only under very privileged conditions, where an attacker would have plaintext access to the SCRAM authentication exchange traffic.
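To make the missing check concrete, the following is an added, self-contained SCRAM-SHA-256 server-side verifier written for this advisory; it is not Kafka's or Confluent's code. It shows where RFC 5802 requires the server to compare the nonce in the client-final message against the nonce it issued, and it runs that comparison before the proof check. The password, salt and nonces are constructed sample values, and the small `ScramServer` class, `client_final_message` and `demo` helpers are names chosen here, not project APIs.

```python
"""SCRAM-SHA-256 server-side verification (RFC 5802 / RFC 7677) including the
client-final nonce check that CVE-2024-56128 concerns.
Illustrative code written for this advisory; not Kafka's or Confluent's code.
All credentials and nonces are constructed sample values."""
import base64
import hashlib
import hmac
import secrets

HASH = "sha256"


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, HASH).digest()


def _h(data: bytes) -> bytes:
    return hashlib.new(HASH, data).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _attrs(msg: str) -> dict:
    # SCRAM messages are comma-separated "k=v" pairs; split on the first '='
    # only, because base64 values may themselves end in '='.
    return dict(part.split("=", 1) for part in msg.split(","))


def stored_credentials(password: str, salt: bytes, iterations: int) -> dict:
    """What a server persists per user: StoredKey and ServerKey, not the password."""
    salted = hashlib.pbkdf2_hmac(HASH, password.encode(), salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    return {"salt": salt, "iterations": iterations,
            "stored_key": _h(client_key), "server_key": _hmac(salted, b"Server Key")}


class ScramServer:
    """Server side of one SCRAM exchange (hypothetical helper for this advisory)."""

    def __init__(self, creds: dict):
        self.creds = creds
        self.server_nonce = secrets.token_urlsafe(18)
        self.client_first_bare = self.server_first = self.expected_nonce = None

    def handle_client_first(self, client_first: str) -> str:
        # Drop the GS2 header ("n,,") to obtain client-first-message-bare.
        self.client_first_bare = client_first.split(",", 2)[2]
        client_nonce = _attrs(self.client_first_bare)["r"]
        # The nonce the server sends is the client nonce followed by its own part.
        self.expected_nonce = client_nonce + self.server_nonce
        self.server_first = "r=%s,s=%s,i=%d" % (
            self.expected_nonce,
            base64.b64encode(self.creds["salt"]).decode(),
            self.creds["iterations"])
        return self.server_first

    def handle_client_final(self, client_final: str) -> str:
        attrs = _attrs(client_final)
        # RFC 5802 section 5.1, attribute "r": the client-final nonce must equal
        # the nonce this server sent. This is the check the advisory describes.
        if not hmac.compare_digest(attrs["r"].encode(), self.expected_nonce.encode()):
            raise ValueError("nonce mismatch: client-final does not belong to this exchange")
        without_proof = client_final[:client_final.rfind(",p=")]
        auth_message = ",".join(
            [self.client_first_bare, self.server_first, without_proof]).encode()
        client_signature = _hmac(self.creds["stored_key"], auth_message)
        # ClientKey = ClientProof XOR ClientSignature; H(ClientKey) must equal StoredKey.
        client_key = _xor(base64.b64decode(attrs["p"]), client_signature)
        if not hmac.compare_digest(_h(client_key), self.creds["stored_key"]):
            raise ValueError("client proof does not verify")
        server_signature = _hmac(self.creds["server_key"], auth_message)
        return "v=" + base64.b64encode(server_signature).decode()


def client_final_message(password: str, client_first_bare: str, server_first: str) -> str:
    """Client side: compute ClientProof over the nonce the server returned."""
    sf = _attrs(server_first)
    salted = hashlib.pbkdf2_hmac(HASH, password.encode(),
                                 base64.b64decode(sf["s"]), int(sf["i"]))
    client_key = _hmac(salted, b"Client Key")
    without_proof = "c=biws,r=" + sf["r"]  # "biws" is base64("n,,")
    auth_message = ",".join([client_first_bare, server_first, without_proof]).encode()
    proof = _xor(client_key, _hmac(_h(client_key), auth_message))
    return without_proof + ",p=" + base64.b64encode(proof).decode()


def demo() -> dict:
    creds = stored_credentials("correct horse", secrets.token_bytes(16), 4096)
    client_first_bare = "n=alice,r=" + secrets.token_urlsafe(18)

    # Exchange 1: the legitimate client completes authentication.
    s1 = ScramServer(creds)
    server_first = s1.handle_client_first("n,," + client_first_bare)
    captured_final = client_final_message("correct horse", client_first_bare, server_first)
    verdict1 = s1.handle_client_final(captured_final)

    # Exchange 2: the same first message and the earlier final message are
    # presented to a fresh exchange, which issued a different nonce.
    s2 = ScramServer(creds)
    s2.handle_client_first("n,," + client_first_bare)
    try:
        s2.handle_client_final(captured_final)
        verdict2 = "accepted"
    except ValueError as err:
        verdict2 = str(err)
    return {"legitimate": verdict1.startswith("v="), "replayed": verdict2}


if __name__ == "__main__":
    print(demo())
```

The nonce comparison is deliberately placed before the proof arithmetic: a client-final message whose `r` value does not match the nonce this exchange issued is rejected outright, which is the behaviour RFC 5802 requires and the behaviour the fixed Kafka versions add.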
The usage of SCRAM over plaintext is strongly discouraged in section 9 of RFC 5802 as it is considered an insecure practice. Apache Kafka documentation and Confluent Platform documentation also recommend deploying SCRAM exclusively with TLS encryption to protect SCRAM exchanges from interception. Thus, Confluent Platform deployments using SCRAM with TLS are not affected by this issue. To check whether TLS is enabled, review the listeners property in your server.properties configuration file. If SASL_PLAINTEXT appears in the listeners, you are likely impacted. Absence of TLS in SCRAM exchanges (which is also an insecure configuration) would allow an attacker to intercept and replay the authentication messages.
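The listeners check above can be scripted. The following is an added example written for this advisory, not Confluent tooling: it reads a broker server.properties, resolves each listener to its security protocol, and reports listeners that would carry SCRAM over plaintext. It goes slightly beyond the sentence above by also resolving custom listener names through listener.security.protocol.map, so a listener named, say, INTERNAL that maps to SASL_PLAINTEXT is flagged too. The property names used (listeners, listener.security.protocol.map, sasl.enabled.mechanisms) are standard Kafka broker settings; the sample file content and the `audit` helper are constructed here.

```python
"""Report Kafka listeners that would carry SCRAM over plaintext.
Added for this advisory; not Confluent tooling. The SAMPLE content is a
constructed server.properties; property names are standard Kafka settings."""
from typing import Dict, List


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: 'key=value' lines, '#' or '!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def plaintext_scram_listeners(props: Dict[str, str]) -> List[str]:
    """Listeners whose security protocol is SASL_PLAINTEXT while a SCRAM mechanism is enabled."""
    mechanisms = {m.strip().upper()
                  for m in props.get("sasl.enabled.mechanisms", "").split(",") if m.strip()}
    if not any(m.startswith("SCRAM-") for m in mechanisms):
        return []
    # A custom listener name resolves to a protocol via listener.security.protocol.map;
    # without a mapping the listener name is itself the protocol.
    protocol_map: Dict[str, str] = {}
    for entry in props.get("listener.security.protocol.map", "").split(","):
        name, sep, proto = entry.partition(":")
        if sep:
            protocol_map[name.strip().upper()] = proto.strip().upper()
    flagged: List[str] = []
    for listener in props.get("listeners", "").split(","):
        listener = listener.strip()
        if not listener:
            continue
        name = listener.split("://", 1)[0].upper()
        if protocol_map.get(name, name) == "SASL_PLAINTEXT":
            flagged.append(listener)
    return flagged


def audit(text: str) -> List[str]:
    return plaintext_scram_listeners(parse_properties(text))


# Constructed sample: one mapped plaintext listener, one TLS listener, one explicit plaintext listener.
SAMPLE = """# constructed sample server.properties
listeners=INTERNAL://broker1:9092,SASL_SSL://broker1:9093,SASL_PLAINTEXT://0.0.0.0:9094
listener.security.protocol.map=INTERNAL:SASL_PLAINTEXT,SASL_SSL:SASL_SSL,SASL_PLAINTEXT:SASL_PLAINTEXT
sasl.enabled.mechanisms=SCRAM-SHA-512,PLAIN
"""

if __name__ == "__main__":
    for listener in audit(SAMPLE):
        print("SCRAM over plaintext:", listener)
```

An empty result means every listener on that broker uses a TLS-backed protocol or SCRAM is not enabled; a non-empty result identifies the listeners to move to SASL_SSL before relying on the workaround in the Remediation section. Per-listener mechanism overrides (listener.name.<name>.sasl.enabled.mechanisms) are not resolved by this script and should be reviewed by hand.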
Remediation
Confluent Platform: This issue is already resolved in the following versions of Confluent Platform: 7.1.15, 7.2.14, 7.3.11, 7.4.8, 7.5.7, 7.6.4, 7.7.2, 7.8.0, 7.9.0
Workarounds: If immediate upgrades are not possible, customers are advised to apply the steps listed below to mitigate this vulnerability:
- Deploy SCRAM over TLS to encrypt authentication exchanges and protect against interception.
- Consider alternative authentication mechanisms: Evaluate using PLAIN, Kerberos or OAuth with TLS, which provide additional layers of security.
Confluent Cloud:
This issue did not impact Confluent Cloud managed services. No further action is necessary.
Original CVSS Score for CVE-2024-56128: N/A
Adjusted CVSS Score (for Confluent Platform deployments): 5.7
Adjusted CVSS v3.1 Calculator:
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N