Incorrect Implementation of Authentication Algorithm affecting the org.apache.kafka:kafka-clients package, versions [0.10.2.0, 3.7.2) and [3.8.0, 3.8.1)


Severity

high (CVSS assessment made by Snyk's Security Team)

  • Snyk ID: SNYK-JAVA-ORGAPACHEKAFKA-8528112
  • Published: 18 Dec 2024
  • Disclosed: 18 Dec 2024
  • Credit: Tim Fox

Introduced: 18 Dec 2024

CVE-2024-56128
CWE-303

How to fix?

Upgrade org.apache.kafka:kafka-clients to version 3.7.2, 3.8.1 or higher.

Overview

org.apache.kafka:kafka-clients is the Java client library for Apache Kafka, a streaming platform that can publish and subscribe to streams of records, store streams of records in a fault-tolerant durable way, and process streams of records as they occur.

Affected versions of this package are vulnerable to Incorrect Implementation of Authentication Algorithm: the SCRAM implementation does not perform the nonce verification required by RFC 5802, under which the server must check that the nonce echoed by the client in its final message is the nonce the server issued in its first message. If TLS is not in use for SCRAM exchanges, which is an insecure configuration in its own right, an attacker who can observe the exchange on the wire can intercept and replay the authentication messages.

Brokers whose listeners property (in server.properties) includes a SASL_PLAINTEXT listener carrying SCRAM are vulnerable; SCRAM exchanges that run only over TLS (SASL_SSL listeners) are not exposed to interception, though upgrading is still the correct fix.
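As an added example (not code from this page or from Apache Kafka), the following Python models a SCRAM-SHA-256 exchange as specified in RFC 5802 and RFC 7677, with a server that can either perform or skip the server-side nonce verification the advisory refers to. A passive observer on an unencrypted listener captures one legitimate exchange and replays the captured client messages into a new session. The class and function names, the user "alice" and its password are constructed for illustration and do not correspond to Kafka's own classes; usernames are assumed to contain no "," or "=".

```python
import base64
import hashlib
import hmac
import os
import secrets

# Hi(), HMAC() and H() from RFC 5802, instantiated for SCRAM-SHA-256 (RFC 7677).
def _hi(password: bytes, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)

def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode()

def _parse(msg: str) -> dict:
    # SCRAM messages are comma-separated single-letter attributes; base64 values
    # never contain a comma, and the first "=" separates key from value.
    return dict(part.split("=", 1) for part in msg.split(","))

class ScramCredential:
    """Server-side record: salt, iterations, StoredKey, ServerKey (never the password)."""
    def __init__(self, password: str, iterations: int = 4096):
        self.salt, self.iterations = os.urandom(16), iterations
        salted = _hi(password.encode(), self.salt, iterations)
        self.stored_key = hashlib.sha256(_hmac(salted, b"Client Key")).digest()
        self.server_key = _hmac(salted, b"Server Key")

class ScramClient:
    def __init__(self, user: str, password: str):
        self.user, self.password = user, password
        self.nonce = secrets.token_urlsafe(18)          # client nonce

    def first_message(self) -> str:
        # GS2 header "n,," (no channel binding) + client-first-message-bare.
        # Assumes the username needs no RFC 5802 escaping (=2C / =3D).
        self.bare = f"n={self.user},r={self.nonce}"
        return "n,," + self.bare

    def final_message(self, server_first: str) -> str:
        attrs = _parse(server_first)
        if not attrs["r"].startswith(self.nonce):     # client-side nonce check
            raise ValueError("server nonce does not start with our nonce")
        salted = _hi(self.password.encode(), base64.b64decode(attrs["s"]), int(attrs["i"]))
        client_key = _hmac(salted, b"Client Key")
        without_proof = f"c={_b64(b'n,,')},r={attrs['r']}"
        auth_message = f"{self.bare},{server_first},{without_proof}".encode()
        proof = _xor(client_key, _hmac(hashlib.sha256(client_key).digest(), auth_message))
        self.expected_v = _b64(_hmac(_hmac(salted, b"Server Key"), auth_message))
        return f"{without_proof},p={_b64(proof)}"

    def verify_server(self, server_final: str) -> bool:
        return hmac.compare_digest(_parse(server_final)["v"], self.expected_v)

class ScramServer:
    def __init__(self, creds: dict, check_nonce: bool = True):
        self.creds, self.check_nonce = creds, check_nonce

    def first_message(self, client_first: str) -> str:
        self.client_bare = client_first[3:]           # strip the "n,," GS2 header
        attrs = _parse(self.client_bare)
        self.cred = self.creds[attrs["n"]]
        # Combined nonce = client nonce || fresh server nonce; the client must echo it back.
        self.combined_nonce = attrs["r"] + secrets.token_urlsafe(18)
        self.server_first = f"r={self.combined_nonce},s={_b64(self.cred.salt)},i={self.cred.iterations}"
        return self.server_first

    def final_message(self, client_final: str) -> str:
        attrs = _parse(client_final)
        # RFC 5802 section 5.1: the server MUST verify the nonce matches the one it sent.
        # Skipping this check (check_nonce=False) models the flaw in the advisory.
        if self.check_nonce and attrs["r"] != self.combined_nonce:
            raise PermissionError("nonce mismatch")
        without_proof = client_final.rsplit(",p=", 1)[0]
        auth_message = f"{self.client_bare},{self.server_first},{without_proof}".encode()
        client_key = _xor(base64.b64decode(attrs["p"]), _hmac(self.cred.stored_key, auth_message))
        if not hmac.compare_digest(hashlib.sha256(client_key).digest(), self.cred.stored_key):
            raise PermissionError("invalid proof")
        return "v=" + _b64(_hmac(self.cred.server_key, auth_message))

def demonstrate(check_nonce: bool) -> dict:
    """One legitimate exchange, then a replay of its captured client messages into a new session."""
    creds = {"alice": ScramCredential("correct horse")}      # constructed sample user
    client, server = ScramClient("alice", "correct horse"), ScramServer(creds, check_nonce)
    c1 = client.first_message()
    s1 = server.first_message(c1)
    c2 = client.final_message(s1)                            # visible to an observer on SASL_PLAINTEXT
    results = {"legit": client.verify_server(server.final_message(c2))}
    replay = ScramServer(creds, check_nonce)
    replay.first_message(c1)                                 # server issues a fresh nonce
    try:
        replay.final_message(c2)                             # captured message with the stale nonce
        results["replay"] = "accepted"
    except PermissionError as e:
        results["replay"] = str(e)
    return results
```

`demonstrate(True)` reports the replayed final message rejected with "nonce mismatch" before any keyed computation runs; `demonstrate(False)` only detects it at proof verification, because in this model the AuthMessage still covers the server's fresh first message. The explicit nonce comparison is the RFC 5802 requirement that the fixed versions add; it complements, and does not replace, running SCRAM over TLS.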
