
Cloud Vulnerability DB
A community-led vulnerabilities database
Apache Kafka's implementation of the Salted Challenge Response Authentication Mechanism (SCRAM) did not fully adhere to the requirements of RFC 5802. Specifically, the server did not verify that the nonce returned by the client in its second message (the client-final-message) matched the nonce the server had sent in its first message (the server-first-message). This vulnerability affects Apache Kafka versions 0.10.2.0 through 3.9.0, excluding the fixed releases 3.9.0, 3.8.1, and 3.7.2 (OSS Security).
The vulnerability stems from an incorrect implementation of the SCRAM authentication algorithm: the server does not validate the nonce carried in the final message of the SCRAM exchange. RFC 5802 requires this validation to ensure the integrity of the authentication process. The issue has been assigned a low severity rating because it is only exploitable when an attacker has plaintext access to the SCRAM authentication exchange (OSS Security).
The vulnerability is only exploitable when an attacker has plaintext access to the SCRAM authentication exchange. Deployments using SCRAM with TLS encryption are not affected by this issue. The impact is limited to environments where SCRAM is used over plaintext communication channels (OSS Security).
Users are advised to upgrade to Apache Kafka version 3.7.2 or later. For those unable to upgrade immediately, two mitigation options are available: 1) Deploy SCRAM exclusively with TLS encryption to protect authentication exchanges from interception, or 2) Consider alternative authentication mechanisms such as PLAIN, Kerberos, or OAuth with TLS, which provide additional security layers (OSS Security).
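To make the missing check concrete, here is an added example (not Kafka's own code) of the server-side validation RFC 5802 requires: the `r` attribute of the client-final-message must equal the combined client+server nonce issued in the server-first-message. The helper names and the constructed messages are assumptions; the attribute layout follows the RFC.

```python
import secrets

# Constructed example of the RFC 5802 server-side nonce check that the
# vulnerable Kafka versions skipped. Helper names are assumptions, not
# Kafka's API; the 'r=', 's=', 'i=', 'c=', 'p=' attributes follow the RFC.


def parse_attrs(message: str) -> dict:
    """Split a SCRAM message like 'c=biws,r=abc,p=...' into {attr: value}.

    Values are taken verbatim after the first '=', so base64 padding in
    'p=' and 's=' survives. A part without 'x=' is rejected."""
    attrs = {}
    for part in message.split(","):
        if len(part) < 2 or part[1] != "=":
            raise ValueError(f"malformed SCRAM attribute: {part!r}")
        attrs[part[0]] = part[2:]
    return attrs


def server_first_message(client_nonce: str, salt_b64: str, iterations: int) -> str:
    """Build server-first-message: the server appends its own random nonce to
    the client's nonce, and that combined value is what the client must echo."""
    server_nonce = secrets.token_urlsafe(18)  # URL-safe base64, so no commas
    return f"r={client_nonce}{server_nonce},s={salt_b64},i={iterations}"


def nonce_matches(server_first: str, client_final: str) -> bool:
    """The check the vulnerable implementation omitted.

    RFC 5802 section 5.1: the server MUST verify that the nonce in the
    client-final-message is the full nonce it sent in server-first-message.
    A missing or partial 'r' attribute fails the check."""
    expected = parse_attrs(server_first)["r"]
    received = parse_attrs(client_final).get("r")
    if received is None:
        return False
    # Constant-time comparison; both values are ASCII so str inputs are fine.
    return secrets.compare_digest(received, expected)


def verify_client_final(server_first: str, client_final: str) -> None:
    """Where a fixed server would reject the exchange before checking the
    client proof: nonce mismatch aborts authentication outright."""
    if not nonce_matches(server_first, client_final):
        raise PermissionError("SCRAM client-final-message nonce does not match")
```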
Source: This report was generated using AI