Arbitrary Code Execution Affecting com.typesafe.akka:akka-actor package, versions [,2.4.17) [2.5-M1,2.5-M2)
Snyk CVSS
- Attack Complexity: High
- Confidentiality: High
- Integrity: High
- Availability: High
Threat Intelligence
- EPSS: 4.27% (93rd percentile)
- Snyk ID SNYK-JAVA-COMTYPESAFEAKKA-31454
- published 8 Aug 2017
- disclosed 9 Feb 2017
- credit Alvaro Munoz, Adrian Bravo
Introduced: 9 Feb 2017
CVE-2017-1000034
How to fix?
Upgrade akka-actor to version 2.4.17 or higher.
Overview
com.typesafe.akka:akka-actor is a message-driven application builder on the JVM.
Affected versions of the package are vulnerable to Arbitrary Code Execution.
An attacker that can connect to an ActorSystem exposed via Akka Remote over TCP can gain remote code execution capabilities in the context of the JVM process that runs the ActorSystem if:
- JavaSerializer is enabled (default in Akka 2.4.x)
- and TLS is disabled or TLS is enabled with akka.remote.netty.ssl.security.require-mutual-authentication = false (which is still the default in Akka 2.4.x)
- or if TLS is enabled with mutual authentication but the authentication keys of a host that is allowed to connect have been compromised, i.e. an attacker has obtained a valid certificate (e.g. by compromising a node whose certificate was issued by the same internal PKI tree)
- regardless of whether untrusted mode is enabled or not
Java deserialization is known to be vulnerable to attacks when an attacker can provide arbitrary types.
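Added example, not taken from the advisory or from the Akka project: an Akka 2.4 remoting configuration that meets the conditions listed above, beside a hardened one that removes them. Hostnames, ports, key-store paths and the environment variable names are constructed placeholders; `akka.actor.allow-java-serialization` is assumed to be available from the fixed 2.4.17 release onward.

```hocon
# --- weak.conf (one application.conf) ---
# Plain TCP transport, no TLS, JavaSerializer left at its 2.4 default:
# any client that can reach port 2552 meets the advisory's conditions,
# whether or not untrusted-mode is on.
akka {
  actor.provider = "akka.remote.RemoteActorRefProvider"
  remote {
    enabled-transports = ["akka.remote.netty.tcp"]
    netty.tcp {
      hostname = "node1.example.internal"   # constructed placeholder
      port = 2552
    }
  }
}

# --- hardened.conf (a separate application.conf) ---
akka {
  actor {
    provider = "akka.remote.RemoteActorRefProvider"
    # Refuse Java serialization entirely (assumed available from 2.4.17).
    # Messages then need a non-Java serializer bound via serialization-bindings.
    allow-java-serialization = off
  }
  remote {
    # Defence in depth only; the advisory notes it does not stop this issue.
    untrusted-mode = on
    # Replace the TCP transport with the TLS one.
    enabled-transports = ["akka.remote.netty.ssl"]
    netty.ssl {
      hostname = "node1.example.internal"   # constructed placeholder
      port = 2552
      security {
        key-store            = "/etc/akka/node1-keystore.jks"   # placeholder path
        key-store-password   = ${AKKA_KEYSTORE_PASSWORD}        # placeholder env var
        key-password         = ${AKKA_KEY_PASSWORD}             # placeholder env var
        trust-store          = "/etc/akka/cluster-truststore.jks"
        trust-store-password = ${AKKA_TRUSTSTORE_PASSWORD}
        protocol             = "TLSv1.2"
        enabled-algorithms   = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
        # The setting the advisory calls out: the 2.4 default is false,
        # which lets any TLS client connect without presenting a certificate.
        require-mutual-authentication = on
      }
    }
  }
}
```

With mutual authentication on, the remaining exposure is the third condition above (a stolen peer certificate), so keep the trust store limited to the nodes that should be allowed to connect rather than trusting an entire internal CA.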