com.typesafe.akka:akka-actor_2.11@2.4.3 vulnerabilities

latest version

2.5.32
latest non vulnerable version

2.5.32
first published

10 years ago
latest version published

4 years ago
licenses detected
- Apache-2.0
  [2.3.2,)
package manager

View on Maven Repository

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the com.typesafe.akka:akka-actor_2.11 package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
H Arbitrary Code Execution com.typesafe.akka:akka-actor_2.11 is a toolkit for building highly concurrent, distributed, and resilient message-driven applications for Java and Scala. Affected versions of this package are vulnerable to Arbitrary Code Execution. An attacker that can connect to an `ActorSystem` exposed via Akka Remote over TCP can gain remote code execution capabilities in the context of the JVM process that runs the ActorSystem if: JavaSerializer is enabled (default in Akka 2.4.x) and TLS is disabled or TLS is enabled with akka.remote.netty.ssl.security.require-mutual-authentication = false (which is still the default in Akka 2.4.x) or if TLS is enabled with mutual authentication and the authentication keys of a host that is allowed to connect have been compromised, an attacker gained access to a valid certificate (e.g. by compromising a node with certificates issued by the same internal PKI tree to get access of the certificate) regardless of whether untrusted mode is enabled or not Java deserialization is known to be vulnerable to attacks when attacker can provide arbitrary types. How to fix Arbitrary Code Execution? Upgrade `com.typesafe.akka:akka-actor_2.11` to version 2.4.17, 2.5-M2 or higher.	[,2.4.17) [2.5-alpha,2.5-M2)

Arbitrary Code Execution

com.typesafe.akka:akka-actor_2.11 is a toolkit for building highly concurrent, distributed, and resilient message-driven applications for Java and Scala.

Affected versions of this package are vulnerable to Arbitrary Code Execution. An attacker that can connect to an ActorSystem exposed via Akka Remote over TCP can gain remote code execution capabilities in the context of the JVM process that runs the ActorSystem if:

JavaSerializer is enabled (default in Akka 2.4.x)

and TLS is disabled or TLS is enabled with akka.remote.netty.ssl.security.require-mutual-authentication = false (which is still the default in Akka 2.4.x)
or if TLS is enabled with mutual authentication and the authentication keys of a host that is allowed to connect have been compromised, an attacker gained access to a valid certificate (e.g. by compromising a node with certificates issued by the same internal PKI tree to get access of the certificate)

regardless of whether untrusted mode is enabled or not

Java deserialization is known to be vulnerable to attacks when attacker can provide arbitrary types.

How to fix Arbitrary Code Execution?

Upgrade com.typesafe.akka:akka-actor_2.11 to version 2.4.17, 2.5-M2 or higher.

[,2.4.17) [2.5-alpha,2.5-M2)

Go back to all versions of this package

com.typesafe.akka:akka-actor_2.11@2.4.3 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities