Arbitrary Code Execution Affecting com.typesafe.akka:akka-actor_2.12 package, versions [,2.4.17)[2.5-alpha,2.5-M2)


Severity

high (CVSS assessment made by Snyk's Security Team)

Threat Intelligence

EPSS: 0.9% (83rd percentile)

  • Snyk ID: SNYK-JAVA-COMTYPESAFEAKKA-31453
  • published: 8 Aug 2017
  • disclosed: 9 Feb 2017
  • credit: Alvaro Munoz, Adrian Bravo

Introduced: 9 Feb 2017

CVE-2017-1000034
CWE-94

How to fix?

Upgrade com.typesafe.akka:akka-actor_2.12 to version 2.4.17, 2.5-M2 or higher.

Overview

com.typesafe.akka:akka-actor_2.12 is a toolkit for building highly concurrent, distributed, and resilient message-driven applications for Java and Scala.

Affected versions of this package are vulnerable to Arbitrary Code Execution. An attacker that can connect to an ActorSystem exposed via Akka Remote over TCP can gain remote code execution capabilities in the context of the JVM process that runs the ActorSystem if:

  • JavaSerializer is enabled (default in Akka 2.4.x)
  • and TLS is disabled or TLS is enabled with akka.remote.netty.ssl.security.require-mutual-authentication = false (which is still the default in Akka 2.4.x)
  • or if TLS is enabled with mutual authentication and the authentication keys of a host that is allowed to connect have been compromised, i.e. an attacker has obtained a valid certificate (e.g. by compromising a node whose certificate was issued by the same internal PKI tree)
  • regardless of whether untrusted mode is enabled or not

Java deserialization is known to be vulnerable to attacks when an attacker can provide arbitrary types.
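To make the conditions above concrete, here is an illustrative Akka remoting configuration with the weak settings beside a hardened counterpart. This is an added example, not configuration from the advisory or from the Akka project; the only key taken from the advisory is `akka.remote.netty.ssl.security.require-mutual-authentication`, while the transport, key-store, serializer-control keys, host names and paths are assumed from the Akka reference configuration and are placeholders (`allow-java-serialization` is assumed to be available only from Akka 2.5 onward).

```hocon
# --- application.conf (weak): matches the vulnerable conditions ---
# Plain TCP remoting, Java serialization left enabled (2.4.x default),
# and no client certificate requirement even if TLS were switched on.
akka {
  remote {
    enabled-transports = ["akka.remote.netty.tcp"]   # assumed key
    netty.tcp {
      hostname = "0.0.0.0"   # placeholder: bound on every interface
      port = 2552
    }
    # explicit here for contrast; this is the Akka 2.4.x default value
    netty.ssl.security.require-mutual-authentication = false
  }
}

# --- application.conf (hardened): TLS-only, mutual auth, no JavaSerializer ---
akka {
  actor {
    # assumed 2.4.x keys: log any use of JavaSerializer and enable the
    # non-Java serializers Akka ships for its own message types
    warn-about-java-serializer-usage = on
    enable-additional-serialization-bindings = on
    # assumed Akka 2.5+ key: reject Java serialization outright
    allow-java-serialization = off
  }
  remote {
    enabled-transports = ["akka.remote.netty.ssl"]   # assumed key
    netty.ssl {
      hostname = "node1.internal.example"   # placeholder host name
      port = 2552
      security {                             # assumed keys, placeholder paths
        key-store            = "/etc/akka/node1-keystore.p12"
        key-store-password   = ${?AKKA_KEYSTORE_PW}    # read from environment
        key-password         = ${?AKKA_KEY_PW}
        trust-store          = "/etc/akka/truststore.p12"
        trust-store-password = ${?AKKA_TRUSTSTORE_PW}
        protocol             = "TLSv1.2"
        # the setting named in the advisory: peers must present a
        # certificate chaining to the trust store before any message
        # (and therefore any serialized payload) is accepted
        require-mutual-authentication = true
      }
    }
  }
}
```

Note that the two `akka { }` blocks are shown in one file for side-by-side reading only; HOCON merges duplicate keys, so in a real deployment use only the hardened block, and remember that the advisory applies regardless of `untrusted-mode`, so configuration is no substitute for upgrading to 2.4.17 / 2.5-M2 or later.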

CVSS Scores

version 3.1