Akka HTTP: Illegal Media Range in Accept Header Causes StackOverflowError Leading to Denial of Service


Konrad Malawski

May 3, 2017, 8:28:07 PM5/3/17
to Akka Security
Dear Lightbend Subscribers and users of Akka HTTP,

This announcement is to notify you of the immediate availability of an Akka HTTP security patch that addresses a serious vulnerability reported to us on April 30, 2017.
We strongly urge all users to update to Akka HTTP 10.0.6, the latest version, as soon as possible.


Date
3 May 2017

Description of Vulnerability
Handling a request that carries an Accept header with an unsupported media range starting with a wildcard but having a specific subtype (e.g. */boom) leads to a stack overflow during negotiation of the content type. By default, stack overflows are treated as fatal errors, so the JVM process will shut itself down immediately.
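As an added illustration (not part of the advisory or of the Akka HTTP code base), the following Python check parses an Accept header and flags media ranges such as */boom that combine a wildcard type with a concrete subtype, which RFC 7231 does not permit; an edge filter can reject such requests with 400, or a log-review script can count them, before they reach content negotiation. The names parse_accept and has_illegal_media_range are hypothetical.

```python
import re
from typing import List, NamedTuple

# RFC 7231 token characters (tchar); used to validate type and subtype names.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class MediaRange(NamedTuple):
    type: str
    subtype: str
    q: float
    illegal: bool  # True for a wildcard type with a concrete subtype, e.g. "*/boom"


def parse_accept(header: str) -> List[MediaRange]:
    """Split an Accept header into media ranges with their q-values.

    RFC 7231 allows "*/*", "type/*" and "type/subtype"; a range whose type is
    "*" but whose subtype is not (the shape behind the Akka HTTP stack
    overflow) is flagged as illegal, as is anything that is not type/subtype.
    """
    ranges: List[MediaRange] = []
    for element in header.split(","):
        element = element.strip()
        if not element:
            continue
        media, *params = [p.strip() for p in element.split(";")]
        q = 1.0
        for param in params:
            name, _, value = param.partition("=")
            if name.strip().lower() == "q":
                try:
                    q = float(value.strip())
                except ValueError:
                    q = 0.0  # unparsable q-value: treat as "not acceptable"
        if "/" not in media:
            ranges.append(MediaRange(media.lower(), "", q, True))
            continue
        mtype, subtype = (s.strip().lower() for s in media.split("/", 1))
        wildcard_type_concrete_subtype = mtype == "*" and subtype != "*"
        bad_token = not (_TOKEN.match(mtype) and _TOKEN.match(subtype))
        ranges.append(MediaRange(mtype, subtype, q,
                                 wildcard_type_concrete_subtype or bad_token))
    return ranges


def has_illegal_media_range(header: str) -> bool:
    """True if the header carries any range that should be rejected up front."""
    return any(r.illegal for r in parse_accept(header))
```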

Severity
The CVSS score of this vulnerability is 7.8 (High), based on vector (AV:N/AC:L/Au:N/C:N/I:N/A:C).

Impact
All Akka HTTP servers using the high-level routing DSL are affected. The infinite recursion happens inside the complete directive which is used in every Akka HTTP application using the high-level DSL.

A remote attacker who is able to send an HTTP request with such a malformed Accept header to an Akka HTTP application can cause a StackOverflowException and, if the exception remains unhandled, effectively shut down the server.

Applications written using only the low-level API from akka-http-core but not the routing DSL are not affected.

Affected versions
  • akka-http prior to 10.0.6 and 2.4.11.2

Notably not affected:

  • Play Framework (regardless of used server backend)
  • Lagom Framework
  • Low-level akka-http-core APIs
Fixed versions

Please note that the 2.4.11.2 release contains no other changes except the single patch that addresses the vulnerability. Binary and source compatibility has been maintained so the upgrade procedure is as simple as changing the library dependency.

If you have any questions or need any help, please contact sup...@lightbend.com.

Compatibility notes

We strongly suggest upgrading to Akka 10.0.6 or later. Akka 10.0.x is backwards binary compatible with previous 10.0.x releases and Akka 2.4.x. This means that the new JARs are a drop-in replacement for the old ones (but not the other way around) as long as your build does not enable the inliner (Scala-only restriction). It should be noted that Scala 2.12.x is not binary compatible with Scala 2.11.x.

Acknowledgements
We would like to thank Martins Rumkovskis for finding and reporting this vulnerability.

At the same time we would like to remind our users that security related issues should be reported using our secu...@akka.io alias, so that we can prevent a vulnerability from being exploited while we work on a workaround or fix.


– The Lightbend Akka Team