akka-actor_2.13 is vulnerable to Denial of Service (DoS)
Score: 75 (High Risk)
In Lightbend Akka versions prior to 2.8.1, the async-dns resolver (used by Akka Discovery in DNS mode and transitively by Akka Cluster Bootstrap) generates predictable DNS transaction IDs, making DNS resolution vulnerable to poisoning attacks. An attacker can forge DNS responses with matching transaction IDs, redirecting traffic to malicious endpoints. If the application does not validate the authenticity of discovered services (e.g., via TLS), this can lead to data exfiltration, such as persistence events being published to an unintended Kafka broker. If validation is in place, the attack results in a denial of access to the intended service.
You are affected if you are using a version that falls within the vulnerable range.
akka-actor_2.13 is vulnerable to Denial of Service (DoS) in versions 2.0 - 2.8.0.
Upgrade the com.typesafe.akka:akka-actor library to the patched version (2.8.1 or later).
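To check a build against the affected range above, the following added example (not part of the original advisory or of Akka) scans dependency listings for `com.typesafe.akka:akka-actor` in versions 2.0 - 2.8.0. The sbt-style and Maven-style input line formats and the sample lines are assumptions constructed for illustration.

```python
import re

# Affected range as stated in the advisory: 2.0 through 2.8.0 (fixed in 2.8.1).
LOW, HIGH = (2, 0, 0), (2, 8, 0)

# Assumed input formats: sbt-style "group:artifact:version" and
# Maven-style "group:artifact:jar:version:scope". The Scala binary suffix
# (_2.12, _2.13, _3) is optional; akka-actor-typed etc. do not match.
COORD = re.compile(
    r"com\.typesafe\.akka:akka-actor(?:_(?P<scala>[\w.]+))?:(?:jar:)?"
    r"(?P<version>\d+(?:\.\d+)*)(?P<qualifier>[-.\w]*)"
)

def parse_version(text):
    """Turn '2.8' or '2.6.20' into a 3-tuple of ints, padding with zeros."""
    parts = [int(p) for p in text.split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def find_vulnerable(lines):
    """Return (line_number, coordinate) for each akka-actor in the range.

    Qualifiers such as -M1 or -RC1 are ignored when comparing, so a
    pre-release of an affected version is reported as affected.
    """
    findings = []
    for lineno, line in enumerate(lines, 1):
        for m in COORD.finditer(line):
            if LOW <= parse_version(m["version"]) <= HIGH:
                findings.append((lineno, m.group(0)))
    return findings

# Constructed sample of dependency-tree lines, not real project output.
SAMPLE = """\
com.typesafe.akka:akka-actor_2.13:2.6.20 [S]
com.typesafe.akka:akka-actor-typed_2.13:2.6.20 [S]
com.typesafe.akka:akka-actor_2.13:jar:2.8.0:compile
com.typesafe.akka:akka-actor_3:2.8.1
com.typesafe.akka:akka-actor_2.13:2.8.0-M1
org.apache.kafka:kafka-clients:3.4.0
""".splitlines()

if __name__ == "__main__":
    for lineno, coord in find_vulnerable(SAMPLE):
        print(f"line {lineno}: {coord} is in the affected range, upgrade to 2.8.1+")
```

Because the resolver is pulled in transitively by Akka Discovery and Akka Cluster Bootstrap, run the check against the fully resolved dependency tree rather than only the direct dependencies in the build file.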