In Lightbend Akka before 2.8.1, the async-dns resolver (used by Discovery in DNS mode and transitively by Cluster Bootstrap) uses predictable DNS transaction IDs when resolving DNS records, making DNS resolution subject to poisoning by an attacker. If the application performing discovery does not validate (e.g., via TLS) the authenticity of the discovered service, this may result in exfiltration of application data (e.g., persistence events may be published to an unintended Kafka broker). If such validation is performed, then the poisoning constitutes a denial of access to the intended service. This affects Akka 2.5.14 through 2.8.0, and Akka Discovery through 2.8.0.
CVE-2023-31442 - High Severity Vulnerability
akka-actor_2.12-2.5.16.jar
akka-actor
Library home page: http://akka.io/
Path to vulnerable library: /home/wss-scanner/.ivy2/cache/com.typesafe.akka/akka-actor_2.12/jars/akka-actor_2.12-2.5.16.jar
Dependency Hierarchy: - akka-stream_2.12-2.5.16.jar (Root Library) - :x: **akka-actor_2.12-2.5.16.jar** (Vulnerable Library)
akka-actor_2.12-2.6.12.jar
Akka is a toolkit for building highly concurrent, distributed, and resilient message-driven applications for Java and Scala.
Library home page: https://akka.io/
Dependency Hierarchy: - :x: **akka-actor_2.12-2.6.12.jar** (Vulnerable Library)
Found in HEAD commit: 0879348474e22463e77dc76ba5e5f7e6300a2b6c
Found in base branch: master
In Lightbend Akka before 2.8.1, the async-dns resolver (used by Discovery in DNS mode and transitively by Cluster Bootstrap) uses predictable DNS transaction IDs when resolving DNS records, making DNS resolution subject to poisoning by an attacker. If the application performing discovery does not validate (e.g., via TLS) the authenticity of the discovered service, this may result in exfiltration of application data (e.g., persistence events may be published to an unintended Kafka broker). If such validation is performed, then the poisoning constitutes a denial of access to the intended service. This affects Akka 2.5.14 through 2.8.0, and Akka Discovery through 2.8.0.
Publish Date: 2023-05-11
URL: CVE-2023-31442
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-31442
Release Date: 2023-05-11
Fix Resolution: com.typesafe.akka:akka-actor:2.8.1
Step up your Open Source Security Game with Mend here