Akka 2.4.17 Security Patch Released!
February 10 2017
Patrik Nordwall

Dear hakkers,

This is to announce the immediate availability of a security patch release, addressing a potential security issue with Java deserialization. An attacker that can connect to an ActorSystem exposed via Akka Remote over TCP can gain remote code execution in the context of the JVM process that runs the ActorSystem if:

  • JavaSerializer is enabled (the default in Akka 2.4.x)
  • and TLS is disabled, or TLS is enabled with akka.remote.netty.ssl.security.require-mutual-authentication = false (still the default in Akka 2.4.x)
  • or TLS is enabled with mutual authentication but the attacker holds a valid certificate, for example because the private key of a host that is allowed to connect was compromised, or because the attacker compromised another node whose certificate was issued by the same internal PKI tree
  • regardless of whether untrusted mode is enabled

To protect against such attacks, update the system to Akka 2.4.17 and disable the Java serializer (akka.actor.allow-java-serialization = off). Additional protection when running in an untrusted network can be achieved by enabling TLS with mutual authentication (akka.remote.netty.ssl.security.require-mutual-authentication = on). Note that mutual authentication alone does not help once a trusted certificate has been compromised, so disabling Java serialization is the primary fix.
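As an added illustration (not configuration taken from the Akka project or from this announcement), here is an application.conf for a 2.4.17 node that applies both recommendations, with the 2.4.x defaults noted in comments. The hostname, keystore paths, environment variable names and the com.example serializer and message classes are placeholders; any real deployment has to supply its own.

```hocon
akka {
  actor {
    # 2.4.x default: on. With this off, any message that would fall back to
    # java.io.Serializable fails to serialize or deserialize instead of
    # reaching ObjectInputStream.
    allow-java-serialization = off

    # 2.4.x default: off (kept off for rolling-upgrade compatibility with older
    # nodes). On, Akka's own internal messages use Akka's serializers rather
    # than Java serialization. All nodes in the cluster must agree on this.
    enable-additional-serialization-bindings = on

    serializers {
      # Assumption: the application ships its own serializer (e.g. protobuf
      # based). The class name is a placeholder.
      app-proto = "com.example.ProtobufSerializer"
    }

    serialization-bindings {
      # Every message type that crosses the wire must be bound explicitly;
      # with allow-java-serialization = off an unbound message fails at send
      # time, which makes missing bindings visible in tests rather than in
      # production. Placeholder class name.
      "com.example.protocol.Message" = app-proto
    }
  }

  remote {
    # Untrusted mode does NOT mitigate this issue: the payload is
    # deserialized before the untrusted-mode checks apply.
    # untrusted-mode = on

    enabled-transports = ["akka.remote.netty.ssl"]

    netty.ssl {
      hostname = "node1.example.internal"   # placeholder
      port = 2552

      security {
        # Assumption: one key pair per node, issued by an internal CA, and a
        # trust store that contains only that CA. Passwords come from the
        # environment (placeholder variable names).
        key-store           = "/etc/akka/node1.jks"
        key-store-password  = ${?AKKA_KEYSTORE_PASSWORD}
        key-password        = ${?AKKA_KEY_PASSWORD}
        trust-store         = "/etc/akka/truststore.jks"
        trust-store-password = ${?AKKA_TRUSTSTORE_PASSWORD}

        protocol = "TLSv1.2"
        enabled-algorithms = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]

        # 2.4.x default: off, meaning any client that completes the TLS
        # handshake is accepted. On, the client must present a certificate
        # the trust store accepts.
        require-mutual-authentication = on
      }
    }
  }
}
```

The serializer setting is the part that closes the deserialization hole; the TLS block only narrows who can reach the transport in the first place, and as the announcement notes, a stolen certificate from the same PKI gets past it.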

The vulnerability was brought to our attention by Alvaro Munoz at Hewlett Packard Enterprise Security & Adrian Bravo at Workday whom we’d like to thank for their thorough investigation and following our security process.

Further details are explained in the Security Announcements section of the Akka documentation.

The release also includes a few other improvements and bug fixes, such as:

  • Cluster Sharding with remember entities doesn’t recover properly after snapshot, #22246
  • Scala 2.12 serialization of Props, #22041
  • Improvements of header compression in Artery, #22139
  • Improvements of latency when inbound-lanes > 1 in Artery, #21365

Credits

A total of 20 issues were closed since 2.4.16.

The complete list of closed issues can be found on the 2.4.17 milestone on GitHub.

For this release we had the help of 9 committers – thank you all very much!

Credits:
commits  added  removed
      7    125       21 Patrik Nordwall
      6   1554      489 Konrad Malawski
      5    228       89 Johannes Rudolph
      3     82        8 Johan Andrén
      1     19        1 Damien Bailly
      1      3        4 Kirill Plyashkevich
      1      2        2 Jeroen Gordijn
      1      1        1 IanGrima

Happy hakking!

– The Akka Team
