From the creators of Akka, get technology enhancements, monitoring, and expert support with Akka Platform from Lightbend. Learn More

News & Articles

Full archive

February 24

2021

Akka HTTP 10.2.4 / 10.1.14 Released

Dear hakkers,

We are happy to announce the 10.2.4 and 10.1.14 releases of Akka HTTP. This release is a security fix release.

Changes

These releases fix CVE-2021-23339, a vulnerability regarding interpretation of Transfer-Encoding headers. See Incorrect Handling Of Transfer-Encoding Header for more information.

The vulnerability cannot be exploited using just Akka HTTP itself. Instead, Akka HTTP must be used as a proxy and the downstream server must be vulnerable itself, so that the proxy and the downstream server disagree on how to interpret a malformed request containing both Transfer-Encoding and Content-Length headers potentially leading to a “Request Smuggling” vulnerability. If you are using Akka HTTP as a reverse proxy, make sure to upgrade to the latest version.

Starting from this version, only a single Transfer-Encoding: chunked header is allowed. HTTP/1.1 specifies other encodings, however, those are not supported or implemented in Akka HTTP. Formerly, Akka HTTP would just pass on unsupported Transfer-Encoding headers to the user which lead to the above security issue. Since Akka HTTP implements the “Transfer” part of the protocol, it seems reasonable to lock down allowed values for Transfer-Encoding to prevent security issues like this. Please let us know if this leads to compatibility problems with your software.

Credits

The complete list of closed issues can be found on the 10.2.4 and 10.1.14 milestones on GitHub. For this release we had the help of 9 contributors – thank you all very much!

commits  added  removed
      4    154       96 Johan Andrén
      3     82       12 Johannes Rudolph
      2    966      967 Nitika Agarwal
      1    171        4 Arman Bilge
      1      0       10 Sathiya
      1      5        0 Ignasi Marimon-Clos

Akka by Lightbend

The Akka core team is employed by Lightbend. If you’re looking to take your Akka systems to the next level, let’s set up a time to discuss our enterprise-grade expert support, self-paced education courses, and technology enhancements that help you manage, monitor and secure your Akka systems - from development to production.

Happy hakking!

– The Akka Team