Dear hakkers,
We are happy to announce the 10.2.4 and 10.1.14 releases of Akka HTTP. This release is a security fix release.
Changes
These releases fix CVE-2021-23339, a vulnerability regarding interpretation of Transfer-Encoding
headers. See
Incorrect Handling Of Transfer-Encoding Header for more information.
The vulnerability cannot be exploited using just Akka HTTP itself. Instead, Akka HTTP must be used as a proxy and the downstream server must be vulnerable itself, so
that the proxy and the downstream server disagree on how to interpret a malformed request containing both Transfer-Encoding
and Content-Length
headers potentially
leading to a “Request Smuggling” vulnerability. If you are using Akka HTTP as a reverse proxy, make sure to upgrade to the latest version.
Starting from this version, only a single Transfer-Encoding: chunked
header is allowed. HTTP/1.1 specifies other encodings, however, those are not supported or
implemented in Akka HTTP. Formerly, Akka HTTP would just pass on unsupported Transfer-Encoding
headers to the user which lead to the above security issue. Since
Akka HTTP implements the “Transfer” part of the protocol, it seems reasonable to lock down allowed values for Transfer-Encoding
to prevent security issues like this.
Please let us know if this leads to compatibility problems with your software.
Credits
The complete list of closed issues can be found on the 10.2.4 and 10.1.14 milestones on GitHub. For this release we had the help of 9 contributors – thank you all very much!
commits added removed
4 154 96 Johan Andrén
3 82 12 Johannes Rudolph
2 966 967 Nitika Agarwal
1 171 4 Arman Bilge
1 0 10 Sathiya
1 5 0 Ignasi Marimon-Clos
Akka by Lightbend
The Akka core team is employed by Lightbend. If you’re looking to take your Akka systems to the next level, let’s set up a time to discuss our enterprise-grade expert support, self-paced education courses, and technology enhancements that help you manage, monitor and secure your Akka systems - from development to production.
Happy hakking!
– The Akka Team