An attacker that can connect to an
ActorSystem exposed via Akka Remote over TCP can gain remote code execution
capabilities in the context of the JVM process that runs the ActorSystem if:
JavaSerializeris enabled (default in Akka 2.4.x)
akka.remote.netty.ssl.security.require-mutual-authentication = false(which is still the default in Akka 2.4.x)
untrustedmode is enabled or not
Java deserialization is known to be vulnerable to attacks when attacker can provide arbitrary types.
Akka Remoting uses Java serializer as default configuration which makes it vulnerable in its default form. The documentation of how to disable Java serializer was not complete. The documentation of how to enable mutual authentication was missing (only described in reference.conf).
To protect against such attacks the system should be updated to Akka 2.4.17 or later and be configured with disabled Java serializer. Additional protection can be achieved when running in an untrusted network by enabling @ref:TLS with mutual authentication.
Please subscribe to the akka-security mailing list to be notified promptly about future security issues.
The CVSS score of this vulnerability is 6.8 (Medium), based on vector AV:A/AC:M/Au:N/C:C/I:C/A:C/E:F/RL:TF/RC:C.
Rationale for the score:
We have prepared patches for the affected versions, and have released the following versions which resolve the issue:
Binary and source compatibility has been maintained for the patched releases so the upgrade procedure is as simple as changing the library dependency.
It will also be fixed in 2.5-M2 or 2.5.0-RC1.
We would like to thank Alvaro Munoz at Hewlett Packard Enterprise Security & Adrian Bravo at Workday for their thorough investigation and bringing this issue to our attention.