 

Denial-of-Service by stream leak on unconsumed closed connections

Date

2017-01-23

Description of Vulnerability

For requests carrying a request body (including requests using methods that would normally not carry an entity, such as GET), a mistake in the completion handling of a connection could cause memory to leak if the connection was closed before the entity had been consumed. Over time this may exhaust the available memory and cause the system to fail.
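The following is an added example and not code from the advisory or from the Akka project. It shows a defensive practice for Akka HTTP server code on the affected versions: endpoints that ignore the request body explicitly drain it, so that in the normal request flow nothing is left unconsumed when the connection completes. It assumes the Akka HTTP 10.0.x Scala DSL (`extractRequest`, `discardEntityBytes`, `onSuccess`); the route name `/ping` and port are illustrative. It is assumed to reduce exposure in the common case only: it does not change the library's own completion handling, so a client that closes the connection mid-body can still trigger the leak, and upgrading to a fixed version remains the actual remedy.

```scala
import akka.actor.ActorSystem
import akka.http.scaladsl.Http
import akka.http.scaladsl.server.Directives._
import akka.stream.ActorMaterializer

import scala.io.StdIn

// Added example: an endpoint that never reads the request body still drains it.
object DrainingServer extends App {
  implicit val system = ActorSystem("drain-example")
  implicit val materializer = ActorMaterializer()
  implicit val ec = system.dispatcher

  val route =
    path("ping") {          // hypothetical endpoint, not from the advisory
      get {
        // A GET normally carries no entity, but a client may send one anyway.
        extractRequest { req =>
          // discardEntityBytes() materializes the entity stream and drops the
          // bytes; its future completes once the body has been fully consumed.
          // For an empty entity it completes immediately.
          onSuccess(req.discardEntityBytes().future) { _ =>
            complete("pong")
          }
        }
      }
    }

  // Assumption: local bind address and port chosen for the example only.
  val binding = Http().bindAndHandle(route, "127.0.0.1", 8080)

  println("Server online at http://127.0.0.1:8080/ping (press ENTER to stop)")
  StdIn.readLine()

  binding
    .flatMap(_.unbind())
    .onComplete(_ => system.terminate())
}
```

Applying the same pattern in a top-level wrapper (draining in every route that does not itself consume the entity) is a reasonable hardening step, but it is not a substitute for the patched release.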

Please subscribe to the akka-security mailing list to be notified promptly about future security issues.

Severity

The CVSS score of this vulnerability is 6.4 (Medium), based on vector AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C.

Affected Versions

Fixed Versions

We have prepared patches for the affected versions, and have released the following versions which resolve the issue:

The patched releases contain no other changes except the single patch that addresses the memory leak vulnerability. Binary and source compatibility have been maintained, so the upgrade procedure is as simple as changing the library dependency.

Additional Important Information

Note that Play and Lagom applications are not impacted by this vulnerability, regardless of whether they are using the Akka HTTP backend or the Netty backend.

If you have any questions or need any help, please contact [email protected].

Acknowledgements

We would like to thank Dmitry Kolesnikov & Lari Hotari for their thorough investigation and bringing this issue to our attention.