TL;DR
SureCloud Cyber identified a denial of service (DoS) vulnerability in Akka-http prior to 10.2.6. An Akka-http application that is exposed to the Internet can be remotely crashed by sending a crafted User-Agent header, leading to a loss of availability. At the time of writing, there are around 10k Akka-http servers exposed on the Internet (according to Shodan.io – https://www.shodan.io/search?query=Server%3A+akka-http).
The following article aims to provide a technical overview of the identified vulnerability.
Test Environment
Akka is a free and open-source toolkit and runtime that simplifies the construction of concurrent and distributed applications on the JVM. It is developed and maintained by Lightbend. The project's URL is https://akka.io and it has more than 11k stars and 3k forks on GitHub (https://github.com/akka/akka).
The test environment used during the discovery was as follows:
- akka-http-quickstart-scala.g8 running on Java 11.0.12
- Scala sbt 1.5.5
- Scala 2.12.14
- akka-http 10.2.6
CVE-2021-42697 (DoS in akka-http)
The consultant observed that while parsing a request containing a `User-Agent` header with deeply nested comments, Akka HTTP may fail with a stack overflow in the parser. Stack overflows are handled as fatal errors in Akka, leading to a complete shutdown of the application.
The malformed request that could cause the stack overflow error is:
Remediation
Starting from Akka 10.2.7, parsing of nested comments will be limited to a configurable maximum depth. All users of akka-http are strongly advised to upgrade as soon as possible.
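As an added example (not Akka HTTP's own parser), the following Python code shows the class of fix described above for the nested-comment issue: an RFC 7230 `User-Agent` parser whose comment recursion is bounded by a configurable `max_depth`, so an over-nested header is rejected with an ordinary exception (which a server can map to a 400 for that one request) instead of a fatal stack overflow. The function and exception names (`parse_user_agent`, `_parse_comment`, `CommentTooDeep`) are assumptions of this example.

```python
from typing import List, Tuple

class CommentTooDeep(ValueError):
    """Raised when a comment nests deeper than the configured limit."""

def _parse_comment(value: str, pos: int, depth: int, max_depth: int) -> Tuple[str, int]:
    """Parse an RFC 7230 comment at value[pos] == '('; return (text, end_index).
    Recursion is bounded by max_depth, so an over-nested header gives a clean
    error instead of a stack overflow that takes the whole process down."""
    if depth > max_depth:
        raise CommentTooDeep(f"comment nesting exceeds max depth {max_depth}")
    i, parts = pos + 1, []
    while i < len(value):
        c = value[i]
        if c == ")":
            return "".join(parts), i + 1
        if c == "(":  # nested comment: recurse one level deeper
            inner, i = _parse_comment(value, i, depth + 1, max_depth)
            parts.append("(" + inner + ")")
            continue
        if c == "\\":  # quoted-pair: the next character is taken literally
            if i + 1 >= len(value):
                raise ValueError("dangling backslash in comment")
            parts.append(value[i + 1])
            i += 2
            continue
        parts.append(c)
        i += 1
    raise ValueError("unterminated comment")

def parse_user_agent(value: str, max_depth: int = 5) -> List[Tuple[str, str]]:
    """Split a User-Agent value into ('product', text) / ('comment', text) items."""
    items: List[Tuple[str, str]] = []
    i = 0
    while i < len(value):
        c = value[i]
        if c in " \t":
            i += 1
        elif c == "(":
            text, i = _parse_comment(value, i, 1, max_depth)
            items.append(("comment", text))
        elif c == ")":
            raise ValueError("unexpected ')' outside a comment")
        else:  # product token runs until whitespace or a parenthesis
            start = i
            while i < len(value) and value[i] not in " \t()":
                i += 1
            items.append(("product", value[start:i]))
    return items
```

The default limit of 5 is an assumption of this example; the point is that the limit is enforced before each recursive call, so the cost of rejecting a bad header is constant regardless of how deeply it nests.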
Disclosure Timeline:
- 13/10/2021: Bugs identified and details sent to Lightbend
- 14/10/2021: Vulnerability acknowledged by Lightbend
- 02/11/2021: Akka http 10.2.7 released
- 09/12/2021: This blog post published