SureCloud Cyber identified a denial of service (DoS) vulnerability in Akka-http prior to 10.2.6. An Akka-http application that is exposed to the Internet can be remotely crashed by sending a crafted User-Agent header, leading to a loss of availability. At the time of writing, there are around 10k Akka-http servers exposed on the Internet (according to Shodan.io – https://www.shodan.io/search?query=Server%3A+akka-http).
The following article aims to provide a technical overview of the identified vulnerability.
Akka is a free and open-source toolkit and runtime simplifying the construction of concurrent and distributed applications on the JVM. It is developed and maintained by Lightbend. The project’s URL is https://akka.io and it has more than 11k stars and 3k forks on GitHub (https://github.com/akka/akka).
The test environment used during the discovery was as follows:
The consultant observed that while parsing a request containing a `User-Agent` header with deeply nested comments, Akka HTTP may fail with a stack overflow in the parser. Stack overflows are handled as fatal errors in Akka, leading to a complete shutdown of the application.
The malformed request that could cause the stack overflow error is:
Starting from Akka 10.2.7, parsing of nested comments is limited to a configurable maximum depth. All users of the akka-http web technology are strongly advised to upgrade as soon as possible.
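As an added example (not SureCloud's or Akka's code), the following shows the mitigation described above in miniature: a non-recursive scan of the `User-Agent` comment grammar that enforces a maximum nesting depth, of the kind a reverse proxy or WAF could apply in front of a service that has not yet been upgraded. The default limit, the function name and the sample headers are assumptions; Akka's own configuration key and default are not given on the page and are not reproduced here.

```python
from dataclasses import dataclass

# Assumed default limit; the page does not give Akka's configuration key or default value.
DEFAULT_MAX_COMMENT_DEPTH = 8

@dataclass(frozen=True)
class UserAgentCheck:
    ok: bool
    max_depth: int  # deepest comment nesting seen while scanning
    reason: str     # empty when ok

def check_user_agent(header: str, max_comment_depth: int = DEFAULT_MAX_COMMENT_DEPTH) -> UserAgentCheck:
    """RFC 7231: comment = "(" *( ctext / quoted-pair / comment ) ")".
    Iterative scan: constant stack use, unlike a recursive descent that spends a frame per level."""
    depth = deepest = 0
    i, n = 0, len(header)
    while i < n:
        ch = header[i]
        if depth > 0 and ch == "\\":
            i += 2  # quoted-pair: the escaped character is literal and does not change depth
            continue
        if ch == "(":
            depth += 1
            deepest = max(deepest, depth)
            if depth > max_comment_depth:
                return UserAgentCheck(False, deepest, f"comment nesting exceeds {max_comment_depth}")
        elif ch == ")":
            if depth == 0:
                return UserAgentCheck(False, deepest, "')' outside a comment")
            depth -= 1
        i += 1
    if depth:
        return UserAgentCheck(False, deepest, "unterminated comment")
    return UserAgentCheck(True, deepest, "")

# Constructed sample headers (not captured traffic)
SAMPLE_HEADERS = {
    "browser": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko)",
    "nested_ok": "tool/1.0 (outer (inner (deepest)))",
    "escaped": "tool/1.0 (contains \\) an escaped paren)",
    "too_deep": "tool/1.0 " + "(" * 12 + "x" + ")" * 12,
}

def scan_samples(max_comment_depth: int = DEFAULT_MAX_COMMENT_DEPTH) -> dict:
    """Apply the check to every sample, as a reverse proxy or WAF would per request."""
    return {name: check_user_agent(ua, max_comment_depth) for name, ua in SAMPLE_HEADERS.items()}
```

A request whose header fails the check should be rejected with a 4xx response and logged, since the deepest nesting value is a useful indicator for alerting on repeated attempts.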