DoS Vulnerability in Akka-http <= 10.2.6


TL;DR

SureCloud Cyber identified a denial of service (DoS) vulnerability in Akka-http 10.2.6 and earlier. An Akka-http application that is exposed to the Internet can be remotely crashed by sending a crafted User-Agent header, leading to a loss of availability. At the time of writing, there are around 10k Akka-http servers exposed on the Internet (according to Shodan.io – https://www.shodan.io/search?query=Server%3A+akka-http).

The following article aims to provide a technical overview of the identified vulnerability.

Test Environment

Akka is a free and open-source toolkit and runtime simplifying the construction of concurrent and distributed applications on the JVM. It is developed and maintained by Lightbend. The project’s URL is https://akka.io and it has more than 11k stars and 3k forks on GitHub (https://github.com/akka/akka).

The test environment used during the discovery was as follows:

  • akka-http-quickstart-scala.g8 running on Java 11.0.12
  • Scala sbt 1.5.5
  • Scala 2.12.14
  • akka-http 10.2.6

CVE-2021-42697 (DoS in akka-http)

The consultant observed that while parsing a request containing a `User-Agent` header with deeply nested comments, Akka HTTP may fail with a stack overflow in the parser. Stack overflows are handled as fatal errors in Akka leading to a complete shutdown of the application.

The malformed request that could cause the stack overflow error is:

Remediation

Starting from Akka HTTP 10.2.7, parsing of nested comments is limited to a configurable maximum depth. All users of akka-http are strongly advised to upgrade as soon as possible.
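The depth limit that 10.2.7 introduces can also be enforced in front of an unpatched application, for example in a reverse proxy or a log-review script, provided the check itself does not recurse. The following is an added example written for this post, not akka-http's own parser; the default limit of 8, the function names and the sample header values are assumptions.

```python
# Depth-bounded scan of the RFC 7230 "comment" production used in User-Agent:
#   comment = "(" *( ctext / quoted-pair / comment ) ")"
# Nesting is tracked with a counter rather than recursion, so the length of
# the header can never translate into native stack depth.

DEFAULT_MAX_COMMENT_DEPTH = 8  # assumed value, not akka-http's default


class HeaderParseError(ValueError):
    """Raised when a User-Agent value is malformed or nests too deeply."""


def user_agent_comment_depth(value: str,
                             max_depth: int = DEFAULT_MAX_COMMENT_DEPTH) -> int:
    """Return the deepest comment nesting in a User-Agent header value.

    Raises HeaderParseError if nesting exceeds max_depth, if a ')' appears
    outside any comment, or if a comment is left unterminated.
    """
    depth = 0      # current nesting level
    deepest = 0    # maximum nesting level seen so far
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and depth > 0:
            # quoted-pair inside a comment: the next character is literal
            i += 2
            continue
        if ch == "(":
            depth += 1
            if depth > max_depth:
                raise HeaderParseError(
                    f"comment nesting depth exceeds {max_depth}")
            deepest = max(deepest, depth)
        elif ch == ")":
            if depth == 0:
                raise HeaderParseError("unbalanced ')' outside a comment")
            depth -= 1
        i += 1
    if depth != 0:
        raise HeaderParseError("unterminated comment")
    return deepest


def check_user_agent(value: str,
                     max_depth: int = DEFAULT_MAX_COMMENT_DEPTH) -> tuple[bool, str]:
    """Accept/reject decision suitable for a proxy filter or a log scanner."""
    try:
        depth = user_agent_comment_depth(value, max_depth)
    except HeaderParseError as exc:
        return False, str(exc)
    return True, f"ok (max comment depth {depth})"
```

A benign browser User-Agent such as "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko)" (constructed sample) scores depth 1 and passes; a value whose parentheses nest beyond the limit is rejected with a reason string that can be logged.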

Disclosure Timeline:

  • 13/10/2021: Bugs identified and details sent to Lightbend
  • 14/10/2021: Vulnerability acknowledged by Lightbend
  • 02/11/2021: Akka HTTP 10.2.7 released
  • 09/12/2021: This blog post published
