Dear hakkers,
We are happy to announce the 10.1.15 release of Akka HTTP. This release is an important security fix release. Note, that we do not plan any further releases for 10.1.x, so please consider upgrading soon to the latest supported release line, 10.2.x.
This release fixes CVE-2021-42697, a parsing problem that can lead to a remotely forced shutdown of an Akka HTTP server. See Stack overflow while parsing User-Agent header with deeply nested comments for more information.
Thanks to Simone Quatrini from SureCloud who responsibly disclosed this problem to us.
Another issue has been fixed in relation to header rendering (#3717). Akka HTTP does not validate that header values (or keys) are well-formed when those are provided as Strings (e.g. in a RawHeader). In particular, HTTP headers are not allowed
to contain the special characters '\r' or '\n' which are used to delineate headers in an HTTP message. Before 10.2.7, Akka HTTP would naively render those broken header values leading to broken HTTP messages. The generation of headers is usually in complete control of the application. However, an application may accidentally pass incoming unvalidated user data to response headers. In such a case, a remote user might be able to inject line terminators into the response headers leading to invalid or misleading HTTP response messages. Depending on the server setup, this can be a building block for
severe attacks.
To mitigate this issue, Akka HTTP now discards outgoing headers containing line terminators and logs a warning. Users are encouraged to be on the watch when creating headers (or any kind of outgoing data) from unvalidated user input as this is a common vector for different kinds of attacks.
A few smaller issues have been backported as well, see below.
Please update as soon as possible.
Please subscribe to https://groups.google.com/g/akka-security to receive high-importance, low-frequency updates about security issues in Akka projects. Security issues can be reported to security@lightbend.com.
Changes
akka-http-core
- Discard outgoing headers containing line breaks #3922
- Limit comment nesting in header parser #3941
- Add pool keep-alive-timeout #3816
- Don’t send ‘100 Continue’ if ‘Content-Length’ header is 0, doesn’t exist or data got send early #3787
- Update to Scala 2.13.7 #3945
- Fix MessageSpec with higher test.timefactor values #3880
Credits
The complete list of closed issues can be found on the 10.1.15 milestone
on GitHub.
For this release we had the help of 3 contributors – thank you all very much!
commits added removed
15 729 288 Johannes Rudolph
1 123 0 Matthias Kurz
1 1 0 Johan Andrén
Akka by Lightbend
The Akka core team is employed by Lightbend. If you’re looking to take your Akka systems to the next level, let’s set up a time to discuss our enterprise-grade expert support, self-paced education courses, and technology enhancements that help you manage, monitor and secure your Akka systems - from development to production.
Happy hakking!
– The Akka Team