We are using the latest v2.6 akka-cluster, akka-actor and akka-remote (Artery) modules in our application.
We don’t use LazyList in our application, but I am not sure if akka really uses it.
So I am trying to understand if there is an impact of CVE-2022-36944 on these akka modules.
Any help would be greatly appreciated!!!
Thanks in advance!!!
LazyList is not used in any of the Akka modules as a message, but if:
- your application uses Java serialization for your messages (disabled by default since Akka 2.6.0 and not recommended),
- and you use LazyList as a message itself or as a field in your messages sent between nodes and configured to allow deserializing with Java serialization (a relatively strange/unlikely type to use as messages),
- and you have a cluster where an untrusted party would be allowed to connect to the cluster/Akka Remoting ports (also not recommended),
you could be at risk.
Making sure to update to Scala 2.13.9 seems like a good idea regardless.
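The first of those conditions is a configuration check. As an added illustration (this fragment is written for this thread and is not from the Akka documentation or the original poster's config), the relevant `akka.actor` settings look like this in HOCON; the `com.example.MySerializable` marker trait is a hypothetical name, and the `jackson-json` serializer assumes the `akka-serialization-jackson` module is on the classpath:

```hocon
akka {
  actor {
    # Default since Akka 2.6.0. If any config file or include sets this to "on",
    # Java serialization is enabled and the first condition above applies.
    allow-java-serialization = off

    # Log a warning whenever the Java serializer is used, so a stray
    # java.io.Serializable message is visible in the logs.
    warn-about-java-serializer-usage = on

    # Hypothetical binding: route messages marked with your own marker trait
    # to a non-Java serializer (here Jackson JSON, from akka-serialization-jackson).
    serialization-bindings {
      "com.example.MySerializable" = jackson-json
    }
  }
}
```

The value that matters is the effective one after all includes and overrides are merged; a quick way to see it is to log `system.settings.config.getString("akka.actor.allow-java-serialization")` at startup, or to check the settings dump Akka logs when `akka.log-config-on-start = on`.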
Thank you johanandren. It was really helpful.
We don't use LazyList in our application either. Nevertheless, we are planning to update to scala-library 2.13.9.
But I see scala-library 2.13.8 as the compile dependency for these akka modules. To force 2.13.9, I can override this dependency in our application pom.xml. But is this a recommended option? If not, will there be a new akka version released to use the scala-library 2.13.9?
This is generally correct, but I would argue one point here.
The application does not need to be using LazyList at all. Any object being deserialized with Java deserialization when a vulnerable version of Scala is on the classpath is vulnerable.
This is because the expected object can be substituted with a serialized LazyList object, leading to the gadget chain.
I am attempting to work with Mitre to update the language in the description to reflect this.
However, as noted, it is still required that Java deserialization is being used and the object is able to be controlled by the attacker. Neither of these should normally be happening regardless of this vulnerability.
Source: I am the researcher who discovered the gadget chain.
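As an added illustration of the point above (example code written for this thread, not Akka's or Scala's own code, and not the gadget chain itself), the following Scala 2.13 program shows why "we don't use LazyList" is not a defence once Java deserialization is in play: a plain `ObjectInputStream` instantiates whatever class the stream names before the receiver's cast ever runs. It then shows the standard mitigation, a JEP 290 deserialization filter (JDK 9+) that allow-lists the expected class and rejects everything else. The "substituted" payload is a harmless, fully evaluated `LazyList(1, 2, 3)` standing in for an attacker-controlled one. `ExpectedMessage`, `DeserializationFilterDemo` and `acceptOnlyExpected` are hypothetical names; compile it as a plain file, not in the REPL, so the class name in the filter pattern matches.

```scala
// Added example for this thread (not Akka or Scala project code).
// Assumes Scala 2.13 and a JDK 9+ (java.io.ObjectInputFilter).
import java.io.{ByteArrayInputStream, ByteArrayOutputStream, InvalidClassException,
                ObjectInputFilter, ObjectInputStream, ObjectOutputStream}

// The message type the receiving side *expects* (hypothetical; case classes are Serializable).
final case class ExpectedMessage(id: Int, text: String)

object DeserializationFilterDemo {

  def serialize(obj: AnyRef): Array[Byte] = {
    val bos = new ByteArrayOutputStream()
    val oos = new ObjectOutputStream(bos)
    try oos.writeObject(obj) finally oos.close()
    bos.toByteArray
  }

  // Unfiltered readObject: whatever class the stream names is instantiated and
  // its deserialization hooks run. A cast to ExpectedMessage would fail only
  // afterwards, i.e. after any gadget in the stream has already executed.
  def readUnfiltered(bytes: Array[Byte]): AnyRef = {
    val ois = new ObjectInputStream(new ByteArrayInputStream(bytes))
    try ois.readObject() finally ois.close()
  }

  // Allow-list filter (hypothetical name): only ExpectedMessage and the JDK
  // types its fields may carry are accepted; "!*" rejects every other class,
  // including scala.collection.immutable.LazyList and its SerializationProxy,
  // before any of their deserialization code runs. maxdepth/maxrefs also
  // bound resource abuse from deeply nested or heavily shared graphs.
  private val acceptOnlyExpected: ObjectInputFilter =
    ObjectInputFilter.Config.createFilter(
      "ExpectedMessage;java.lang.String;java.lang.Integer;!*;maxdepth=8;maxrefs=64")

  def readFiltered(bytes: Array[Byte]): AnyRef = {
    val ois = new ObjectInputStream(new ByteArrayInputStream(bytes))
    ois.setObjectInputFilter(acceptOnlyExpected)
    try ois.readObject() finally ois.close()
  }

  def main(args: Array[String]): Unit = {
    val legit = serialize(ExpectedMessage(1, "hello"))
    // Stand-in for an attacker-substituted payload: a harmless, forced LazyList,
    // not the gadget chain. The receiver never asked for this type, yet an
    // unfiltered stream instantiates it anyway.
    val substituted = serialize(LazyList(1, 2, 3).force)

    println(readUnfiltered(legit))        // the ExpectedMessage
    println(readUnfiltered(substituted))  // a LazyList, deserialized despite the receiver's expectations

    println(readFiltered(legit))          // the ExpectedMessage, accepted by the allow-list
    try readFiltered(substituted)         // rejected before LazyList's readObject runs
    catch { case e: InvalidClassException => println(s"rejected: ${e.getMessage}") }
  }
}
```

The rejection surfaces as an `InvalidClassException` with a "filter status: REJECTED" message. The same filter can be installed process-wide with the `jdk.serialFilter` system property instead of per stream, which is the practical option when the `ObjectInputStream` is created inside a library rather than in your own code.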
Thanks for clarifying @marcbohler
Bumping the dependency in your own project without a new Akka release should be no problem @gwaskarthik
Given that we do not recommend Java serialization at all, I'm not sure we will do a 2.6 release just for the Scala upgrade; however, the upcoming Akka 2.7 will definitely bump Scala to 2.13.9.
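For the Maven case raised above, the override goes in `dependencyManagement`, which wins over the transitive version declared by the akka artifacts. This fragment is an added example for this thread, not from the Akka project or the original poster's pom.xml; the akka artifact coordinates themselves are not shown and stay as they already are in your pom.

```xml
<dependencyManagement>
  <dependencies>
    <!-- Pins scala-library for the whole build, overriding the 2.13.8
         version the akka 2.6 artifacts declare transitively. -->
    <dependency>
      <groupId>org.scala-lang</groupId>
      <artifactId>scala-library</artifactId>
      <version>2.13.9</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```

After the change, confirm the resolved version with `mvn dependency:tree -Dincludes=org.scala-lang:scala-library` and check that no other artifact (scala-reflect, for instance) still pulls in 2.13.8 alongside it.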
Thank you very much @marcbohler and @johanandren for the clear explanation and support.
We will now update our scala version to 2.13.9.