Impact on Akka 2.5.29 due to Netty CVE-2019-20444/20445

In Akka 2.5.29, Netty 3.10.6-Final is added as dependency. And this version of Netty is impacted by vulnerabilities CVE-2019-16869, CVE-2019-20444 and CVE-2019-20445. Is there a solution provided by Akka to come out of this issue or is Akka not impacted by these vulnerabilities?

I think Akka is not impacted: Netty is only used by the classic TCP remoting, so if you switch to Artery I think you should be able to exclude the Netty dependency entirely.

Even if you do use classic remoting, those 3 CVE’s seem to be about HTTP features, while akka-remote only uses more low-level Netty features, so they wouldn’t impact Akka anyway.

I would suggest updating to Akka 2.6 anyway, though :slight_smile:

1 Like

Thank you. Yeah we plan to step up to 2.6 but hesitating due to the fact that this version removes OSGi support and RSA cipher. Also, does the CVE on google protobuf CVE-2015-5237 impact Akka 2.5.29 ?

Actually we’ve been planning to remove OSGi support for a while now (Remove OSGi support · Issue #28304 · akka/akka · GitHub) but haven’t actually done it. Did you run into any problems?

I’m not sure I know what change you are referring to here

Yes and no: protobuf is used for serializing messages that go from one cluster node to another. An attacker that can send cluster messages can cause trouble anyway, so you should secure the remoting port so attackers cannot access it. If you have successfully done that, an attacker cannot trigger the protobuf vulnerability anymore either.

When I meant RSA, I was referring to the following section of Akka documentation

# The Key setup this implementation supports has some limitations:
# 1. the private key must be provided on a PKCS#1 or a non-encrypted PKCS#8 PEM-formatted file
# 2. the private key must be be of an algorythm supported by akka-pki tools (e.g. “RSA”, not “EC”)
# 3. the node certificate must be issued by a root CA (not an intermediate CA)
# 4. both the node and the CA certificates must be provided in PEM-formatted files

That’s a limitation of the ‘rotating keys’ feature, which was added in 2.6.6 - so you don’t have that on 2.5 anyway?

Does the ‘rotating keys’ refer to dynamic loading of new certificates?
And, when you say 'planning to remove OSGi support, is there a alternate way decided for users of osgified Akka?

Yes, for Artery TCP (Allow certificate rotation on Artery TCP connections · Issue #29146 · akka/akka · GitHub)

See the ticket for details - we’d like to remove it from the main repo and there are some ideas on how to support it out-of-tree.