Impact on Akka 2.5.29 due to Netty CVE-2019-20444/20445

In Akka 2.5.29, Netty 3.10.6-Final is added as a dependency. This version of Netty is impacted by vulnerabilities CVE-2019-16869, CVE-2019-20444 and CVE-2019-20445. Is there a solution provided by Akka to come out of this issue, or is Akka not impacted by these vulnerabilities?

I think Akka is not impacted: Netty is only used by the classic TCP remoting, so if you switch to Artery I think you should be able to exclude the Netty dependency entirely.

Even if you do use classic remoting, those 3 CVEs seem to be about HTTP features, while akka-remote only uses more low-level Netty features, so they wouldn’t impact Akka anyway.

I would suggest updating to Akka 2.6 anyway, though 🙂


Thank you. Yeah, we plan to step up to 2.6 but are hesitating due to the fact that this version removes OSGi support and the RSA cipher. Also, does the CVE on Google protobuf, CVE-2015-5237, impact Akka 2.5.29?

Actually we’ve been planning to remove OSGi support for a while now (Remove OSGi support · Issue #28304 · akka/akka · GitHub) but haven’t actually done it. Did you run into any problems?

I’m not sure I know what change you are referring to here.

Yes and no: protobuf is used for serializing messages that go from one cluster node to another. An attacker that can send cluster messages can cause trouble anyway, so you should secure the remoting port so attackers cannot access it. If you have successfully done that, an attacker cannot trigger the protobuf vulnerability anymore either.
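As an added example (not from this thread and not Akka's own configuration), here is the remoting setup the replies above point to: Artery enabled so the classic Netty transport is unused, and the remoting port protected with TLS and mutual authentication rather than left open. The hostname, file paths and environment variable names are placeholders; the setting names are Akka 2.6's `akka.remote.artery` keys.

```hocon
akka {
  remote {
    artery {
      # Artery replaces the classic Netty-based remoting, so the Netty 3
      # transport code is never exercised. (Artery is the default in 2.6;
      # on 2.5 it must be switched on explicitly.)
      enabled = on

      # Weak setting: transport = tcp sends cluster/remote messages in
      # plaintext, so anyone who can reach the port can inject messages.
      # Hardened setting: tls-tcp wraps the connection in TLS.
      transport = tls-tcp

      # Bind to an internal address only; never the public interface.
      canonical.hostname = "node1.internal.example"   # placeholder
      canonical.port = 25520

      ssl.config-ssl-engine {
        # Node key/cert and the CA trust store (placeholder paths);
        # passwords come from the environment, not from the config file.
        key-store            = "/etc/akka/node1.p12"
        key-store-password   = ${?AKKA_KEYSTORE_PASSWORD}
        key-password         = ${?AKKA_KEY_PASSWORD}
        trust-store          = "/etc/akka/truststore.p12"
        trust-store-password = ${?AKKA_TRUSTSTORE_PASSWORD}

        protocol = "TLSv1.2"
        enabled-algorithms = ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]

        # Weak setting: require-mutual-authentication = off lets any
        # client that trusts the CA connect. Hardened setting: on, so a
        # peer must present a certificate signed by the trusted CA before
        # it can send remoting (and therefore protobuf-encoded) messages.
        require-mutual-authentication = on
      }
    }
  }
}
```

With classic remoting unused, the `io.netty:netty` artifact that akka-remote still pulls in transitively can be excluded in the build tool; that exclusion belongs in the sbt/Maven definition, not in this config.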

When I said RSA, I was referring to the following section of the Akka documentation:

# The Key setup this implementation supports has some limitations:
# 1. the private key must be provided on a PKCS#1 or a non-encrypted PKCS#8 PEM-formatted file
# 2. the private key must be of an algorithm supported by akka-pki tools (e.g. "RSA", not "EC")
# 3. the node certificate must be issued by a root CA (not an intermediate CA)
# 4. both the node and the CA certificates must be provided in PEM-formatted files

That’s a limitation of the ‘rotating keys’ feature, which was added in 2.6.6, so you don’t have that on 2.5 anyway?

Does the ‘rotating keys’ feature refer to dynamic loading of new certificates?
And, when you say ‘planning to remove OSGi support’, is there an alternate way decided for users of OSGified Akka?

Yes, for Artery TCP (Allow certificate rotation on Artery TCP connections · Issue #29146 · akka/akka · GitHub)

See the ticket for details: we’d like to remove it from the main repo, and there are some ideas on how to support it out-of-tree.

Hi, we tried updating to the latest Akka version but reached an obstacle, as mentioned in the ticket Add OSGified version of akka-pki · Issue #5 · woq-blended/akka-osgi · GitHub

We tried all Typesafe Akka versions from 2.6.6 to 2.6.16 and the problem persists in every one of them. Due to the mentioned OSGi problem with the new akka-pki jar, we are stuck with the update. Could you please check on that?