Akka HTTP 10.2.7 Released with Security Fix

Dear hakkers,

We are happy to announce the 10.2.7 release of Akka HTTP. This release is an important security fix release.

This release fixes CVE-2021-42697, a parsing problem that can lead to a remotely forced shutdown of an Akka HTTP server. See Stack overflow while parsing User-Agent header with deeply nested comments for more information.

Thanks to Simone Quatrini from SureCloud who responsibly disclosed this problem to us.

Another issue has been fixed in relation to header rendering (#3717). Akka HTTP does not validate that header values (or keys) are well-formed when those are provided as Strings (e.g. in a RawHeader ). In particular, HTTP headers are not allowed to contain the special characters '\r' or '\n' which are used to delineate headers in an HTTP message. Before 10.2.7, Akka HTTP would naively render those broken header values leading to broken HTTP messages. The generation of headers is usually in complete control of the application. However, an application may accidentally pass incoming unvalidated user data to response headers. In such a case, a remote user might be able to inject line terminators into the response headers leading to invalid or misleading HTTP response messages. Depending on the server setup, this can be a building block for severe attacks.

To mitigate this issue, Akka HTTP now discards outgoing headers containing line terminators and logs a warning. Users are encouraged to be on the watch when creating headers (or any kind of outgoing data) from unvalidated user input as this is a common vector for different kinds of attacks.

Please update as soon as possible.

Please subscribe to https://groups.google.com/g/akka-security to receive high-importance, low-frequency updates about security issues in Akka projects. Security issues can be reported to security@lightbend.com.

Changes

akka-http-core

  • Limit comment nesting in header parser#3924
  • Discard outgoing headers containing line breaks #3922
  • Avoid calling numConnectedSlots when possible #3904
  • Simplify HeaderCompression #3871
  • End HTTP/2 stream with empty DATA rather than empty HEADERS #3913

Credits

The complete list of closed issues can be found on the 10.2.7 milestone on GitHub. For this release we had the help of 4 contributors – thank you all very much!

commits  added  removed
     10    393       84 Johannes Rudolph
      2     45        1 Arnout Engelen
      1     25       25 Matt Kohl
      1      2        1 brharrington

Akka by Lightbend

The Akka core team is employed by Lightbend. If you’re looking to take your Akka systems to the next level, let’s set up a time to discuss our enterprise-grade expert support, self-paced education courses, and technology enhancements that help you manage, monitor and secure your Akka systems - from development to production.

Happy hakking!

– The Akka Team

1 Like