LazyList is not used in any of the Akka modules as a message, but if:
Your application uses Java serialization for your messages (disabled by default since Akka 2.6.0 and not recommended)
and you use LazyList as a message itself or a field in your messages sent between nodes and configured to allow deserializing with Java serialization (a relatively strange/unlikely type to use as messages)
and have a cluster where an untrusted party would be allowed to connect to the cluster/Akka Remoting ports (also not recommended)
you could be at risk.
Making sure to update to Scala 2.13.9 seems like a good idea regardless.
We don't use LazyList in our application either. Nevertheless, we are planning to update to scala-library 2.13.9.
But I see scala-library 2.13.8 as the compile dependency for these Akka modules. To force 2.13.9, I can override this dependency in our application pom.xml. But is this a recommended option? If not, will there be a new Akka version released to use scala-library 2.13.9?
This is generally correct, but I would argue one point here.
The application does not need to be using LazyList at all. Any object being deserialized with Java deserialization when a vulnerable version of Scala is on the classpath is vulnerable.
This is because the expected object can be substituted with a serialized LazyList object, leading to the gadget chain.
I am attempting to work with Mitre to update the language in the description to reflect this.
However, as noted, it is still required that Java deserialization is being used and the object is able to be controlled by the attacker. Neither of these should normally be happening regardless of this vulnerability.
Source: I am the researcher who discovered the gadget chain.
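The point made above, that the cast an application performs after readObject() offers no protection because the whole object graph has already been rebuilt by then, is easiest to see in code. The following is an added example, not code from this thread or from Akka: a small Java class with a made-up application message type (Message) and a JEP 290 ObjectInputFilter allowlist. A plain java.util.ArrayList stands in for the unexpected class an attacker would substitute for the expected Message; the actual LazyList gadget is deliberately not reproduced here.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

/**
 * Added example: shows that "(Message) in.readObject()" checks the type only after
 * deserialization has completed, and how an ObjectInputFilter rejects unexpected
 * classes before they are instantiated. Not Akka code.
 */
public final class FilteredMessageReader {

    /** Stand-in for an application's own message type (assumption for this example). */
    public static final class Message implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Message(String text) { this.text = text; }
    }

    /** Classes permitted in the stream. Anything else, e.g. a Scala LazyList, is rejected. */
    private static final Set<String> ALLOWED = Set.of(
        Message.class.getName(),
        "java.lang.String"
    );

    private static final ObjectInputFilter ALLOWLIST = info -> {
        Class<?> c = info.serialClass();
        if (c == null) {
            // Called for depth/reference/array-length checks that carry no class; let those proceed.
            return ObjectInputFilter.Status.UNDECIDED;
        }
        // Arrays are reported as the array class; judge the component type instead.
        while (c.isArray()) {
            c = c.getComponentType();
        }
        if (c.isPrimitive() || ALLOWED.contains(c.getName())) {
            return ObjectInputFilter.Status.ALLOWED;
        }
        // Rejection happens while the class descriptor is read, before any object is constructed.
        return ObjectInputFilter.Status.REJECTED;
    };

    /** Unsafe: the ClassCastException arrives only after the graph (gadgets included) was rebuilt. */
    public static Message readUnfiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return (Message) in.readObject();
        }
    }

    /** Filtered: the allowlist is consulted per class before instantiation. */
    public static Message readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(ALLOWLIST);
            return (Message) in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Message("hello"));
        System.out.println("filtered, expected type: " + readFiltered(expected).text);

        // Constructed input: a harmless unexpected class substituted for the expected Message.
        byte[] substituted = serialize(new ArrayList<>(List.of("not a Message")));
        try {
            readUnfiltered(substituted);
        } catch (ClassCastException e) {
            System.out.println("unfiltered: object was fully deserialized, cast failed afterwards");
        }
        try {
            readFiltered(substituted);
        } catch (InvalidClassException e) {
            System.out.println("filtered: rejected before instantiation: " + e.getMessage());
        }
    }
}
```

The filter can also be installed process-wide with the jdk.serialFilter system property instead of per stream. In an Akka application the first line of defence remains the one mentioned earlier in the thread: leave akka.actor.allow-java-serialization off (the default since 2.6) so that no message is ever read through ObjectInputStream at all.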
Bumping the dependency in your own project without a new Akka release should be no problem, @gwaskarthik.
Given that we do not recommend Java serialization at all, I'm not sure we will do a 2.6 release just for the Scala upgrade; however, the upcoming Akka 2.7 will definitely bump Scala to 2.13.9.
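For the override that @gwaskarthik asks about and the maintainer confirms is fine, the following is an added pom.xml fragment (not from this thread or from Akka). A version declared under dependencyManagement takes precedence over the version a transitive dependency such as an Akka module would otherwise bring in, so scala-library is resolved to 2.13.9 without touching the Akka coordinates; the surrounding project layout is assumed.

```xml
<!-- Added example: pin scala-library ahead of the 2.13.8 pulled in transitively by Akka modules -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.scala-lang</groupId>
      <artifactId>scala-library</artifactId>
      <version>2.13.9</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```

After the change, check the resolved version with mvn dependency:tree -Dincludes=org.scala-lang:scala-library; the tree should show a single scala-library:2.13.9 with no remaining 2.13.8 entry.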