akka-actor has insecure defaults. An attacker can leverage an ActorSystem exposed over TCP to perform Java deserialization attacks. By default, Java deserialization is enabled, and the documentation was not complete on how to disable it. These attacks can be performed if the ActorSystem has JavaSerializer enabled and one of the following holds: TLS is disabled; TLS is enabled with akka.remote.netty.ssl.security.require-mutual-authentication = false; or TLS is enabled with mutual authentication and the authentication keys of a host have been compromised.
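The hardened settings that close off the conditions listed above, shown as an added example (not configuration from the advisory or the Akka project): the exposed state is quoted in comments for comparison, and the hardened block disables JavaSerializer, binds remote message types to an explicit serializer, and requires mutual TLS. The allow-java-serialization and enabled-transports keys are not on the page and are assumed to be available in the reader's Akka version; class names, hostnames and key-store paths are placeholders.

```hocon
# --- Exposed state described in the advisory (do not deploy) -----------------
# akka.remote.enabled-transports = ["akka.remote.netty.tcp"]   # plain TCP
# akka.remote.netty.ssl.security.require-mutual-authentication = false
# JavaSerializer left enabled by default.
#
# --- Hardened configuration (added example) ----------------------------------
akka {
  actor {
    # Refuse Java serialization entirely; this is the primary fix.
    # Assumed to be present in the reader's Akka version.
    allow-java-serialization = off

    # Log every message that would still fall back to JavaSerializer,
    # so leftover bindings surface during the migration.
    warn-about-java-serializer-usage = on

    # Bind each remotely exchanged message type to a non-Java serializer.
    # Serializer id and class names are placeholders.
    serializers {
      my-proto = "com.example.MyProtobufSerializer"
    }
    serialization-bindings {
      "com.example.protocol.Command" = my-proto
      "com.example.protocol.Event"   = my-proto
    }
  }

  remote {
    # Only the TLS transport is enabled; the plain TCP transport is not listed.
    enabled-transports = ["akka.remote.netty.ssl"]
    netty.ssl {
      hostname = "node1.example.internal"   # placeholder
      port     = 2552
      security {
        key-store   = "/etc/akka/node1.jks"   # placeholder path
        trust-store = "/etc/akka/trust.jks"   # placeholder path
        # Secrets come from the environment, not from the checked-in file.
        key-store-password   = ${?AKKA_KEYSTORE_PASSWORD}
        key-password         = ${?AKKA_KEY_PASSWORD}
        trust-store-password = ${?AKKA_TRUSTSTORE_PASSWORD}
        protocol = "TLSv1.2"
        enabled-algorithms = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
        # The advisory's weak value is false; true means only a peer holding
        # a key trusted by trust-store can open a connection at all.
        require-mutual-authentication = true
      }
    }
  }
}
```

With require-mutual-authentication = true, the remaining exposure is the last condition in the advisory (a compromised node key), which is a key-rotation and trust-store hygiene problem rather than a serializer problem.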
CPE

Name | Operator | Version
---|---|---
akka-actor | eq | 2.5-M1
akka-actor | le | 2.4.16
akka-remote | eq | 2.5-M1
akka-remote | le | 2.4.16