Lucene search
Veracode Vulnerability DatabaseVERACODE:4577HistoryJul 17, 2017 - 4:39 p.m.
Insecure Defaults
2017-07-1716:39:26
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
6
0.043 Low
EPSS
Percentile
92.3%
akka-actor has insecure defaults. An attacker can leverage an ActorSystem exposed over TCP to perform Java deserialization attacks. By default Java deserialization is enabled and the documentation wasn’t complete on how to disable the function.These attacks can be performed if the ActorSystem has JavaSerializer enabled, if TLS is disabled or is enabled through akka.remote.netty.ssl.security.require-mutual-authentication = false, or if TLS is enabled with mutual authentication and a set of authentication keys for a host have been compromised.
| CPE | Name | Operator | Version |
|---|---|---|---|
| akka-actor | eq | 2.5-M1 | |
| akka-actor | le | 2.4.16 | |
| akka-actor | eq | 2.5-M1 | |
| akka-actor | le | 2.4.16 | |
| akka-remote | eq | 2.5-M1 | |
| akka-remote | le | 2.4.16 |
Related
redhatcve
redhatcve
CVE-2017-1000034
2017-08-24 15:48:34
osv
osv
Akka Java Serialization vulnerability
2018-10-22 20:52:38
CVE-2017-1000034
2017-07-17 13:18:17
cve
cve
CVE-2017-1000034
2017-07-17 13:18:17
prion
prion
Deserialization of untrusted data
2017-07-17 13:18:00
ibm
ibm
github
github
Akka Java Serialization vulnerability
2018-10-22 20:52:38
nvd
nvd
CVE-2017-1000034
2017-07-17 13:18:17
cvelist
cvelist
CVE-2017-1000034
2017-07-13 20:00:00