Vulnerabilities > CVE-2017-1000034 - Deserialization of Untrusted Data vulnerability in Akka

CVSS 9.3 - CRITICAL

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

akka

CWE-502

critical

NVD

Published: 2017-07-17

Updated: 2017-08-04

Summary

Akka versions <=2.4.16 and 2.5-M1 are vulnerable to a java deserialization attack in its Remoting component resulting in remote code execution in the context of the ActorSystem.

Vulnerable Configurations

Part	Description	Count
Application	Akka Akka Akka 0.5 Akka Akka 0.6 Akka Akka 0.7 Akka Akka 0.7.1 Akka Akka 0.8 Akka Akka 0.8.1 Akka Akka 0.9 Akka Akka 0.9.1 Akka Akka 0.10 Akka Akka 1.0 Akka Akka 1.1 Akka Akka 1.1.1 Akka Akka 1.1.2 Akka Akka 1.1.3 Akka Akka 1.2 Akka Akka 1.3 Akka Akka 1.3.1 Akka Akka 2.0 Akka Akka 2.0.1 Akka Akka 2.0.2 Akka Akka 2.0.3 Akka Akka 2.0.4 Akka Akka 2.0.5 Akka Akka 2.1.0 Akka Akka 2.1.1 Akka Akka 2.1.2 Akka Akka 2.1.3 Akka Akka 2.1.4 Akka Akka 2.2.0 Akka Akka 2.2.1 Akka Akka 2.2.2 Akka Akka 2.2.3 Akka Akka 2.2.4 Akka Akka 2.2.5 Akka Akka 2.3.0 Akka Akka 2.3.1 Akka Akka 2.3.2 Akka Akka 2.3.3 Akka Akka 2.3.4 Akka Akka 2.3.5 Akka Akka 2.3.6 Akka Akka 2.3.7 Akka Akka 2.3.8 Akka Akka 2.3.9 Akka Akka 2.3.10 Akka Akka 2.3.11 Akka Akka 2.3.12 Akka Akka 2.3.13 Akka Akka 2.3.15 Akka Akka 2.3.16 Akka Akka 2.4.0 Akka Akka 2.4.1 Akka Akka 2.4.2 Akka Akka 2.4.3 Akka Akka 2.4.4 Akka Akka 2.4.5 Akka Akka 2.4.6 Akka Akka 2.4.7 Akka Akka 2.4.8 Akka Akka 2.4.9 Akka Akka 2.4.10 Akka Akka 2.4.11 Akka Akka 2.4.11.1 Akka Akka 2.4.12 Akka Akka 2.4.13 Akka Akka 2.4.14 Akka Akka 2.4.15 Akka Akka 2.4.16 Akka Akka 2.5	69

Common Weakness Enumeration (CWE)

CWE-502 - Deserialization of Untrusted Data

References

http://doc.akka.io/docs/akka/2.4/security/2017-02-10-java-serialization.html