Dear hakkers, This is to announce the immediate availability of a security patch release, addressing a potential security issue with Java deserialization. An attacker that can connect to an ActorSystem exposed via Akka Remote over TCP can gain remote code execution capabilities in the context of the JVM process that runs the ActorSystem if:
- JavaSerializer is enabled (default in Akka 2.4.x) - and TLS is disabled or TLS is enabled with akka.remote.netty.ssl.security.require-mutual-authentication = false (which is still the default in Akka 2.4.x) - regardless of whether untrusted mode is enabled or not To protect against such attacks the system should be updated to Akka 2.4.17 and be configured with disabled Java serializer <http://doc.akka.io/docs/akka/2.4/scala/remoting.html#disable-java-serializer-scala>. Additional protection can be achieved when running in an untrusted network by enabling TLS with mutual authentication <http://doc.akka.io/docs/akka/2.4/scala/remoting.html#remote-tls-scala>. The vulnerability was brought to our attention by Alvaro Munoz & Adrian Bravo whom we'd like to thank for their thorough investigation and following our security process <http://doc.akka.io/docs/akka/2.4/security/index.html#Reporting_Vulnerabilities> . Further details are explained in security announcements section <http://doc.akka.io/docs/akka/2.4/security/2017-02-10-java-serialization.html> in the Akka documentation. The release also includes a few other improvements and bug fixes, such as: - Cluster Sharding with remember entities doesn’t recover properly after snapshot, #22246 <https://github.com/akka/akka/issues/22246> - Scala 2.12 serialization of Props, #22041 <https://github.com/akka/akka/issues/22041> - Improvements of header compression in Artery, #22139 <https://github.com/akka/akka/pull/22139> - Improvements of latency when inbound-lanes > 1 in Artery, #21365 <https://github.com/akka/akka/issues/21365> Credits A total 20 issues were closed since 2.4.16. The complete list of closed issues can be found on the 2.4.17 <https://github.com/akka/akka/milestone/101?closed=1> milestones on github. For this release we had the help of 9 committers – thank you all very much! Credits: commits added removed 7 125 21 Patrik Nordwall 5 228 89 Johannes Rudolph 4 1435 484 Konrad Malawski 3 82 8 Johan Andrén 2 119 5 Konrad Malawski 1 19 1 Damien Bailly 1 3 4 Kirill Plyashkevich 1 2 2 Jeroen Gordijn 1 1 1 IanGrima Happy hakking! – The Akka Team -- >>>>>>>>>> Read the docs: http://akka.io/docs/ >>>>>>>>>> Check the FAQ: >>>>>>>>>> http://doc.akka.io/docs/akka/current/additional/faq.html >>>>>>>>>> Search the archives: https://groups.google.com/group/akka-user --- You received this message because you are subscribed to the Google Groups "Akka User List" group. To unsubscribe from this group and stop receiving emails from it, send an email to akka-user+unsubscr...@googlegroups.com. To post to this group, send email to akka-user@googlegroups.com. Visit this group at https://groups.google.com/group/akka-user. For more options, visit https://groups.google.com/d/optout.
