CVE-2017-1000034 (High) detected in akka-actor_2.11-2.3.13.jar

[mend-for-github-com[bot]]

CVE-2017-1000034 - High Severity Vulnerability

Vulnerable Library - akka-actor_2.11-2.3.13.jar

akka-actor

Library home page: http://akka.io/

Path to dependency file: /samples/client/petstore/java/retrofit2-play24/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.typesafe.akka/akka-actor_2.11/2.3.13/2d3611639ec786bd963709f210cb9c5cf7cd985e/akka-actor_2.11-2.3.13.jar

Dependency Hierarchy:

• play-java-ws_2.11-2.4.11.jar (Root Library)
  • play_2.11-2.4.11.jar
    • :x: akka-actor_2.11-2.3.13.jar (Vulnerable Library)

Found in HEAD commit: 4b7a8d7d7384aa6a27d6309c35ade0916edae7ed

Found in base branches: 3.0.0, master

Vulnerability Details

Akka versions <=2.4.16 and 2.5-M1 are vulnerable to a java deserialization attack in its Remoting component resulting in remote code execution in the context of the ActorSystem.

Publish Date: 2017-07-17

URL: CVE-2017-1000034

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-1000034

Release Date: 2017-07-17

Fix Resolution (com.typesafe.akka:akka-actor_2.11): 2.4.11.2

Direct dependency fix Resolution (com.typesafe.play:play-java-ws_2.11): 2.5.10

---

• [ ] Check this box to open an automated fix PR