CVE-2017-1000034 (High) detected in multiple libraries - autoclosed #404

mend-for-github.lhy31512.workers.dev · 2021-11-03T13:12:19Z

CVE-2017-1000034 - High Severity Vulnerability

Vulnerable Libraries - akka-actor_2.11-2.3.14.jar, akka-actor_2.11-2.3.13.jar, akka-actor_2.11-2.3.2.jar, akka-actor_2.11-2.3.4.jar, akka-actor_2.11-2.3.11.jar, akka-actor_2.11-2.4.2.jar

akka-actor_2.11-2.3.14.jar

akka-actor

Library home page: http://akka.io/

Path to dependency file: /dd-java-agent/instrumentation/spray-1.3/spray-1.3.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/com.typesafe.akka/akka-actor_2.11/2.3.14/1c5fe519aae8739be32001ace0dee7a6834d3942/akka-actor_2.11-2.3.14.jar

Dependency Hierarchy:

❌ akka-actor_2.11-2.3.14.jar (Vulnerable Library)

akka-actor_2.11-2.3.13.jar

akka-actor

Library home page: http://akka.io/

Path to dependency file: /dd-smoke-tests/play-2.4/play-2.4.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.typesafe.akka/akka-actor_2.11/2.3.13/2d3611639ec786bd963709f210cb9c5cf7cd985e/akka-actor_2.11-2.3.13.jar

Dependency Hierarchy:

play_2.11-2.4.11.jar (Root Library)
- ❌ akka-actor_2.11-2.3.13.jar (Vulnerable Library)

akka-actor_2.11-2.3.2.jar

akka-actor

Library home page: http://akka.io/

Path to dependency file: /dd-java-agent/instrumentation/akka-init/akka-init.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/com.typesafe.akka/akka-actor_2.11/2.3.2/27c4ed3e33dcd030e138c2c02fc68e84a41bbb36/akka-actor_2.11-2.3.2.jar

Dependency Hierarchy:

❌ akka-actor_2.11-2.3.2.jar (Vulnerable Library)

akka-actor_2.11-2.3.4.jar

akka-actor

Library home page: http://akka.io/

Path to dependency file: /dd-java-agent/instrumentation/play-2.3/play-2.3.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.typesafe.akka/akka-actor_2.11/2.3.4/a6503e1dd0c91ee793517a7b07747ad2c3341848/akka-actor_2.11-2.3.4.jar

Dependency Hierarchy:

play-java-ws_2.11-2.3.10.jar (Root Library)
- play_2.11-2.3.10.jar
  - ❌ akka-actor_2.11-2.3.4.jar (Vulnerable Library)

akka-actor_2.11-2.3.11.jar

akka-actor

Library home page: http://akka.io/

Path to dependency file: /dd-java-agent/instrumentation/play-2.4/play-2.4.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.typesafe.akka/akka-actor_2.11/2.3.11/5a3da894879253c96950d8b9687ad72a1400bbf4/akka-actor_2.11-2.3.11.jar

Dependency Hierarchy:

play_2.11-2.4.0.jar (Root Library)
- ❌ akka-actor_2.11-2.3.11.jar (Vulnerable Library)

akka-actor_2.11-2.4.2.jar

akka-actor

Library home page: http://akka.io/

Path to dependency file: /dd-java-agent/instrumentation/play-2.4/play-2.4.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.typesafe.akka/akka-actor_2.11/2.4.2/dae4f1a7ddfd0a14361f1a5ac79d19b4ad68712b/akka-actor_2.11-2.4.2.jar

Dependency Hierarchy:

play-java_2.11-2.5.0.jar (Root Library)
- play_2.11-2.5.0.jar
  - ❌ akka-actor_2.11-2.4.2.jar (Vulnerable Library)

Found in HEAD commit: 2819174635979a19573ec0ce8e3e2b63a3848079

Found in base branch: master

Vulnerability Details

Akka versions <=2.4.16 and 2.5-M1 are vulnerable to a java deserialization attack in its Remoting component resulting in remote code execution in the context of the ActorSystem.

Publish Date: 2017-07-17

URL: CVE-2017-1000034

CVSS 3 Score Details (8.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-1000034

Release Date: 2017-07-13

Fix Resolution (com.typesafe.akka:akka-actor_2.11): 2.4.11.2

Direct dependency fix Resolution (com.typesafe.play:play_2.11): 2.5.10

Fix Resolution (com.typesafe.akka:akka-actor_2.11): 2.4.11.2

Direct dependency fix Resolution (com.typesafe.play:play-java-ws_2.11): 2.5.10

Fix Resolution (com.typesafe.akka:akka-actor_2.11): 2.4.11.2

Direct dependency fix Resolution (com.typesafe.play:play_2.11): 2.5.10

Fix Resolution (com.typesafe.akka:akka-actor_2.11): 2.4.11.2

Direct dependency fix Resolution (com.typesafe.play:play-java_2.11): 2.5.10

⛑️ Automatic Remediation is available for this issue

mend-for-github.lhy31512.workers.dev bot added the Mend: dependency security vulnerability Security vulnerability detected by WhiteSource label Nov 3, 2021

This was referenced Apr 18, 2022

Update dependency com.typesafe.play:play_2.11 - autoclosed #514

Closed

Update dependency com.typesafe.play:play-java_2.11 to v2.6.0-M1 - autoclosed #531

Closed

This was referenced May 5, 2022

Update dependency com.typesafe.play:play_2.11 - abandoned #584

Open

Update dependency com.typesafe.play:play-java_2.11 to v2.6.0 - abandoned #601

Open

mend-for-github.lhy31512.workers.dev bot mentioned this issue Mar 27, 2023

Update dependency com.typesafe.akka:akka-actor_2.11 - autoclosed #736

Closed

1 task

mend-for-github.lhy31512.workers.dev bot changed the title ~~CVE-2017-1000034 (High) detected in multiple libraries~~ CVE-2017-1000034 (High) detected in multiple libraries - autoclosed Jun 20, 2023

mend-for-github.lhy31512.workers.dev bot closed this as completed Jun 20, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2017-1000034 (High) detected in multiple libraries - autoclosed #404

CVE-2017-1000034 (High) detected in multiple libraries - autoclosed #404

mend-for-github.lhy31512.workers.dev bot commented Nov 3, 2021 •

edited

Loading

CVE-2017-1000034 (High) detected in multiple libraries - autoclosed #404

CVE-2017-1000034 (High) detected in multiple libraries - autoclosed #404

Comments

mend-for-github.lhy31512.workers.dev bot commented Nov 3, 2021 • edited Loading

CVE-2017-1000034 - High Severity Vulnerability

mend-for-github.lhy31512.workers.dev bot commented Nov 3, 2021 •

edited

Loading