Headline
CVE-2021-42697: Stack overflow while parsing User-Agent header with deeply nested comments • Akka HTTP
Akka HTTP 10.1.x before 10.1.15 and 10.2.x before 10.2.7 can encounter stack exhaustion while parsing HTTP headers, which allows a remote attacker to conduct a Denial of Service attack by sending a User-Agent header with deeply nested comments.
Date
2021-11-02
CVE
CVE-2021-42697
Description of Vulnerability
The HTTP specification allows arbitrary nesting of comment elements in User-Agent and other headers. While parsing a request containing a User-Agent header with deeply nested comments, Akka HTTP may fail with a stack overflow in the parser. Stack overflows are handled as fatal errors in Akka leading to a complete shutdown of the application.
Severity
Based on our assessment, the CVSS score of this vulnerability is 6.7, using the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C.
Impact
An Akka HTTP application server which is exposed to the internet can be remotely crashed by sending a crafted User-Agent header leading to a loss of availability.
Resolution
Starting from Akka HTTP 10.2.7, parsing of nested comments will be limited to a configurable maximum depth. See akka.http.parsing.max-comment-parsing-depth in the configuration for more information. The default value for that setting is currently conservatively set to 5.
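To illustrate the depth-limiting approach this fix takes, here is an added example (not Akka HTTP's own parser): an iterative scan of RFC 7230 comment nesting in header values that refuses input beyond a configured depth, using the advisory's default of 5, plus a check run over a few constructed User-Agent header lines.

```python
# Added example (not Akka HTTP code): iterative, depth-bounded scan of RFC 7230 comments in headers.
from dataclasses import dataclass

DEFAULT_MAX_COMMENT_DEPTH = 5  # default of akka.http.parsing.max-comment-parsing-depth per the advisory

@dataclass
class CommentScan:
    deepest: int  # deepest nesting level reached (0 if no comment)
    ok: bool      # False if the limit was exceeded or comments are unbalanced
    reason: str

def scan_comments(value: str, max_depth: int = DEFAULT_MAX_COMMENT_DEPTH) -> CommentScan:
    """Count nesting with an integer, not recursion, so input shape cannot grow the call stack."""
    depth = deepest = i = 0
    while i < len(value):
        ch = value[i]
        if depth > 0 and ch == "\\":
            i += 2  # quoted-pair inside a comment: '\\(' and '\\)' do not change depth
            continue
        if ch == "(":
            depth += 1
            deepest = max(deepest, depth)
            if depth > max_depth:
                return CommentScan(deepest, False, f"nesting exceeds {max_depth}")
        elif ch == ")":
            if depth == 0:
                return CommentScan(deepest, False, "')' outside any comment")
            depth -= 1
        i += 1
    if depth:
        return CommentScan(deepest, False, "unterminated comment")
    return CommentScan(deepest, True, "ok")

def flag_user_agents(raw_headers, max_depth=DEFAULT_MAX_COMMENT_DEPTH):
    """Return (value, reason) for each User-Agent header line that fails the scan."""
    flagged = []
    for line in raw_headers:
        name, _, val = line.partition(":")
        res = scan_comments(val.strip(), max_depth)
        if name.strip().lower() == "user-agent" and not res.ok:
            flagged.append((val.strip(), res.reason))
    return flagged

SAMPLE_HEADERS = [  # constructed sample request lines, not captured traffic
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko)",
    "Accept: */*",
    "User-Agent: probe/0.1 " + "(" * 6 + "x" + ")" * 6,
    "User-Agent: tool/2.0 (unterminated",
]
```

Because the depth is a counter rather than a recursion level, the scan's stack use is constant regardless of how many comments the value nests; the limit then bounds the work a single header can cause.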
Workaround
Set akka.http.server.parsing.modeled-header-parsing = off to avoid parsing headers to models. In this case, Akka HTTP will report most headers as RawHeaders. This will likely have consequences for downstream user code which expects headers to be already parsed.
Affected versions
- All akka-http versions prior to 10.2.6
Fixed versions
- akka-http 10.2.7, 10.1.15
Acknowledgements
Thanks to Simone Quatrini of SureCloud for bringing this issue to our attention.
References
- #3918