Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2018-8292 on Akka.Streams and Akka.Remote #7191

Closed
3 tasks done
Arkatufus opened this issue May 21, 2024 · 5 comments
Closed
3 tasks done

CVE-2018-8292 on Akka.Streams and Akka.Remote #7191

Arkatufus opened this issue May 21, 2024 · 5 comments
Labels
akka-remote akka-streams
Milestone
1.5.22

Comments

@Arkatufus
Copy link
Contributor

Arkatufus commented May 21, 2024
edited
Loading

CVE report: https://nvd.nist.gov/vuln/detail/cve-2018-8292

Currently, Akka.Streams and Akka.Remote are affected by this CVE due to transitive dependencies to System.Net.Http and Reactive.Streams. Note that anything that references .NET Standard 1.6 will be affected by this CVE.

Things that need to be done to correct this:

  • Fork the defunct Reactive.Streams repo into akkadotnet repo
  • Modernize the forked Reactive.Streams repo
  • Update Akka.Remote Dotnetty reference to 0.7.6
@Arkatufus Arkatufus mentioned this issue May 21, 2024
Open
5 tasks
@Aaronontheweb
Copy link
Member

FWIW, this is a dumb CVE that doesn't even have any real exposure in Akka.NET - it all stems from calls in System.Net.Http, which we don't use anywhere in the framework.

@Aaronontheweb Aaronontheweb added this to the 1.5.21 milestone May 22, 2024
@Aaronontheweb
Copy link
Member

What blows my mind is that CodeQL hasn't even detected on this on any of the hundreds of PRs its scanned since this CVE was filed - guess it's because we're not adding it in a new PR?

@Arkatufus
Copy link
Contributor Author

Probably because CodeQL only scans the dependency graph 1 layer deep, it doesn't do a full dependency graph scan.

@Arkatufus Arkatufus mentioned this issue May 23, 2024
Merged
@Aaronontheweb Aaronontheweb modified the milestones: 1.5.21, 1.5.22 May 28, 2024
@Arkatufus
Copy link
Contributor Author

We just need to bump Reactive.Streams to 1.0.3 and we should be golden

@Aaronontheweb
Copy link
Member

Resolved via #7213

@Aaronontheweb Aaronontheweb mentioned this issue Jun 3, 2024
Open
@Arkatufus Arkatufus mentioned this issue Jun 3, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
akka-remote akka-streams
Projects
None yet
Milestone
1.5.22
Development

No branches or pull requests
2 participants
@Aaronontheweb @Arkatufus