JS-2090

Replace akka.http 10.2.10 by Pekko 1.0 due to 3rd-party vulnerability issue CVE-2023-33251


Details

    • CVE-2023-33251

    Description

      Current Situation

      Impact
      We rate the impact on our software as low, because our implementation does not use akka.http for file uploads, which is the functionality affected according to the vulnerability report. In particular, the fileUploadAll method is not used.

      Workaround

      • The workaround stated in https://akka.io/security/akka-http-cve-2023-05-15.html applies: set the JAVA_OPTIONS environment variable so that java.io.tmpdir points to a private temporary directory, like this:
        • Agent
          JAVA_OPTIONS="-Djava.io.tmpdir=/var/sos-berlin.com/js7/agent/work/tmp"
          
        • Controller
          # create the temporary directory first, as it does not exist by default
          mkdir /var/sos-berlin.com/js7/controller/tmp
          JAVA_OPTIONS="-Djava.io.tmpdir=/var/sos-berlin.com/js7/controller/tmp"
          
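      The following shell snippet is an added example; it is not part of this issue or of the Akka advisory. The workaround only helps if the temporary directory is actually private: a plain mkdir inherits the process umask (commonly 022, which yields mode 0755), so the directory created for the Controller above would be listable by every local user unless its mode is tightened. The snippet creates the directory with mode 0700, verifies that the result is a directory owned by the current account with no group/other access, and prints the matching JAVA_OPTIONS value. The function names are made up for this example; the paths in the trailing comment are the ones from the workaround above and must be adapted to the actual JS7 installation.

```shell
# Added example, not from the JS7 issue or the Akka advisory.
# Prepares and checks the private temporary directory used for the
# java.io.tmpdir workaround. Function names are assumptions for this example.

# prepare_private_tmpdir DIR
# Creates DIR if it is missing, forces mode 0700 and verifies that DIR is a
# directory owned by the current user and not accessible to group/others.
# Returns 0 when DIR is private, 1 otherwise.
prepare_private_tmpdir() {
    dir=$1
    # mkdir alone inherits the umask (usually 022 -> 0755), which would leave
    # the directory listable by every local user; -m 700 fixes the mode at
    # creation time so there is no window with a world-readable directory.
    [ -d "$dir" ] || mkdir -p -m 700 "$dir" || return 1
    # Tighten a pre-existing directory as well (e.g. one created by plain mkdir).
    chmod 700 "$dir" || return 1
    # ls -ld is POSIX; the first ten characters are the file type and mode bits.
    mode=$(ls -ld "$dir" | cut -c1-10)
    [ "$mode" = "drwx------" ] || return 1
    # The directory must be owned by the account that runs the JVM
    # (numeric ids via ls -n / id -u, so this works without a passwd entry).
    owner=$(ls -ldn "$dir" | awk '{print $3}')
    [ "$owner" = "$(id -u)" ] || return 1
    return 0
}

# java_options_for DIR
# Prints the JAVA_OPTIONS value used by the workaround for DIR.
java_options_for() {
    printf '%s\n' "-Djava.io.tmpdir=$1"
}

# Usage for the Controller, with the path from the workaround (adapt as needed):
#   CTRL_TMP=/var/sos-berlin.com/js7/controller/tmp
#   prepare_private_tmpdir "$CTRL_TMP" && export JAVA_OPTIONS="$(java_options_for "$CTRL_TMP")"
```

      Run the function as the service account that starts the Agent or Controller, since the ownership check compares against the current user; if it returns 1, do not start the JVM with that directory.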

      Desired Behavior

      • akka.http version 10.5.2 is available and fixes the vulnerability. However, this release of Akka is not compatible with the GPLv3 open source license, see Business Source License 1.1
      • Akka is replaced by Pekko that fixes the vulnerability, see JS-2095

            People

              Joacim Zschimmer
              Andreas Püschel
              Kanika Agrawal