Details
- Fix
- Status: Released
- Medium
- Resolution: Fixed
- 2.5.0, 2.6.0
- None
- CVE-2023-33251
Description
Current Situation
- Current JS7 releases make use of akka.http version 10.2.10
- A vulnerability affects this version,
Impact
We rate the impact on our software as low, since our implementation does not make use of akka.http for file upload as stated in the vulnerability report; in particular, the fileUploadAll method is not used.
Workaround
- The workaround stated at https://akka.io/security/akka-http-cve-2023-05-15.html applies: set the JAVA_OPTIONS environment variable to point to a private temporary directory, like this:
- Agent
  JAVA_OPTIONS="-Djava.io.tmpdir=/var/sos-berlin.com/js7/agent/work/tmp"
- Controller
  # consider creating the temporary directory, as it is not available by default
  mkdir /var/sos-berlin.com/js7/controller/tmp
  JAVA_OPTIONS="-Djava.io.tmpdir=/var/sos-berlin.com/js7/controller/tmp"
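The workaround above relies on the temporary directory really being private to the Agent/Controller user. The following added example (not code from the JS7 issue or product) creates that directory with owner-only permissions and verifies ownership, mode and that it is not a symlink before JAVA_OPTIONS is pointed at it; the paths are those from the issue, and it assumes it is run as the OS user that runs the Agent/Controller.

```shell
#!/bin/sh
# Added example, not part of the JS7 issue: prepare and verify the private
# JVM temp directory used by the java.io.tmpdir workaround.
# Assumes the script runs as the same OS user that runs the Agent/Controller.

# Return 0 only if DIR exists, is not a symlink, is owned by the current user
# and has mode 0700 (no group/other permission bits at all).
check_private_tmpdir() {
    dir="$1"
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        return 1
    fi
    # GNU stat first, BSD/macOS stat as fallback
    mode=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir")
    owner=$(stat -c '%u' "$dir" 2>/dev/null || stat -f '%u' "$dir")
    [ "$owner" = "$(id -u)" ] || return 1
    [ "$mode" = "700" ]
}

# Create DIR (parents included) with owner-only permissions, then re-check it.
# Refuses to operate on a symlink so the JVM cannot be redirected elsewhere.
prepare_private_tmpdir() {
    dir="$1"
    if [ -L "$dir" ]; then
        echo "refusing symlink: $dir" >&2
        return 1
    fi
    mkdir -p "$dir" && chmod 0700 "$dir" && check_private_tmpdir "$dir"
}

# Print the JAVA_OPTIONS value from the issue for a given private directory.
java_tmpdir_option() {
    printf '%s' "-Djava.io.tmpdir=$1"
}

# Usage for the Controller (the Agent works the same with its own path):
# prepare_private_tmpdir /var/sos-berlin.com/js7/controller/tmp \
#   && export JAVA_OPTIONS="$(java_tmpdir_option /var/sos-berlin.com/js7/controller/tmp)"
```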
Desired Behavior
- akka.http version 10.5.2 is available, which fixes the vulnerability. However, this release of Akka is not compatible with the GPLv3 open source license; see Business Source License 1.1.
- Akka is replaced by Pekko, which fixes the vulnerability, see JS-2095
Attachments
Issue Links
- requires JS-2095 Pekko replaces Akka (Released)