Akka CVE-2023-33251

Ashley_Taylor · October 24, 2023, 1:35pm

Hi,

A recent security check has flagged akka-http/10.2.7 with the following CVE

Any updates on when a new version will be released ?

Also i would like to suppress the headers that presents the akka version to the browser. I can see the topic here Disable akka-http version being returned, however i cant see away through IaC to add this. I am reluctant to do anything manually as autoscaling/rebuilding will just remove the change. Can someone point me in the right direction ?

FYI we are running in AWS self hosted using the Terraform modules provided by Snowplow.

stanch · October 24, 2023, 1:49pm

Hi @Ashley_Taylor,

We are not using FileUploadDirectives in the Collector, so I believe we are not impacted by this vulnerability.

As a side note, we are working on a new version of the Collector that does not use Akka HTTP — stay tuned for a release in the next weeks

Ashley_Taylor · October 24, 2023, 3:14pm

Cheers @stanch thats good to know.

Any ideas on how to suppress the version header without manually changing it ?

Topic		Replies	Views
IMPORTANT NOTICE: Upgrade collectors to fix CVE-2021-42697 in akka-http Security advisories	1	1229	December 16, 2021
Disable akka-http version being returned Collectors	3	1192	December 10, 2020
Akka licensing and fees	6	1249	September 14, 2022
Collector 3.0.0 New releases	0	515	January 8, 2024
Akka License Change Announcements	1	1580	September 14, 2022

Akka CVE-2023-33251

Related topics