As an outcome of Snowplow's recent penetration test, a CVE was identified in a popular Scala library (akka-http).
CVE-2021-42697: a stack overflow while parsing a User-Agent header with deeply nested comments is a potential Denial of Service attack vector for collectors.
It is recommended all deployments upgrade to at least v2.4.3 of the Snowplow Collector.
We have upgraded akka-http to a fixed version (10.2.7) to resolve this CVE.
2.4.3 images can be pulled from Docker Hub.
For the full list of changes and jar files, see the release notes on Github.
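An added example of a defensive pre-check, not Snowplow or akka-http code: an iterative scan of the User-Agent header that measures comment nesting depth without recursion, so a front proxy or collector wrapper can reject pathological headers before they reach a recursive parser. The depth limit and the sample headers are assumptions constructed for this example.

```python
"""Iterative (non-recursive) depth check for RFC 7231 User-Agent comments.

Added example for a front-end filter; not Snowplow or akka-http code.
"""

MAX_COMMENT_DEPTH = 8  # assumed policy limit; real UAs rarely nest beyond 2-3


def user_agent_comment_depth(header: str) -> int:
    """Return the maximum nesting depth of parenthesised comments.

    Scans the header once with a counter instead of recursion, so the
    check itself cannot overflow the stack on pathological input.
    Backslash-quoted characters inside comments (quoted-pair, RFC 7230)
    are skipped so that '\\(' does not count as a nested comment.
    Raises ValueError on unbalanced parentheses.
    """
    depth = 0
    max_depth = 0
    i = 0
    n = len(header)
    while i < n:
        ch = header[i]
        if depth > 0 and ch == "\\":
            i += 2  # skip the quoted-pair
            continue
        if ch == "(":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == ")":
            if depth == 0:
                raise ValueError("unbalanced ')' in User-Agent")
            depth -= 1
        i += 1
    if depth != 0:
        raise ValueError("unterminated comment in User-Agent")
    return max_depth


def is_user_agent_acceptable(header: str, limit: int = MAX_COMMENT_DEPTH) -> bool:
    """True if the header is well-formed and nests comments no deeper than `limit`."""
    try:
        return user_agent_comment_depth(header) <= limit
    except ValueError:
        return False


# Constructed sample headers (not captured traffic).
SAMPLE_HEADERS = {
    "browser": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)",
    "quoted_pair": "bot/1.0 (comment with \\( escaped paren)",
    "deep": "probe/1.0 " + "(" * 5000 + ")" * 5000,  # pathological nesting
    "unbalanced": "bad/1.0 (((",
}

if __name__ == "__main__":
    for name, ua in SAMPLE_HEADERS.items():
        print(f"{name:12s} accept={is_user_agent_acceptable(ua)}")
```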