IMPORTANT NOTICE: Upgrade collectors to fix CVE-2021-42697 in akka-http

As an outcome of Snowplow's recent penetration test, a CVE was identified in a popular Scala library (akka-http).

CVE-2021-42697: Stack overflow while parsing User-Agent header with deeply nested comments is a potential Denial of Service attack vector for collectors.

It is recommended that all deployments upgrade to at least v2.4.3 of the Snowplow Collector.

We have upgraded akka-http to a fixed version (10.2.7) to resolve this CVE.
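As an added example (not Snowplow's or akka-http's code), the following Python scans request log lines for a User-Agent header whose comment nesting depth is abnormal, which is the condition behind this CVE. The scan is iterative so the check itself cannot be driven into a stack overflow; the log line format, the client IP field and the depth threshold are assumptions.

```python
import re

# Constructed sample log lines (not from the original post). The format is assumed to be:
#   <client-ip> "<method> <path>" <status> "<user-agent>"
SAMPLE_LOG = [
    '10.0.0.1 "GET /i" 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"',
    '10.0.0.2 "GET /i" 200 "curl/7.79.1"',
    '10.0.0.3 "GET /i" 200 "probe/1.0 ' + '(' * 40 + 'x' + ')' * 40 + '"',
]

LOG_RE = re.compile(r'^(\S+) "[^"]*" (\d{3}) "(?P<ua>.*)"$')

# Assumed threshold: legitimate User-Agent comments rarely nest more than two or three levels.
MAX_COMMENT_DEPTH = 8


def max_comment_depth(user_agent: str) -> int:
    """Return the deepest nesting of '(...)' comments in a User-Agent value.

    The loop is iterative and O(n) in the header length, so this check does not
    recurse and is not exposed to the stack-overflow problem fixed in akka-http 10.2.7.
    Backslash quoted-pairs inside a comment are skipped so an escaped parenthesis
    does not alter the computed depth.
    """
    depth = max_depth = 0
    i = 0
    while i < len(user_agent):
        ch = user_agent[i]
        if ch == "\\" and depth > 0:
            i += 2  # skip the escaped character inside a comment
            continue
        if ch == "(":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == ")" and depth > 0:
            depth -= 1
        i += 1
    return max_depth


def find_suspicious(lines, threshold=MAX_COMMENT_DEPTH):
    """Return (client_ip, depth) for every log line whose User-Agent nests comments deeper than threshold."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # line does not match the assumed format; skip it
        depth = max_comment_depth(m.group("ua"))
        if depth > threshold:
            hits.append((m.group(1), depth))
    return hits


if __name__ == "__main__":
    for ip, depth in find_suspicious(SAMPLE_LOG):
        print(f"{ip}: User-Agent comment depth {depth} exceeds {MAX_COMMENT_DEPTH}")
```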

Upgrading

2.4.3 images can be pulled from Docker Hub.

For the full list of changes and jar files, see the release notes on GitHub.
