CVE-2018-8292 on Akka.Streams and Akka.Remote #7191

Closed · 3 tasks done
Arkatufus opened this issue May 21, 2024 · 5 comments

Comments

@Arkatufus
Contributor

Arkatufus commented May 21, 2024

CVE report: https://nvd.nist.gov/vuln/detail/cve-2018-8292

Currently, Akka.Streams and Akka.Remote are affected by this CVE due to transitive dependencies on System.Net.Http and Reactive.Streams. Note that anything that references .NET Standard 1.6 will be affected by this CVE.

Things that need to be done to correct this:

  • Fork the defunct Reactive.Streams repo into akkadotnet repo
  • Modernize the forked Reactive.Streams repo
  • Update Akka.Remote Dotnetty reference to 0.7.6
@Aaronontheweb
Member

FWIW, this is a dumb CVE that doesn't even have any real exposure in Akka.NET - it all stems from calls in System.Net.Http, which we don't use anywhere in the framework.

@Aaronontheweb Aaronontheweb added this to the 1.5.21 milestone May 22, 2024
@Aaronontheweb
Member

What blows my mind is that CodeQL hasn't even detected this on any of the hundreds of PRs it's scanned since this CVE was filed - guess it's because we're not adding it in a new PR?

@Arkatufus
Contributor Author

Probably because CodeQL only scans the dependency graph 1 layer deep; it doesn't do a full dependency graph scan.
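
The difference between a one-layer scan and a full walk of the restore graph, as an added example that is not code from the Akka.NET project or from this thread. It walks the `targets` section of a NuGet `obj/project.assets.json` from the project's direct `PackageReference`s down to every transitive package and reports each chain that ends at a flagged package; `max_depth=1` reproduces what a scanner that only looks at direct references would see. The graph and version numbers below are constructed for illustration (they are not taken from the issue), and the `< 4.3.4` predicate for System.Net.Http is an assumption standing in for real advisory data. For a real project, `dotnet list package --include-transitive --vulnerable` does the same walk against the NuGet advisory feed.

```python
# Added example: walk a NuGet restore graph and report every path from a
# direct reference to a flagged package.  Not Akka.NET code; graph and
# versions are constructed for illustration.
import json
from typing import Callable, Dict, List, Optional

# Constructed excerpt in the shape NuGet writes to project.assets.json.  Only
# the fields the walker reads are present; versions are illustrative.
SAMPLE_ASSETS = json.dumps({
    "targets": {
        "net6.0": {
            "Akka.Streams/1.5.20": {"type": "package",
                                    "dependencies": {"Akka": "1.5.20",
                                                     "Reactive.Streams": "1.0.2"}},
            "Akka/1.5.20": {"type": "package", "dependencies": {}},
            "Reactive.Streams/1.0.2": {"type": "package",
                                       "dependencies": {"NETStandard.Library": "1.6.1"}},
            "NETStandard.Library/1.6.1": {"type": "package",
                                          "dependencies": {"System.Net.Http": "4.3.0"}},
            "System.Net.Http/4.3.0": {"type": "package", "dependencies": {}},
        }
    },
    "project": {"frameworks": {"net6.0": {
        "dependencies": {"Akka.Streams": {"version": "[1.5.20, )"}}}}},
})


def _ver(v: str) -> tuple:
    """Numeric tuple for a plain dotted version (enough for this example)."""
    return tuple(int(x) for x in v.split("."))


# Hypothetical advisory table: package -> predicate over the resolved version.
# The 4.3.4 threshold is an assumption for illustration; a real scanner reads
# the affected range from the advisory database.
FLAGGED: Dict[str, Callable[[str], bool]] = {
    "System.Net.Http": lambda v: _ver(v) < (4, 3, 4),
}


def parse_graph(assets_json: str, tfm: str):
    """Return (direct refs, resolved versions, dependency edges) for one TFM."""
    doc = json.loads(assets_json)
    versions: Dict[str, str] = {}
    edges: Dict[str, Dict[str, str]] = {}
    for key, node in doc["targets"][tfm].items():
        name, version = key.split("/", 1)
        versions[name] = version
        edges[name] = dict(node.get("dependencies", {}))
    direct = list(doc["project"]["frameworks"][tfm]["dependencies"])
    return direct, versions, edges


def find_paths(direct: List[str], edges: Dict[str, Dict[str, str]],
               target: str, max_depth: Optional[int] = None) -> List[List[str]]:
    """Depth-first search from each direct reference to `target`.

    Depth 1 is the direct reference itself, so max_depth=1 never descends
    into transitive dependencies; None walks the whole graph.
    """
    found: List[List[str]] = []

    def walk(name: str, path: List[str], depth: int) -> None:
        if name == target:
            found.append(path)
            return
        if max_depth is not None and depth >= max_depth:
            return
        for dep in edges.get(name, {}):
            if dep in path:  # guard against cycles in a malformed graph
                continue
            walk(dep, path + [dep], depth + 1)

    for root in direct:
        walk(root, [root], 1)
    return found


def vulnerable_paths(assets_json: str, tfm: str,
                     max_depth: Optional[int] = None) -> List[str]:
    """Every 'A -> B -> C' chain that ends at a flagged package version."""
    direct, versions, edges = parse_graph(assets_json, tfm)
    report: List[str] = []
    for pkg, is_bad in FLAGGED.items():
        if pkg in versions and is_bad(versions[pkg]):
            for path in find_paths(direct, edges, pkg, max_depth):
                report.append(" -> ".join(path) + f" ({versions[pkg]})")
    return report


if __name__ == "__main__":
    print("direct refs only:", vulnerable_paths(SAMPLE_ASSETS, "net6.0", max_depth=1))
    print("full graph      :", vulnerable_paths(SAMPLE_ASSETS, "net6.0"))
```

With the constructed graph the one-layer walk reports nothing, because the only direct reference is Akka.Streams and the flagged package sits three edges below it; the full walk returns the chain Akka.Streams -> Reactive.Streams -> NETStandard.Library -> System.Net.Http. That is the shape of finding the issue describes: the fix is to change the edge out of Reactive.Streams, not anything in the project's own references.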

@Arkatufus
Contributor Author

We just need to bump Reactive.Streams to 1.0.3 and we should be golden.

@Aaronontheweb
Member

Resolved via #7213
