CVE-2023-31442
First published: Thu May 11 2023(Updated: )
In Lightbend Akka before 2.8.1, the async-dns resolver (used by Discovery in DNS mode and transitively by Cluster Bootstrap) uses predictable DNS transaction IDs when resolving DNS records, making DNS resolution subject to poisoning by an attacker. If the application performing discovery does not validate (e.g., via TLS) the authenticity of the discovered service, this may result in exfiltration of application data (e.g., persistence events may be published to an unintended Kafka broker). If such validation is performed, then the poisoning constitutes a denial of access to the intended service. This affects Akka 2.5.14 through 2.8.0, and Akka Discovery through 2.8.0.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Lightbend Akka Actor | >=2.5.14<2.8.1 | |
| Lightbend Akka Discovery | <2.8.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is CVE-2023-31442?
CVE-2023-31442 is a vulnerability in Lightbend Akka before 2.8.1 that allows an attacker to perform DNS poisoning due to predictable DNS transaction IDs.
What software is affected by CVE-2023-31442?
Lightbend Akka Actor versions between 2.5.14 and 2.8.1, and Lightbend Akka Discovery up to version 2.8.1 are affected by CVE-2023-31442.
How severe is CVE-2023-31442?
CVE-2023-31442 has a severity score of 7.5 (High).
How can I fix CVE-2023-31442?
To fix CVE-2023-31442, you should upgrade Lightbend Akka Actor and Lightbend Akka Discovery to version 2.8.1 or higher.
Where can I find more information about CVE-2023-31442?
You can find more information about CVE-2023-31442 on the official Akka website: https://akka.io/security/akka-async-dns-2023-31442.html
- collector/nvd-index
- vendor/lightbend
- canonical/lightbend akka actor
- version/lightbend akka actor/2.5.14
- canonical/lightbend akka discovery