Akka Async DNS resolver has insufficient entropy to protect against DNS poisoning
Description of Vulnerability
Akka’s async-dns
resolver (used by Akka Discovery in DNS mode and transitively by Akka Cluster Bootstrap) uses predictable DNS transaction IDs when resolving DNS records, making DNS resolution subject to poisoning.
Impact
If the application performing discovery does not validate (e.g. via TLS) the authenticity of the discovered service, this may result in exfiltration of application data (e.g. persistence events may be published to an unintended Kafka broker). If such validation is performed, then the poisoning constitutes a denial of access to the intended service.
Resolution
The means of generating DNS transaction IDs was improved to increase effective entropy and validation of DNS responses was hardened.
Affected versions
-
akka-actor
from 2.5.14 through 2.8.0 (inclusive: all versions before 2.8.1 which includeasync-dns
) -
akka-discovery
through 2.8.0 (all versions before 2.8.1)