CVE-2021-42697

7.5 HIGH

📋 TL;DR

This vulnerability allows remote attackers to cause a Denial of Service (DoS) in Akka HTTP servers by sending HTTP requests with specially crafted User-Agent headers containing deeply nested comments. The stack exhaustion during header parsing crashes the server process. Affected systems are those running vulnerable versions of Akka HTTP 10.1.x before 10.1.15 or 10.2.x before 10.2.7.

💻 Affected Systems

Products:
  • Akka HTTP
Versions: 10.1.x before 10.1.15, 10.2.x before 10.2.7
Operating Systems: All platforms running Akka HTTP
Default Config Vulnerable: ⚠️ Yes
Notes: All Akka HTTP servers using vulnerable versions are affected regardless of configuration, as the vulnerability exists in the HTTP header parsing component.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service unavailability requiring manual restart of affected Akka HTTP servers, potentially disrupting dependent applications and services.

🟠 Likely Case

Service disruption affecting availability of web services hosted on vulnerable Akka HTTP instances, with automatic or manual restart required to restore functionality.

🟢 If Mitigated

Minimal impact with proper monitoring and automated restart mechanisms in place, though service interruptions may still occur during attack periods.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only sending a single HTTP request with a malicious User-Agent header, making this trivial to weaponize.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.1.15 or 10.2.7

Vendor Advisory: https://doc.akka.io/docs/akka-http/current/security/2021-CVE-2021-42697-stack-overflow-parsing-user-agent.html

Restart Required: Yes

Instructions:

1. Update the Akka HTTP dependency to version 10.1.15 or 10.2.7 in your build configuration.
2. Rebuild and redeploy your application.
3. Restart all affected services.

🔧 Temporary Workarounds

WAF/Proxy Filtering (all platforms)

Configure web application firewalls or reverse proxies to filter or block HTTP requests with suspicious User-Agent headers containing excessive nested comments.

Rate Limiting (all platforms)

Implement rate limiting on HTTP endpoints to restrict the number of requests from single sources, reducing DoS impact.

🧯 If You Can't Patch

  • Implement network-level filtering to block requests with suspicious User-Agent patterns at load balancers or firewalls.
  • Deploy monitoring and automated restart mechanisms to detect and recover from service crashes quickly.

🔍 How to Verify

Check if Vulnerable:

Check your project's dependency configuration (build.sbt, pom.xml, etc.) for the Akka HTTP version. If the version is 10.1.0 through 10.1.14 or 10.2.0 through 10.2.6, you are vulnerable.

Check Version:

Check build configuration files or run: sbt 'show akka-http-version' (for Scala) or check Maven/Gradle dependencies.

Verify Fix Applied:

After updating, verify the Akka HTTP version in your deployed application matches 10.1.15 or 10.2.7, and test that services remain responsive under normal load.

📡 Detection & Monitoring

Log Indicators:

  • Stack overflow exceptions in application logs
  • Sudden process termination of Akka HTTP services
  • Error messages related to HTTP header parsing

Network Indicators:

  • HTTP requests with unusually long User-Agent headers containing nested comment syntax
  • Multiple connection attempts followed by service unavailability

SIEM Query:

source="akka-http-logs" AND ("stack overflow" OR "StackOverflowError" OR "header parsing error")
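As an added example (not from the advisory or from Akka HTTP itself) serving both the WAF/proxy filtering workaround and the network indicators above: a header check that measures how deeply RFC 7230 comments nest inside a User-Agent value, honouring quoted-pair escapes so a backslash-escaped parenthesis is not miscounted. The depth threshold and the sample requests are assumptions constructed for illustration.

```python
# Added example (not from the advisory or Akka HTTP): flag User-Agent headers
# whose RFC 7230 comments nest deeper than an assumed threshold.
# RFC 7230: comment = "(" *( ctext / quoted-pair / comment ) ")" and
# quoted-pair = "\" ( HTAB / SP / VCHAR / obs-text ), so a backslash
# escapes the next character, parentheses included.
def max_comment_depth(value: str) -> int:
    """Return the deepest comment nesting level in a header value."""
    depth = deepest = 0
    escaped = False
    for ch in value:
        if escaped:                 # char after '\' is literal
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "(":
            depth += 1
            deepest = max(deepest, depth)
        elif ch == ")" and depth > 0:
            depth -= 1
    return deepest

# Assumed threshold: real browser/tool User-Agents rarely nest beyond 2-3.
MAX_ALLOWED_DEPTH = 8

def parse_request_headers(raw: str) -> dict:
    """Parse the header block of a raw HTTP/1.1 request (names lower-cased)."""
    headers = {}
    for line in raw.split("\r\n")[1:]:   # skip the request line
        if not line:                     # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def is_suspicious(headers: dict) -> bool:
    """True when the User-Agent nests comments beyond MAX_ALLOWED_DEPTH."""
    return max_comment_depth(headers.get("user-agent", "")) > MAX_ALLOWED_DEPTH

# Constructed sample traffic, not real captures.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101\r\n\r\n",
    "GET / HTTP/1.1\r\nUser-Agent: tool/1.0 (escaped \\( paren (inner))\r\n\r\n",
    "GET / HTTP/1.1\r\nUser-Agent: " + "(" * 12 + "x" + ")" * 12 + "\r\n\r\n",
]

def scan(requests=SAMPLE_REQUESTS) -> list:
    """Return (max comment depth, flagged) for each raw request."""
    parsed = [parse_request_headers(r) for r in requests]
    return [(max_comment_depth(h.get("user-agent", "")), is_suspicious(h)) for h in parsed]
```

The second sample shows why escape handling matters: a naive parenthesis count would report depth 3, while the RFC-aware check reports 2, so an inline filter built this way produces fewer false positives on legitimate agents.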
