CVE-2023-31442

Name of the Vulnerable Software and Affected Versions Lightbend Akka versions 2.5.14 through 2.8.0 Akka Discovery versions 2.5.14 through 2.8.0

Description The async-dns resolver in Lightbend Akka uses predictable DNS transaction IDs when resolving DNS records, making DNS resolution subject to poisoning by an attacker. If the application performing discovery does not validate the authenticity of the discovered service, this may result in exfiltration of application data. For example, persistence events may be published to an unintended Kafka broker. If such validation is performed, then the poisoning constitutes a denial of access to the intended service.

Recommendations For versions 2.5.14 through 2.8.0, update to version 2.8.1 or later to resolve the issue. As a temporary workaround, consider validating the authenticity of discovered services via TLS to minimize the risk of exploitation. Restrict access to sensitive data and services to prevent potential exfiltration in case of DNS poisoning.