#VU103643 Reliance on Reverse DNS Resolution for a Security-Critical Action in Lightbend - CVE-2023-31442

Cybersecurity Help s.r.o.

Published: 2025-02-05

Vulnerability identifier: #VU103643

Vulnerability risk: High

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2023-31442

CWE-ID: CWE-350

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Lightbend
Other software / Other software solutions

Vendor: Akka Project

Description

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to async-dns resolver (used by Discovery in DNS mode and transitively by Cluster Bootstrap) uses predictable DNS transaction IDs when resolving DNS records. A remote attacker can exploit the vulnerability to perform a denial of service attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Lightbend: before 2.8.1

External links
https://akka.io/security/akka-async-dns-2023-31442.html
https://akka.io/security/akka-async-dns-2023-31442.html
https://lightbend.com
https://lightbend.com

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Dell Data Protection Central update for third-party component

Multiple vulnerabilities in IBM Cloud Application Performance Management (APM)

Multiple vulnerabilities in IBM Cloud Pak for Business Automation

Reliance on Reverse DNS Resolution for a Security-Critical Action in Akka Lightbend