Adjust the score for the serialization vulnerability

* and some additional clarifications * and some cleanup of wrong rst format (cherry picked from commit a79bfbf941e5129fcf21d8a9e29d1ae1c55e39a0)
2017-02-15 08:51:36 +01:00 · 2017-02-15 08:51:36 +01:00 · adae12ff95
commit adae12ff95
parent a7dfaf00a4
9 changed files with 24 additions and 9 deletions
--- a/akka-docs/rst/scala/remoting-artery.rst
+++ b/akka-docs/rst/scala/remoting-artery.rst
@ -264,7 +264,9 @@ It should be protected by network security, such as a firewall. There is current
 so if network security is not considered as enough protection the classic remoting with
 :ref:`TLS and mutual authentication <remote-tls-scala>`  should be used.

-It is also security best-practice to :ref:`disable the Java serializer <disable-java-serializer-java-artery>` because of 
+Best practice is that Akka remoting nodes should only be accessible from the adjacent network.
+
+It is also security best practice to :ref:`disable the Java serializer <disable-java-serializer-java-artery>` because of 
 its multiple `known attack surfaces <https://community.hpe.com/t5/Security-Research/The-perils-of-Java-deserialization/ba-p/6838995>`_.

 Untrusted Mode
--- a/akka-docs/rst/scala/remoting.rst
+++ b/akka-docs/rst/scala/remoting.rst
@ -519,6 +519,9 @@ a certificate from the connecting peer. Without this mode only the client side i
 While Akka is a peer-to-peer technology, each connection between nodes starts out from one side (the "client") towards 
 the other (the "server").

+Note that if TLS is enabled with mutual authentication there is still a risk that an attacker can gain access to a valid certificate
+by compromising any node with certificates issued by the same internal PKI tree.
+
 See also a description of the settings in the :ref:`remote-configuration-scala` section.

 .. note::
--- a/akka-docs/rst/scala/stream/stages-overview.rst
+++ b/akka-docs/rst/scala/stream/stages-overview.rst
@ -883,7 +883,7 @@ Similar to ``Flow.fromSinkAndSource`` however couples the termination of these t
 E.g. if the emitted ``Flow`` gets a cancellation, the ``Source`` of course is cancelled,
 however the Sink will also be completed. The table below illustrates the effects in detail:

-+-------------------------------------------------+-----------------------------+---------------------------------+
+=================================================+=============================+=================================+
 | Returned Flow                                   | Sink (in)                   | Source (out)                    |
 +=================================================+=============================+=================================+
 | cause: upstream (sink-side) receives completion | effect: receives completion | effect: receives cancel         |