Bug 2216888 (CVE-2023-34462)

Summary: CVE-2023-34462 netty: SniHandler 16MB allocation leads to OOM
Product: [Other] Security Response Reporter: TEJ RATHI <trathi>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aazores, adupliak, aileenc, alampare, alazarot, anstephe, asoldano, ataylor, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, clement.escoffier, cmoulliard, dandread, darran.lofthouse, dffrench, dhanak, dkreling, dosoudil, drichtar, eaguilar, ebaron, emingora, eric.wittmann, fjansen, fjuma, fmongiar, gjospin, gmalinko, gsmet, gzaronik, hamadhan, hbraun, ibek, ikanello, ivassile, iweiss, janstey, jcantril, jkang, jmartisk, jnethert, jpallich, jpechane, jpoth, jrokos, jross, jscholz, kaycoth, kverlaen, lbacciot, lgao, lthon, max.andersen, michal.skrivanek, mizdebsk, mnovotny, mosmerov, mperina, msochure, mstefank, msvehla, ngough, nwallace, pantinor, pdelbell, pdrozd, peholase, periklis, pgallagh, pjindal, pmackay, probinso, pskopek, rgodfrey, rguimara, rjohnson, rkieley, rowaters, rruss, rstancel, rsvoboda, saroy, sbiarozk, sbonazzo, sdouglas, sfroberg, smaestri, sthorger, swoodman, tcunning, tom.jenkinson, tqvarnst, yfang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: netty 4.1.94.Final Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Netty's SniHandler while navigating TLS handshake which may permit a large heap allocation if the handler did not have a timeout configured. This issue may allow an attacker to send a client hello packet which would cause the server to buffer large amounts of data per connection, potentially causing an out of memory error, resulting in Denial of Service.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2216893, 2216897, 2216898, 2216899    
Bug Blocks: 2216889    

Description TEJ RATHI 2023-06-23 04:18:02 UTC 
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` to allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the indicated server name by the `ClientHello` record. For this matter it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet but there are not checks done here and the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final.

https://github.com/netty/netty/security/advisories/GHSA-6mjq-h674-j845
https://github.com/netty/netty/commit/535da17e45201ae4278c0479e6162bb4127d4c32
Comment 1 TEJ RATHI 2023-06-23 04:46:17 UTC 
Created log4j tracking bugs for this issue:

Affects: fedora-37 [bug 2216893]