Bug 2216888 (CVE-2023-34462)
Summary: | CVE-2023-34462 netty: SniHandler 16MB allocation leads to OOM | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | TEJ RATHI <trathi> |
Component: | vulnerability | Assignee: | Nobody <nobody> |
Status: | NEW --- | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | aazores, adupliak, aileenc, alampare, alazarot, anstephe, asoldano, ataylor, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, clement.escoffier, cmoulliard, dandread, darran.lofthouse, dffrench, dhanak, dkreling, dosoudil, drichtar, eaguilar, ebaron, emingora, eric.wittmann, fjansen, fjuma, fmongiar, gjospin, gmalinko, gsmet, gzaronik, ibek, ikanello, ivassile, iweiss, janstey, jcantril, jkang, jmartisk, jnethert, jpallich, jpechane, jpoth, jrokos, jross, jscholz, kaycoth, kverlaen, lbacciot, lgao, lthon, max.andersen, michal.skrivanek, mizdebsk, mnovotny, mosmerov, mperina, msochure, mstefank, msvehla, ngough, nwallace, pantinor, pdelbell, pdrozd, peholase, periklis, pgallagh, pjindal, pmackay, probinso, pskopek, rgodfrey, rguimara, rjohnson, rkieley, rowaters, rruss, rstancel, rsvoboda, saroy, sbiarozk, sfroberg, smaestri, sthorger, swoodman, tcunning, tom.jenkinson, tqvarnst, yfang |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | netty 4.1.94.Final | Doc Type: | If docs needed, set a value |
Doc Text: |
A flaw was found in Netty's SniHandler while navigating TLS handshake which may permit a large heap allocation if the handler did not have a timeout configured. This issue may allow an attacker to send a client hello packet which would cause the server to buffer large amounts of data per connection, potentially causing an out of memory error, resulting in Denial of Service.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | Type: | --- | |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 2216893, 2216897, 2216898, 2216899 | ||
Bug Blocks: | 2216889 |
Description
TEJ RATHI
2023-06-23 04:18:02 UTC
Created log4j tracking bugs for this issue: Affects: fedora-37 [bug 2216893] This issue has been addressed in the following products: Red Hat AMQ Streams 2.5.0 Via RHSA-2023:5165 https://access.redhat.com/errata/RHSA-2023:5165 This issue has been addressed in the following products: Red Hat Data Grid 8.4.4 Via RHSA-2023:5396 https://access.redhat.com/errata/RHSA-2023:5396 This issue has been addressed in the following products: RHINT Camel-Springboot 4.0.0 Via RHSA-2023:5441 https://access.redhat.com/errata/RHSA-2023:5441 This issue has been addressed in the following products: EAP 7.4.13 Via RHSA-2023:5488 https://access.redhat.com/errata/RHSA-2023:5488 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 Via RHSA-2023:5484 https://access.redhat.com/errata/RHSA-2023:5484 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 Via RHSA-2023:5485 https://access.redhat.com/errata/RHSA-2023:5485 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 Via RHSA-2023:5486 https://access.redhat.com/errata/RHSA-2023:5486 This issue has been addressed in the following products: Red Hat JBoss AMQ Via RHSA-2023:5946 https://access.redhat.com/errata/RHSA-2023:5946 This issue has been addressed in the following products: RHINT Service Registry 2.5.4 GA Via RHSA-2023:7653 https://access.redhat.com/errata/RHSA-2023:7653 This issue has been addressed in the following products: Cryostat 2 on RHEL 8 Via RHSA-2023:7669 https://access.redhat.com/errata/RHSA-2023:7669 This issue has been addressed in the following products: AMQ Clients 3.y for RHEL 8 AMQ Clients 3.y for RHEL 9 Via RHSA-2023:7697 https://access.redhat.com/errata/RHSA-2023:7697 This issue has been addressed in the following products: Red Hat build of Quarkus 2.13.9 Via RHSA-2023:7700 https://access.redhat.com/errata/RHSA-2023:7700 This issue has been addressed in the following products: Red Hat Integration Via RHSA-2023:7705 https://access.redhat.com/errata/RHSA-2023:7705 This issue has been addressed in the following products: RHINT Camel-K 1.10.5 Via RHSA-2024:0148 https://access.redhat.com/errata/RHSA-2024:0148 Marking EAP-8 as not affected because EAP 8 GA was released with the fixed version of netty. |