Bug 2216888 (CVE-2023-34462)

Summary:	CVE-2023-34462 netty: SniHandler 16MB allocation leads to OOM
Product:	[Other] Security Response	Reporter:	TEJ RATHI <trathi>
Component:	vulnerability	Assignee:	Nobody <nobody>
Status:	NEW ---	QA Contact:
Severity:	medium	Docs Contact:
Priority:	medium
Version:	unspecified	CC:	aazores, adupliak, aileenc, alampare, alazarot, anstephe, asoldano, ataylor, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, clement.escoffier, cmoulliard, dandread, darran.lofthouse, dffrench, dhanak, dkreling, dosoudil, drichtar, eaguilar, ebaron, emingora, eric.wittmann, fjansen, fjuma, fmongiar, gjospin, gmalinko, gsmet, gzaronik, ibek, ikanello, ivassile, iweiss, janstey, jcantril, jkang, jmartisk, jnethert, jpallich, jpechane, jpoth, jrokos, jross, jscholz, kaycoth, kverlaen, lbacciot, lgao, lthon, max.andersen, michal.skrivanek, mizdebsk, mnovotny, mosmerov, mperina, msochure, mstefank, msvehla, ngough, nwallace, pantinor, pdelbell, pdrozd, peholase, periklis, pgallagh, pjindal, pmackay, probinso, pskopek, rgodfrey, rguimara, rjohnson, rkieley, rowaters, rruss, rstancel, rsvoboda, saroy, sbiarozk, sdouglas, sfroberg, smaestri, sthorger, swoodman, tcunning, tom.jenkinson, tqvarnst, yfang
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:	netty 4.1.94.Final	Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in Netty's SniHandler while navigating TLS handshake which may permit a large heap allocation if the handler did not have a timeout configured. This issue may allow an attacker to send a client hello packet which would cause the server to buffer large amounts of data per connection, potentially causing an out of memory error, resulting in Denial of Service.	Story Points:	---
Clone Of:		Environment:
Last Closed:		Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:	2216893, 2216897, 2216898, 2216899
Bug Blocks:	2216889

Description TEJ RATHI 2023-06-23 04:18:02 UTC

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` to allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the indicated server name by the `ClientHello` record. For this matter it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet but there are not checks done here and the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final.

https://github.com/netty/netty/security/advisories/GHSA-6mjq-h674-j845
https://github.com/netty/netty/commit/535da17e45201ae4278c0479e6162bb4127d4c32

Comment 1 TEJ RATHI 2023-06-23 04:46:17 UTC

Created log4j tracking bugs for this issue:

Affects: fedora-37 [bug 2216893]

Comment 14 errata-xmlrpc 2023-09-14 09:51:48 UTC

This issue has been addressed in the following products:

  Red Hat AMQ Streams 2.5.0

Via RHSA-2023:5165 https://access.redhat.com/errata/RHSA-2023:5165

Comment 16 errata-xmlrpc 2023-09-28 11:55:39 UTC

This issue has been addressed in the following products:

  Red Hat Data Grid 8.4.4

Via RHSA-2023:5396 https://access.redhat.com/errata/RHSA-2023:5396

Comment 17 errata-xmlrpc 2023-10-04 11:59:28 UTC

This issue has been addressed in the following products:

  RHINT Camel-Springboot 4.0.0

Via RHSA-2023:5441 https://access.redhat.com/errata/RHSA-2023:5441

Comment 18 errata-xmlrpc 2023-10-05 20:18:33 UTC

This issue has been addressed in the following products:

  EAP 7.4.13

Via RHSA-2023:5488 https://access.redhat.com/errata/RHSA-2023:5488

Comment 19 errata-xmlrpc 2023-10-05 20:21:42 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7

Via RHSA-2023:5484 https://access.redhat.com/errata/RHSA-2023:5484

Comment 20 errata-xmlrpc 2023-10-05 20:22:15 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2023:5485 https://access.redhat.com/errata/RHSA-2023:5485

Comment 21 errata-xmlrpc 2023-10-05 20:23:28 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9

Via RHSA-2023:5486 https://access.redhat.com/errata/RHSA-2023:5486

Comment 22 errata-xmlrpc 2023-10-19 19:09:30 UTC

This issue has been addressed in the following products:

  Red Hat JBoss AMQ

Via RHSA-2023:5946 https://access.redhat.com/errata/RHSA-2023:5946

Comment 23 errata-xmlrpc 2023-12-05 14:36:40 UTC

This issue has been addressed in the following products:

  RHINT Service Registry 2.5.4 GA

Via RHSA-2023:7653 https://access.redhat.com/errata/RHSA-2023:7653

Comment 24 errata-xmlrpc 2023-12-06 22:07:27 UTC

This issue has been addressed in the following products:

  Cryostat 2 on RHEL 8

Via RHSA-2023:7669 https://access.redhat.com/errata/RHSA-2023:7669

Comment 25 errata-xmlrpc 2023-12-07 13:42:13 UTC

This issue has been addressed in the following products:

  AMQ Clients 3.y for RHEL 8
  AMQ Clients 3.y for RHEL 9

Via RHSA-2023:7697 https://access.redhat.com/errata/RHSA-2023:7697

Comment 26 errata-xmlrpc 2023-12-07 14:26:43 UTC

This issue has been addressed in the following products:

  Red Hat build of Quarkus 2.13.9

Via RHSA-2023:7700 https://access.redhat.com/errata/RHSA-2023:7700

Comment 27 errata-xmlrpc 2023-12-07 15:32:49 UTC

This issue has been addressed in the following products:

  Red Hat Integration

Via RHSA-2023:7705 https://access.redhat.com/errata/RHSA-2023:7705

Comment 28 errata-xmlrpc 2024-01-10 13:30:27 UTC

This issue has been addressed in the following products:

  RHINT Camel-K 1.10.5

Via RHSA-2024:0148 https://access.redhat.com/errata/RHSA-2024:0148

Comment 31 Paramvir jindal 2024-03-28 03:49:26 UTC

Marking EAP-8 as not affected because EAP 8 GA was released with the fixed version of netty.