Bug 2260840 (CVE-2024-1023)

Summary: CVE-2024-1023 io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx
Product: [Other] Security Response Reporter: TEJ RATHI <trathi>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aazores, adupliak, aileenc, anstephe, asoldano, ataylor, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, chfoley, clement.escoffier, cmah, cmiranda, dandread, darran.lofthouse, dhanak, dkreling, dosoudil, dpalmer, drichtar, dsimansk, eaguilar, ebaron, ecerquei, eric.wittmann, fjuma, fmariani, fmongiar, gmalinko, gsmet, ibek, istudens, ivassile, iweiss, janstey, jkang, jkoops, jmartisk, jnethert, jolong, jpallich, jpoth, jrokos, jross, jscholz, kingland, kverlaen, lgao, lthon, manderse, matzew, max.andersen, mnovotny, mosmerov, msochure, mstefank, msvehla, mulliken, nipatil, nwallace, olubyans, pantinor, pcongius, pdelbell, pdrozd, peholase, pgallagh, pierdipi, pjindal, pmackay, probinso, pskopek, rguimara, rhuss, rjohnson, rkieley, rkubis, rmartinc, rowaters, rruss, rstancel, rstepani, rsvoboda, saroy, sausingh, sbiarozk, sdouglas, sfroberg, skontopo, smaestri, sthorger, swoodman, tcunning, tom.jenkinson, tqvarnst, yfang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A vulnerability in the Eclipse Vert.x toolkit results in a memory leak due to using Netty FastThreadLocal data structures. Specifically, when the Vert.x HTTP client establishes connections to different hosts, triggering the memory leak. The leak can be accelerated with intimate runtime knowledge, allowing an attacker to exploit this vulnerability. For instance, a server accepting arbitrary internet addresses could serve as an attack vector by connecting to these addresses, thereby accelerating the memory leak.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2260857    

Description TEJ RATHI 2024-01-29 11:01:27 UTC 
There is a regression in Vert.x 4.4 branch that leads to a memory leak due to the use of Netty FastThreadLocal data structures.

As a consequence, when the Vert.x HTTP client connects to a different host, it does make the leak progress furthermore, there might be other cases leading to the same effect but exhibiting one seems enough to demonstrate the feasability.

Thus, this can be exploited with intimate knowledge of the runtime to accelerate the memory leak, e.g. a server accepting arbitrary internet addresses for which it will connect to could be fed with addresses as an attack vector.

This affects the maven artifact io.vertx:vertx-core versions 4.4.5, 4.4.6, 4.5.0, 4.5.1

https://github.com/eclipse-vertx/vert.x/issues/5078
https://github.com/eclipse-vertx/vert.x/pull/5082
https://github.com/eclipse-vertx/vert.x/pull/5080
Comment 7 errata-xmlrpc 2024-04-03 10:53:09 UTC 
This issue has been addressed in the following products:

  Red Hat build of Quarkus 3.2.11

Via RHSA-2024:1662 https://access.redhat.com/errata/RHSA-2024:1662
Comment 8 errata-xmlrpc 2024-04-29 02:26:50 UTC 
This issue has been addressed in the following products:

  Cryostat 2 on RHEL 8

Via RHSA-2024:2088 https://access.redhat.com/errata/RHSA-2024:2088
Comment 11 errata-xmlrpc 2024-05-14 09:08:13 UTC 
This issue has been addressed in the following products:

  RHINT Service Registry 2.5.11 GA

Via RHSA-2024:2833 https://access.redhat.com/errata/RHSA-2024:2833
Comment 13 errata-xmlrpc 2024-05-30 20:25:34 UTC 
This issue has been addressed in the following products:

  Red Hat AMQ Streams 2.7.0

Via RHSA-2024:3527 https://access.redhat.com/errata/RHSA-2024:3527
Comment 14 errata-xmlrpc 2024-06-20 00:35:54 UTC 
This issue has been addressed in the following products:

  MTA-6.2-RHEL-9
  MTA-6.2-RHEL-8

Via RHSA-2024:3989 https://access.redhat.com/errata/RHSA-2024:3989
Comment 16 errata-xmlrpc 2024-07-25 19:26:09 UTC 
This issue has been addressed in the following products:

  Red Hat build of Apache Camel 4.4.1 for Spring Boot

Via RHSA-2024:4884 https://access.redhat.com/errata/RHSA-2024:4884