Bug 2263139 (CVE-2024-1300)
| Summary: | CVE-2024-1300 io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | TEJ RATHI <trathi> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | aazores, adupliak, aileenc, anstephe, asoldano, ataylor, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, chfoley, clement.escoffier, cmah, cmiranda, dandread, darran.lofthouse, dhanak, dkreling, dosoudil, dpalmer, drichtar, dsimansk, eaguilar, ebaron, ecerquei, eric.wittmann, fjuma, fmariani, fmongiar, gmalinko, gsmet, hbraun, ibek, istudens, ivassile, iweiss, janstey, jkang, jkoops, jmartisk, jnethert, jolong, jpallich, jpoth, jrokos, jross, jscholz, kingland, kverlaen, lgao, lthon, manderse, matzew, max.andersen, mnovotny, mosmerov, msochure, mstefank, msvehla, mulliken, nipatil, nwallace, olubyans, pantinor, pcongius, pdelbell, pdrozd, peholase, pgallagh, pierdipi, pjindal, pmackay, probinso, pskopek, rguimara, rhuss, rjohnson, rkieley, rkubis, rmartinc, rowaters, rruss, rstancel, rstepani, rsvoboda, saroy, sausingh, sbiarozk, sdouglas, sfroberg, smaestri, sthorger, swoodman, tcunning, tom.jenkinson, tqvarnst, yfang |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 2263142 | ||
|
Description
TEJ RATHI
2024-02-07 07:18:17 UTC
This issue has been addressed in the following products: Red Hat build of Quarkus 3.2.11 Via RHSA-2024:1662 https://access.redhat.com/errata/RHSA-2024:1662 This issue has been addressed in the following products: Migration Toolkit for Runtimes 1 on RHEL 8 Via RHSA-2024:1923 https://access.redhat.com/errata/RHSA-2024:1923 This issue has been addressed in the following products: Cryostat 2 on RHEL 8 Via RHSA-2024:2088 https://access.redhat.com/errata/RHSA-2024:2088 This issue has been addressed in the following products: RHINT Service Registry 2.5.11 GA Via RHSA-2024:2833 https://access.redhat.com/errata/RHSA-2024:2833 This issue has been addressed in the following products: Red Hat AMQ Streams 2.7.0 Via RHSA-2024:3527 https://access.redhat.com/errata/RHSA-2024:3527 This issue has been addressed in the following products: MTA-6.2-RHEL-9 MTA-6.2-RHEL-8 Via RHSA-2024:3989 https://access.redhat.com/errata/RHSA-2024:3989 This issue has been addressed in the following products: Red Hat build of Apache Camel 4.4.1 for Spring Boot Via RHSA-2024:4884 https://access.redhat.com/errata/RHSA-2024:4884 This issue has been addressed in the following products: Red Hat AMQ Streams 2.5.2 Via RHSA-2024:6536 https://access.redhat.com/errata/RHSA-2024:6536 |