Bug 2309758 (CVE-2024-8391)

Summary: CVE-2024-8391 io.vertx:vertx-grpc-client: io.vertx:vertx-grpc-server: Vertx gRPC server does not limit the maximum message size
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecified
CC: anstephe, asoldano, avibelli, bbaranow, bgeorges, bmaxwell, brian.stansberry, caswilli, cdewolf, chazlett, clement.escoffier, cmah, dandread, darran.lofthouse, dhanak, dkreling, dosoudil, dsimansk, fjuma, fmongiar, gsmet, istudens, ivassile, iweiss, janstey, jmartisk, jnethert, kaycoth, kingland, kverlaen, lgao, lthon, manderse, matzew, mnovotny, mosmerov, msochure, msvehla, nwallace, olubyans, pesilva, pgallagh, pierdipi, pjindal, pmackay, probinso, rguimara, rhuss, rruss, rstancel, rsvoboda, sausingh, sbiarozk, sdouglas, smaestri, tom.jenkinson, tqvarnst
Target Milestone: ---
Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the gRPC server in Eclipse Vert.x, which does not limit the maximum length of the message payload. This may lead to excessive memory consumption in a server or a client, causing a denial of service.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2024-09-04 16:21:09 UTC
In Eclipse Vert.x versions 4.3.0 to 4.5.9, the gRPC server does not limit the maximum length of the message payload (Maven GAV: io.vertx:vertx-grpc-server and io.vertx:vertx-grpc-client).

This is fixed in version 4.5.10.

Note this does not affect the Vert.x gRPC server based on the grpc-java and Netty libraries (Maven GAV: io.vertx:vertx-grpc).
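The mitigation the fix enables is a configured upper bound on decoded message size, on both the server and the client (the bug lists both artifacts as affected). The following is an added example, not code from this bug report or from the Vert.x project; it assumes the `GrpcServerOptions`/`GrpcClientOptions` classes and their `setMaxMessageSize` setters introduced in 4.5.10, and the port and 1 MiB limit are illustrative values.

```java
import io.vertx.core.Vertx;
import io.vertx.core.http.HttpServerOptions;
import io.vertx.grpc.client.GrpcClient;
import io.vertx.grpc.client.GrpcClientOptions;
import io.vertx.grpc.server.GrpcServer;
import io.vertx.grpc.server.GrpcServerOptions;

/**
 * Bounded Vert.x gRPC server and client (vertx-grpc-server / vertx-grpc-client 4.5.10+).
 * Assumption: the option classes and setters below exist as named in 4.5.10.
 */
public class BoundedGrpc {

  // Largest protobuf message this service is willing to buffer in memory (illustrative value).
  static final long MAX_MESSAGE_BYTES = 1024L * 1024L;

  public static void main(String[] args) {
    Vertx vertx = Vertx.vertx();

    // Affected versions (4.3.0 - 4.5.9): GrpcServer.server(vertx) has no size option,
    // so a peer can send an arbitrarily large LENGTH_PREFIXED_MESSAGE and the server
    // buffers all of it before the handler runs. Do not rely on this form on old versions:
    //   GrpcServer unbounded = GrpcServer.server(vertx);

    // Fixed versions: declare the bound explicitly. Messages whose declared length
    // exceeds it are rejected by the transport instead of being accumulated.
    GrpcServerOptions serverOptions = new GrpcServerOptions()
        .setMaxMessageSize(MAX_MESSAGE_BYTES);
    GrpcServer grpcServer = GrpcServer.server(vertx, serverOptions);

    // Minimal echo handler; it only ever sees messages that passed the size check.
    grpcServer.callHandler(req -> req.handler(msg -> req.response().end(msg)));

    vertx.createHttpServer(new HttpServerOptions().setPort(8443))
        .requestHandler(grpcServer)
        .listen();

    // The client side is affected too: a malicious or buggy server can stream an
    // oversized response, so bound it with the same setting on the client.
    GrpcClientOptions clientOptions = new GrpcClientOptions()
        .setMaxMessageSize(MAX_MESSAGE_BYTES);
    GrpcClient client = GrpcClient.client(vertx, clientOptions);
    // ... use client.request(...) as usual; responses above the bound fail the call.
  }
}
```

Pick the bound from the largest legitimate message the service's protobuf schema produces; sizing it to the heap rather than to the schema leaves most of the exposure in place.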

Comment 1 errata-xmlrpc 2024-09-24 12:53:03 UTC
This issue has been addressed in the following products:

  Red Hat build of Apache Camel for Quarkus 2.13

Via RHSA-2024:7052 https://access.redhat.com/errata/RHSA-2024:7052

Comment 2 errata-xmlrpc 2024-10-14 01:00:21 UTC
This issue has been addressed in the following products:

  RHOSS-1.34-RHEL-8

Via RHSA-2024:8023 https://access.redhat.com/errata/RHSA-2024:8023

Comment 3 errata-xmlrpc 2025-01-21 17:55:55 UTC
This issue has been addressed in the following products:

  Red Hat JBoss EAP XP 5.0 Update 1.0

Via RHSA-2025:0542 https://access.redhat.com/errata/RHSA-2025:0542