It was discovered that when handling specially crafted SSL packets, the SslHandler implementation in Netty entered an infinite loop. An unauthenticated remote attacker could use this flaw to trigger a denial of service by CPU exhaustion.
Affects: 3.9.0, 3.9.1
Statement: Netty versions as shipped by Red Hat products are not affected by this flaw.
Here is the issue and the fix: https://github.com/netty/netty/issues/2562
Netty 3.9.2.Final was released with the fix included. See http://netty.io/news/2014/06/11/3.html
Acknowledgement: Red Hat would like to thank Laurentiu Luca for reporting this issue.