2216888 – (CVE-2023-34462) CVE-2023-34462 netty: SniHandler 16MB allocation leads to OOM

Bug 2216888 (CVE-2023-34462) - CVE-2023-34462 netty: SniHandler 16MB allocation leads to OOM

Summary: CVE-2023-34462 netty: SniHandler 16MB allocation leads to OOM

Keywords:
Status:	NEW
Alias:	CVE-2023-34462
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2216893 2216897 2216898 2216899
Blocks:	2216889
TreeView+	depends on / blocked

Reported:	2023-06-23 04:18 UTC by TEJ RATHI
Modified:	2023-07-21 22:26 UTC (History)
CC List:	99 users (show)
Fixed In Version:	netty 4.1.94.Final
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in Netty's SniHandler while navigating TLS handshake which may permit a large heap allocation if the handler did not have a timeout configured. This issue may allow an attacker to send a client hello packet which would cause the server to buffer large amounts of data per connection, potentially causing an out of memory error, resulting in Denial of Service.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description TEJ RATHI 2023-06-23 04:18:02 UTC

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` to allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the indicated server name by the `ClientHello` record. For this matter it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet but there are not checks done here and the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final.

https://github.com/netty/netty/security/advisories/GHSA-6mjq-h674-j845
https://github.com/netty/netty/commit/535da17e45201ae4278c0479e6162bb4127d4c32

Comment 1 TEJ RATHI 2023-06-23 04:46:17 UTC

Created log4j tracking bugs for this issue:

Affects: fedora-37 [bug 2216893]

Note You need to log in before you can comment on or make changes to this bug.

aazores
adupliak
aileenc
alampare
alazarot
anstephe
asoldano
ataylor
avibelli
bbaranow
bgeorges
bmaxwell
boliveir
brian.stansberry
cdewolf
chazlett
clement.escoffier
cmoulliard
dandread
darran.lofthouse
dffrench
dhanak
dkreling
dosoudil
drichtar
eaguilar
ebaron
emingora
eric.wittmann
fjansen
fjuma
fmongiar
gjospin
gmalinko
gsmet
gzaronik
hamadhan
hbraun
ibek
ikanello
ivassile
iweiss
janstey
jcantril
jkang
jmartisk
jnethert
jpallich
jpechane
jpoth
jrokos
jross
jscholz
kaycoth
kverlaen
lbacciot
lgao
lthon
max.andersen
michal.skrivanek
mizdebsk
mnovotny
mosmerov
mperina
msochure
mstefank
msvehla
ngough
nwallace
pantinor
pdelbell
pdrozd
peholase
periklis
pgallagh
pjindal
pmackay
probinso
pskopek
rgodfrey
rguimara
rjohnson
rkieley
rowaters
rruss
rstancel
rsvoboda
saroy
sbiarozk
sbonazzo
sdouglas
sfroberg
smaestri
sthorger
swoodman
tcunning
tom.jenkinson
tqvarnst
yfang