Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` to allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the indicated server name by the `ClientHello` record. For this matter it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet but there are not checks done here and the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final. https://github.com/netty/netty/security/advisories/GHSA-6mjq-h674-j845 https://github.com/netty/netty/commit/535da17e45201ae4278c0479e6162bb4127d4c32
Created log4j tracking bugs for this issue: Affects: fedora-37 [bug 2216893]
This issue has been addressed in the following products: Red Hat AMQ Streams 2.5.0 Via RHSA-2023:5165 https://access.redhat.com/errata/RHSA-2023:5165
This issue has been addressed in the following products: Red Hat Data Grid 8.4.4 Via RHSA-2023:5396 https://access.redhat.com/errata/RHSA-2023:5396
This issue has been addressed in the following products: RHINT Camel-Springboot 4.0.0 Via RHSA-2023:5441 https://access.redhat.com/errata/RHSA-2023:5441
This issue has been addressed in the following products: EAP 7.4.13 Via RHSA-2023:5488 https://access.redhat.com/errata/RHSA-2023:5488
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 Via RHSA-2023:5484 https://access.redhat.com/errata/RHSA-2023:5484
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 Via RHSA-2023:5485 https://access.redhat.com/errata/RHSA-2023:5485
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 Via RHSA-2023:5486 https://access.redhat.com/errata/RHSA-2023:5486
This issue has been addressed in the following products: Red Hat JBoss AMQ Via RHSA-2023:5946 https://access.redhat.com/errata/RHSA-2023:5946
This issue has been addressed in the following products: RHINT Service Registry 2.5.4 GA Via RHSA-2023:7653 https://access.redhat.com/errata/RHSA-2023:7653
This issue has been addressed in the following products: Cryostat 2 on RHEL 8 Via RHSA-2023:7669 https://access.redhat.com/errata/RHSA-2023:7669
This issue has been addressed in the following products: AMQ Clients 3.y for RHEL 8 AMQ Clients 3.y for RHEL 9 Via RHSA-2023:7697 https://access.redhat.com/errata/RHSA-2023:7697
This issue has been addressed in the following products: Red Hat build of Quarkus 2.13.9 Via RHSA-2023:7700 https://access.redhat.com/errata/RHSA-2023:7700
This issue has been addressed in the following products: Red Hat Integration Via RHSA-2023:7705 https://access.redhat.com/errata/RHSA-2023:7705
This issue has been addressed in the following products: RHINT Camel-K 1.10.5 Via RHSA-2024:0148 https://access.redhat.com/errata/RHSA-2024:0148
Marking EAP-8 as not affected because EAP 8 GA was released with the fixed version of netty.