Bug 2260840 (CVE-2024-1023) - CVE-2024-1023 io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx
Keywords:
Status: NEW
Alias: CVE-2024-1023
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2260857
Reported: 2024-01-29 11:01 UTC by TEJ RATHI
Modified: 2024-04-30 23:00 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability in the Eclipse Vert.x toolkit results in a memory leak due to the use of Netty FastThreadLocal data structures. Specifically, the leak progresses each time the Vert.x HTTP client establishes a connection to a different host. The leak can be accelerated with intimate runtime knowledge, allowing an attacker to exploit this vulnerability. For instance, a server that accepts arbitrary internet addresses and connects to them could serve as an attack vector, since feeding it addresses accelerates the memory leak.
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:1662 0 None None None 2024-04-03 10:53:13 UTC
Red Hat Product Errata RHSA-2024:2088 0 None None None 2024-04-29 02:26:54 UTC

Description TEJ RATHI 2024-01-29 11:01:27 UTC
There is a regression in Vert.x 4.4 branch that leads to a memory leak due to the use of Netty FastThreadLocal data structures.

As a consequence, when the Vert.x HTTP client connects to a different host, it makes the leak progress further; there might be other cases leading to the same effect, but exhibiting one seems enough to demonstrate the feasibility.

Thus, this can be exploited with intimate knowledge of the runtime to accelerate the memory leak, e.g. a server that accepts arbitrary internet addresses to which it will connect could be fed addresses as an attack vector.

This affects the Maven artifact io.vertx:vertx-core versions 4.4.5, 4.4.6, 4.5.0, 4.5.1.

https://github.com/eclipse-vertx/vert.x/issues/5078
https://github.com/eclipse-vertx/vert.x/pull/5082
https://github.com/eclipse-vertx/vert.x/pull/5080
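A practical first check for this bug is whether a build actually pulls in one of the four io.vertx:vertx-core versions listed above. The following script is an added example, not code from the bug report or from the Vert.x project: it parses the output of `mvn dependency:tree` (the standard `group:artifact:packaging[:classifier]:version:scope` coordinate format, with the tree-drawing prefix stripped) and flags occurrences of vertx-core whose version is in the affected set. The dependency-tree text below is constructed for the example. Only the versions named on this page are flagged; a vertx-core version outside that list is simply not assessed by this check, so it reports nothing about it.

```python
"""Flag io.vertx:vertx-core versions listed for CVE-2024-1023 in `mvn dependency:tree` output.

Added example; the affected-version set comes from the bug report above.
"""

# Affected versions exactly as stated in the bug report.
AFFECTED_VERSIONS = {"4.4.5", "4.4.6", "4.5.0", "4.5.1"}

# Constructed sample of `mvn dependency:tree` output (not taken from a real build).
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.6.1:tree (default-cli) @ demo-app ---
[INFO] com.example:demo-app:jar:1.0.0
[INFO] +- io.vertx:vertx-core:jar:4.4.6:compile
[INFO] |  +- io.netty:netty-common:jar:4.1.100.Final:compile
[INFO] |  \\- io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.100.Final:compile
[INFO] \\- io.vertx:vertx-web:jar:4.4.6:compile
"""


def parse_dependency_tree(text):
    """Return (group, artifact, version, scope) tuples for every dependency line.

    A dependency coordinate is the first whitespace-separated token with at
    least four colons; this skips the plugin banner and the root project line
    (which has no scope) and ignores trailing notes such as
    "(version managed from ...)".
    """
    deps = []
    for line in text.splitlines():
        coords = next((tok for tok in line.split() if tok.count(":") >= 4), None)
        if coords is None:
            continue
        parts = coords.split(":")
        if len(parts) == 5:
            group, artifact, _packaging, version, scope = parts
        elif len(parts) == 6:
            # Native artifacts carry a classifier between packaging and version.
            group, artifact, _packaging, _classifier, version, scope = parts
        else:
            continue
        deps.append((group, artifact, version, scope))
    return deps


def find_affected(text, group="io.vertx", artifact="vertx-core",
                  affected=AFFECTED_VERSIONS):
    """Return [(version, scope), ...] for every matching artifact in an affected version."""
    return [
        (version, scope)
        for g, a, version, scope in parse_dependency_tree(text)
        if g == group and a == artifact and version in affected
    ]


if __name__ == "__main__":
    hits = find_affected(SAMPLE_TREE)
    if hits:
        for version, scope in hits:
            print(f"io.vertx:vertx-core {version} ({scope}) is listed as affected by CVE-2024-1023")
    else:
        print("no listed-affected io.vertx:vertx-core version found")
```

In a real build, pipe `mvn dependency:tree` into the script's stdin or read it from a file and pass the text to `find_affected`; the `scope` is kept in the result so that a `test`-scoped occurrence can be triaged separately from a `compile` one.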

Comment 7 errata-xmlrpc 2024-04-03 10:53:09 UTC
This issue has been addressed in the following products:

  Red Hat build of Quarkus 3.2.11

Via RHSA-2024:1662 https://access.redhat.com/errata/RHSA-2024:1662

Comment 8 errata-xmlrpc 2024-04-29 02:26:50 UTC
This issue has been addressed in the following products:

  Cryostat 2 on RHEL 8

Via RHSA-2024:2088 https://access.redhat.com/errata/RHSA-2024:2088

