Bug 2263139 (CVE-2024-1300) - CVE-2024-1300 io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support
Summary: CVE-2024-1300 io.vertx:vertx-core: memory leak when a TCP server is configure...
Keywords:
Status: NEW
Alias: CVE-2024-1300
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2263142
TreeView+ depends on / blocked
 
Reported: 2024-02-07 07:18 UTC by TEJ RATHI
Modified: 2024-05-14 09:08 UTC (History)
92 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:1662 0 None None None 2024-04-03 10:53:12 UTC
Red Hat Product Errata RHSA-2024:1923 0 None None None 2024-04-18 11:43:26 UTC
Red Hat Product Errata RHSA-2024:2088 0 None None None 2024-04-29 02:26:55 UTC
Red Hat Product Errata RHSA-2024:2833 0 None None None 2024-05-14 09:08:16 UTC

Description TEJ RATHI 2024-02-07 07:18:17 UTC
Since Vert.x 4.3.4 that leads to a memory leak when a TCP server is configured with TLS and SNI support: when such
server processes an unknown SNI server name, that is a server name that would be assigned the default certificate instead of a server name mapped certificate, the SSL context will be cached in the server name map. This map should only contain server names for which the configuration provides a valid certificate. As a consequence, this can be exploited by client sending TLS client hello message with the server name extension indicating spurious server names and eventually trigger a JVM out of memory error. 

This affects only TLS servers with SNI enabled
https://vertx.io/docs/vertx-core/java/#_server_name_indication_sni.

It affects the maven artifact io.vertx:vertx-core versions
4.3.4,4.3.5,4.3.6,4.3.7,4.3.8,4.4.0,4.4.1,4.4.2,4.4.3,4.4.4,4.4.5,4.4.6,4.4.7,4.5.0,4.5.1,4.5.2

https://github.com/eclipse-vertx/vert.x/pull/5101 [Master]
https://github.com/eclipse-vertx/vert.x/pull/5100 [4.x]
https://github.com/eclipse-vertx/vert.x/pull/5099 [4.3]

Comment 9 errata-xmlrpc 2024-04-03 10:53:09 UTC
This issue has been addressed in the following products:

  Red Hat build of Quarkus 3.2.11

Via RHSA-2024:1662 https://access.redhat.com/errata/RHSA-2024:1662

Comment 11 errata-xmlrpc 2024-04-18 11:43:21 UTC
This issue has been addressed in the following products:

  Migration Toolkit for Runtimes 1 on RHEL 8

Via RHSA-2024:1923 https://access.redhat.com/errata/RHSA-2024:1923

Comment 12 errata-xmlrpc 2024-04-29 02:26:52 UTC
This issue has been addressed in the following products:

  Cryostat 2 on RHEL 8

Via RHSA-2024:2088 https://access.redhat.com/errata/RHSA-2024:2088

Comment 15 errata-xmlrpc 2024-05-14 09:08:12 UTC
This issue has been addressed in the following products:

  RHINT Service Registry 2.5.11 GA

Via RHSA-2024:2833 https://access.redhat.com/errata/RHSA-2024:2833


Note You need to log in before you can comment on or make changes to this bug.