Starting with Vert.x 4.3.4, a TCP server configured with TLS and SNI support leaks memory: when such a server processes an unknown SNI server name (that is, a server name that would be served the default certificate rather than a certificate mapped to that name), the SSL context is nonetheless cached in the server name map. This map should only contain server names for which the configuration provides a valid certificate. As a consequence, a client can exploit the flaw by sending TLS ClientHello messages whose server_name extension carries spurious server names; each unknown name adds an entry, the map grows without bound, and the JVM eventually fails with an out-of-memory error. Only TLS servers with SNI enabled are affected (https://vertx.io/docs/vertx-core/java/#_server_name_indication_sni).

Affected Maven artifact: io.vertx:vertx-core versions 4.3.4, 4.3.5, 4.3.6, 4.3.7, 4.3.8, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.4.6, 4.4.7, 4.5.0, 4.5.1, 4.5.2.

Fixes:
https://github.com/eclipse-vertx/vert.x/pull/5101 [Master]
https://github.com/eclipse-vertx/vert.x/pull/5100 [4.x]
https://github.com/eclipse-vertx/vert.x/pull/5099 [4.3]
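To make the failure mode concrete, the following is an added, simplified model of the server-name map described above. It is not Vert.x code: the class, the string "contexts" standing in for SSLContext objects, and the hostnames are constructed for illustration. It contrasts a cache that memoises lookups for unknown names (the affected behaviour) with one that only ever stores names backed by a configured certificate (the intended behaviour), and shows how the map size diverges under a stream of bogus SNI names.

```python
"""Model of an SNI server-name -> context cache (constructed illustration, not Vert.x)."""


class SniContextCache:
    """Maps SNI server names to per-name contexts, falling back to a default.

    cache_unknown_names=True models the affected behaviour: a lookup for a name
    that has no certificate of its own stores the default context under that
    attacker-chosen name, so the map grows with every distinct bogus name.
    cache_unknown_names=False models the intended behaviour: only names for
    which the configuration provides a certificate ever enter the map.
    """

    def __init__(self, configured_names, cache_unknown_names):
        # One hypothetical context per configured certificate, plus a default one.
        self._configured = {name: f"ctx({name})" for name in configured_names}
        self._default = "ctx(default)"
        self._cache = {}
        self._cache_unknown_names = cache_unknown_names

    def lookup(self, server_name):
        """Resolve the context for an SNI name, as the server would on ClientHello."""
        if server_name in self._cache:
            return self._cache[server_name]
        ctx = self._configured.get(server_name)
        if ctx is not None:
            # Legitimate: this name has its own certificate, caching it is bounded
            # by the size of the configuration.
            self._cache[server_name] = ctx
            return ctx
        if self._cache_unknown_names:
            # The defect: the miss is memoised under a name the client chose.
            self._cache[server_name] = self._default
        return self._default

    def cached_names(self):
        return len(self._cache)


def spurious_server_names(count):
    """Constructed attacker input: distinct SNI names that are never configured."""
    return [f"spurious-{i}.example.invalid" for i in range(count)]


def simulate(cache_unknown_names, probes=10_000):
    """Return the map size after `probes` ClientHellos carrying bogus SNI names."""
    cache = SniContextCache(["api.example.com", "www.example.com"], cache_unknown_names)
    # A real client for a configured name gets that name's context, which is cached.
    assert cache.lookup("api.example.com") == "ctx(api.example.com)"
    # Every spurious name is served the default context either way; the
    # difference is whether the server remembers the name afterwards.
    for name in spurious_server_names(probes):
        assert cache.lookup(name) == "ctx(default)"
    return cache.cached_names()


if __name__ == "__main__":
    print("affected behaviour, entries:", simulate(cache_unknown_names=True))   # 10001
    print("intended behaviour, entries:", simulate(cache_unknown_names=False))  # 1
```

The bounded variant is the invariant the advisory states: the map never holds a name the configuration did not provide a certificate for, so its size is fixed by the deployment rather than by the client. Any cache keyed on attacker-controlled input needs the same property, or an explicit size bound.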
This issue has been addressed in the following products:
Red Hat build of Quarkus 3.2.11, via RHSA-2024:1662 (https://access.redhat.com/errata/RHSA-2024:1662)
Migration Toolkit for Runtimes 1 on RHEL 8, via RHSA-2024:1923 (https://access.redhat.com/errata/RHSA-2024:1923)
Cryostat 2 on RHEL 8, via RHSA-2024:2088 (https://access.redhat.com/errata/RHSA-2024:2088)