It was discovered that when handling specially crafted SSL packets, the SslHandler implementation in Netty entered an infinite loop. An unauthenticated remote attacker could use this flaw to trigger a denial of service by CPU exhaustion.
Affects: 3.9.0, 3.9.1
Netty versions as shipped by Red Hat products are not affected by this flaw.
Here is the issue and the fix:
Netty 3.9.2.Final was released with the fix included.
Red Hat would like to thank Laurentiu Luca for reporting this issue.
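To check whether a deployed jar or war still bundles one of the affected versions (3.9.0, 3.9.1), the following added example, which is not part of the original advisory or of Netty, scans an archive and any jars nested inside it. It assumes Netty 3.x jars carry the Maven descriptor at `META-INF/maven/io.netty/netty/pom.properties` and falls back to the `netty-<version>` file name when that descriptor is missing or the archive is unreadable; the function names are illustrative.

```python
import io
import re
import sys
import zipfile

AFFECTED = {(3, 9, 0), (3, 9, 1)}  # versions listed in the advisory; 3.9.2.Final has the fix
POM_PROPS = "META-INF/maven/io.netty/netty/pom.properties"  # assumed descriptor path
NAME_RE = re.compile(r"(?:^|/)netty-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$")
MAX_DEPTH = 3  # bound recursion into nested archives


def _version(text):
    """Parse '3.9.1.Final' into (3, 9, 1); return None if it does not look like a version."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    return tuple(map(int, m.groups())) if m else None


def find_netty(archive, label, depth=0):
    """Return [(location, (major, minor, patch))] for Netty 3.x copies in a jar/war."""
    hits = []
    try:
        with zipfile.ZipFile(archive) as zf:
            for name in zf.namelist():
                if name == POM_PROPS:
                    props = zf.read(name).decode("utf-8", "replace")
                    for line in props.splitlines():
                        if line.startswith("version=") and _version(line[8:]):
                            hits.append((label, _version(line[8:])))
                elif name.endswith(".jar") and depth < MAX_DEPTH:
                    nested = io.BytesIO(zf.read(name))
                    hits.extend(find_netty(nested, f"{label}!/{name}", depth + 1))
    except zipfile.BadZipFile:
        pass  # unreadable archive: fall through to the file-name check
    m = NAME_RE.search(label.replace("\\", "/"))
    if not hits and m:
        hits.append((label, tuple(map(int, m.groups()))))
    return hits


def affected(hits):
    """Keep only the copies whose version the advisory lists as affected."""
    return [(loc, ver) for loc, ver in hits if ver in AFFECTED]


if __name__ == "__main__":
    bad = [h for path in sys.argv[1:] for h in affected(find_netty(path, path))]
    for loc, ver in bad:
        print(f"AFFECTED netty {'.'.join(map(str, ver))}: {loc}")
    sys.exit(1 if bad else 0)
```

Run it with one or more archive paths as arguments; a non-zero exit status means at least one bundled copy needs upgrading to 3.9.2.Final or later.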