Lucene search
HistoryApr 02, 2024 - 8:15 a.m.
CVE-2024-1300
eclipse vert.x
memory leak
tcp servers
tls
sni
vulnerability
memory exhaustion
attackers
jvm
out-of-memory error
nvd
5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
6.1 Medium
AI Score
Confidence
Low
0.0004 Low
EPSS
Percentile
12.8%
A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error.
CNA Affected
[
{
"vendor": "Red Hat",
"product": "CEQ 3.2",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "unaffected",
"packageName": "vertx-core",
"cpes": [
"cpe:/a:redhat:camel_quarkus:3"
]
},
{
"vendor": "Red Hat",
"product": "Cryostat 2 on RHEL 8",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"packageName": "cryostat-tech-preview/cryostat-grafana-dashboard-rhel8",
"defaultStatus": "affected",
"versions": [
{
"version": "2.4.0-7",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:cryostat:2::el8"
]
},
{
"vendor": "Red Hat",
"product": "Cryostat 2 on RHEL 8",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"packageName": "cryostat-tech-preview/cryostat-operator-bundle",
"defaultStatus": "affected",
"versions": [
{
"version": "2.4.0-4",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:cryostat:2::el8"
]
},
{
"vendor": "Red Hat",
"product": "Cryostat 2 on RHEL 8",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"packageName": "cryostat-tech-preview/cryostat-reports-rhel8",
"defaultStatus": "affected",
"versions": [
{
"version": "2.4.0-4",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:cryostat:2::el8"
]
},
{
"vendor": "Red Hat",
"product": "Cryostat 2 on RHEL 8",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"packageName": "cryostat-tech-preview/cryostat-rhel8",
"defaultStatus": "affected",
"versions": [
{
"version": "2.4.0-4",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:cryostat:2::el8"
]
},
{
"vendor": "Red Hat",
"product": "Cryostat 2 on RHEL 8",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"packageName": "cryostat-tech-preview/cryostat-rhel8-operator",
"defaultStatus": "affected",
"versions": [
{
"version": "2.4.0-9",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:cryostat:2::el8"
]
},
{
"vendor": "Red Hat",
"product": "Cryostat 2 on RHEL 8",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"packageName": "cryostat-tech-preview/jfr-datasource-rhel8",
"defaultStatus": "affected",
"versions": [
{
"version": "2.4.0-4",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:cryostat:2::el8"
]
},
{
"vendor": "Red Hat",
"product": "Migration Toolkit for Runtimes 1 on RHEL 8",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"packageName": "mtr/mtr-operator-bundle",
"defaultStatus": "affected",
"versions": [
{
"version": "1.2-18",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8"
]
},
{
"vendor": "Red Hat",
"product": "Migration Toolkit for Runtimes 1 on RHEL 8",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"packageName": "mtr/mtr-rhel8-operator",
"defaultStatus": "affected",
"versions": [
{
"version": "1.2-11",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8"
]
},
{
"vendor": "Red Hat",
"product": "Migration Toolkit for Runtimes 1 on RHEL 8",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"packageName": "mtr/mtr-web-container-rhel8",
"defaultStatus": "affected",
"versions": [
{
"version": "1.2-12",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8"
]
},
{
"vendor": "Red Hat",
"product": "Migration Toolkit for Runtimes 1 on RHEL 8",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"packageName": "mtr/mtr-web-executor-container-rhel8",
"defaultStatus": "affected",
"versions": [
{
"version": "1.2-10",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat AMQ Streams 2.7.0",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "unaffected",
"packageName": "vertx-core",
"cpes": [
"cpe:/a:redhat:amq_streams:2"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat build of Quarkus 3.2.11.Final",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "io.vertx/vertx-core",
"defaultStatus": "affected",
"versions": [
{
"version": "4.4.8.redhat-00001",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:quarkus:3.2::el8"
]
},
{
"vendor": "Red Hat",
"product": "RHINT Service Registry 2.5.11 GA",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "unaffected",
"packageName": "vertx-core",
"cpes": [
"cpe:/a:redhat:service_registry:2.5"
]
},
{
"vendor": "Red Hat",
"product": "A-MQ Clients 2",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "vertx-core",
"defaultStatus": "unknown",
"cpes": [
"cpe:/a:redhat:a_mq_clients:2"
]
},
{
"vendor": "Red Hat",
"product": "Migration Toolkit for Applications 6",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "vertx-core",
"defaultStatus": "affected",
"cpes": [
"cpe:/a:redhat:migration_toolkit_applications:6"
]
},
{
"vendor": "Red Hat",
"product": "OpenShift Serverless",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "vertx-core",
"defaultStatus": "unknown",
"cpes": [
"cpe:/a:redhat:serverless:1"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat build of Apache Camel 4.0 for Spring Boot",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "vertx-core",
"defaultStatus": "unknown",
"cpes": [
"cpe:/a:redhat:camel_spring_boot:4"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat build of Apache Camel for Spring Boot",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "vertx-core",
"defaultStatus": "unknown",
"cpes": [
"cpe:/a:redhat:camel_spring_boot:3"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Build of Keycloak",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "vertx-core",
"defaultStatus": "unknown",
"cpes": [
"cpe:/a:redhat:build_keycloak:22"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat build of OptaPlanner 8",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "vertx-core",
"defaultStatus": "unknown",
"cpes": [
"cpe:/a:redhat:optaplanner:::el6"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat build of Quarkus",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "io.vertx/vertx-core",
"defaultStatus": "affected",
"cpes": [
"cpe:/a:redhat:quarkus:2"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Data Grid 8",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "vertx-core",
"defaultStatus": "unknown",
"cpes": [
"cpe:/a:redhat:jboss_data_grid:8"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Integration Camel K",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "vertx-core",
"defaultStatus": "unknown",
"cpes": [
"cpe:/a:redhat:integration:1"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Integration Camel Quarkus",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "vertx-core",
"defaultStatus": "unknown",
"cpes": [
"cpe:/a:redhat:camel_quarkus:2"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat JBoss A-MQ 7",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"packageName": "vertx-core",
"defaultStatus": "unknown",
"cpes": [
"cpe:/a:redhat:amq_broker:7"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat JBoss Data Grid 7",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"packageName": "vertx-core",
"defaultStatus": "unknown",
"cpes": [
"cpe:/a:redhat:jboss_data_grid:7"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat JBoss Enterprise Application Platform 7",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"packageName": "vertx-core",
"defaultStatus": "unaffected",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat JBoss Enterprise Application Platform 8",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"packageName": "vertx-core",
"defaultStatus": "unaffected",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:8"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"packageName": "vertx-core",
"defaultStatus": "unknown",
"cpes": [
"cpe:/a:redhat:jbosseapxp"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat JBoss Fuse 7",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"packageName": "vertx-core",
"defaultStatus": "unaffected",
"cpes": [
"cpe:/a:redhat:jboss_fuse:7"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Process Automation 7",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "vertx-core",
"defaultStatus": "unknown",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
]
}
]References
access.redhat.com/errata/RHSA-2024:1662
access.redhat.com/errata/RHSA-2024:1706
access.redhat.com/errata/RHSA-2024:1923
access.redhat.com/errata/RHSA-2024:2088
access.redhat.com/errata/RHSA-2024:2833
access.redhat.com/errata/RHSA-2024:3527
access.redhat.com/security/cve/CVE-2024-1300
bugzilla.redhat.com/show_bug.cgi?id=2263139
vertx.io/docs/vertx-core/java/#_server_name_indication_sni.
Related
redhatcve
redhatcve
CVE-2024-1300
2024-02-07 07:29:55
veracode
veracode
Memory Leak
2024-04-03 05:50:04
github
github
Eclipse Vert.x vulnerable to a memory leak in TCP servers
2024-04-02 09:30:42
osv
osv
Eclipse Vert.x vulnerable to a memory leak in TCP servers
2024-04-02 09:30:42
nvd
nvd
CVE-2024-1300
2024-04-02 08:15:53
cvelist
cvelist
ibm
ibm
Security Bulletin:IBM Asset Data Dictionary Component uses vertx-core-4.5.0.jar which is vulnerable to CVE-2024-1023 and CVE-2024-1300.
2024-05-02 11:00:04
5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
6.1 Medium
AI Score
Confidence
Low
0.0004 Low
EPSS
Percentile
12.8%
Related for CVE-2024-1300