Lucene search

GitHub Advisory DatabaseGHSA-9PH3-V2VH-3QX7

HistoryApr 02, 2024 - 9:30 a.m.

Eclipse Vert.x vulnerable to a memory leak in TCP servers

2024-04-0209:30:42

CWE-400

GitHub Advisory Database

github.com

eclipse vert.x

memory leak

tcp servers

tls

sni

vulnerability

jvm out-of-memory

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

6.9 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

13.1%

JSON

A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error.

Affected configurations

Vulners

Node

io.vertx\vertxMatchcore

CPENameOperatorVersion
io.vertx:vertx-corelt4.5.3
io.vertx:vertx-corelt4.4.8

CPE	Name	Operator	Version
	io.vertx:vertx-core	lt	4.5.3
	io.vertx:vertx-core	lt	4.4.8

References

access.redhat.com/errata/RHSA-2024:1662

access.redhat.com/errata/RHSA-2024:1706

access.redhat.com/errata/RHSA-2024:1923

access.redhat.com/errata/RHSA-2024:2088

access.redhat.com/errata/RHSA-2024:2833

access.redhat.com/errata/RHSA-2024:3527

access.redhat.com/errata/RHSA-2024:3989

access.redhat.com/security/cve/CVE-2024-1300

bugzilla.redhat.com/show_bug.cgi?id=2263139

github.com/advisories/GHSA-9ph3-v2vh-3qx7

github.com/eclipse-vertx/vert.x/commit/3d9235cadf44df39a70dc75bddfe0b8fcbd6a683

github.com/eclipse-vertx/vert.x/commit/7ad34ea9d78f85e26b231ee3ec8d492d10046479

github.com/eclipse-vertx/vert.x/pull/5099

github.com/eclipse-vertx/vert.x/pull/5100

github.com/eclipse-vertx/vert.x/pull/5101

nvd.nist.gov/vuln/detail/CVE-2024-1300

vertx.io/docs/vertx-core/java/#_server_name_indication_sni.

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

6.9 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

13.1%

JSON

Related for GHSA-9PH3-V2VH-3QX7