Security Bulletin: IBM Event Streams is vulnerable to a denial of service attack due to the Eclipse Vert.x component (CVE-2024-1023,CVE-2024-1300).

Summary

IBM Event Streams is vulnerable to a denial of service attack due to the Vert.x component.It is a toolkit for writing reactive, non-blocking, asynchronous applications that run on the JVM (Java Virtual Machine) and it provides a non-prescriptive and flexible way to write efficient, multi-language (polyglot) applications.

Vulnerability Details

CVEID:CVE-2024-1023
**DESCRIPTION:**Eclipse Vert.x is vulnerable to a denial of service, caused by a memory leak due to the use of Netty FastThreadLocal data structures. By persuading to open a specially crafted content, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/282748 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:CVE-2024-1300
**DESCRIPTION:**Eclipse Vert.x is vulnerable to a denial of service, caused by a memory leak when a TCP server is configured with TLS and SNI support. By sending a specially crafted TLS client hello message, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/282749 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading

Upgrade to IBM Event Streams 11.4.0 by following the upgrading and migrating documentation.

Workarounds and Mitigations

None