CVE-2024-1300
io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support
A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When a client presents an SNI server name that has no mapped certificate, the server answers with the default certificate, but the resulting SSL context is erroneously cached in the server-name map under that unknown name. Because the client chooses the name, every TLS ClientHello carrying a fresh, fake server name adds another entry that is never evicted, so a stream of such handshakes exhausts the heap and ends in a JVM OutOfMemoryError (denial of service).
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
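The caching logic described above, modeled as an added Python example (this is an illustration written for this page, not Eclipse Vert.x code): the vulnerable policy records every requested SNI name in the server-name map, while the corrected policy caches only names that have a mapped certificate and hands out one shared default context for everything else. The class and function names, the exact-match certificate lookup and the sample host names are all this example's own constructions.

```python
"""Model of the SNI context-cache defect behind CVE-2024-1300.

Added example: a simplified model of the caching logic the advisory
describes, not Eclipse Vert.x code. SniContextCache, SslContext and the
sample host names are this example's own constructions; certificate
lookup is exact-match only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SslContext:
    """Stand-in for a per-certificate SSL context (kilobytes each in a JVM)."""
    cert_name: str


class SniContextCache:
    """Server-name -> SSL context map consulted on every TLS ClientHello."""

    def __init__(self, mapped_certs: dict[str, str], default_cert: str,
                 cache_unknown_names: bool) -> None:
        self._mapped = dict(mapped_certs)             # SNI name -> certificate
        self._default_ctx = SslContext(default_cert)  # one shared fallback context
        self._cache: dict[str, SslContext] = {}
        # True reproduces the defect; False is the corrected behaviour.
        self._cache_unknown_names = cache_unknown_names

    def context_for(self, server_name: str) -> SslContext:
        """Return the context to use for the SNI name in a ClientHello."""
        ctx = self._cache.get(server_name)
        if ctx is not None:
            return ctx
        cert = self._mapped.get(server_name)
        if cert is None:
            # Unknown name: serve the default certificate.
            if self._cache_unknown_names:
                # Defect: the client-chosen name becomes a key in the map,
                # so every fresh fake name adds an entry that is never evicted.
                self._cache[server_name] = self._default_ctx
            return self._default_ctx
        ctx = SslContext(cert)
        self._cache[server_name] = ctx  # bounded by the configured names
        return ctx

    def is_default(self, ctx: SslContext) -> bool:
        """True when ctx is the shared fallback context."""
        return ctx is self._default_ctx

    def cached_names(self) -> int:
        return len(self._cache)


def fake_server_names(count: int) -> list[str]:
    """Constructed SNI names a client could put in successive ClientHellos."""
    return [f"h{i}.attacker.invalid" for i in range(count)]


def handshakes(cache: SniContextCache, names: list[str]) -> int:
    """Feed one ClientHello per name and return the map size afterwards."""
    for name in names:
        cache.context_for(name)
    return cache.cached_names()


def serves_default(cache: SniContextCache, server_name: str) -> bool:
    """True when the name falls back to the shared default context."""
    return cache.is_default(cache.context_for(server_name))


# Constructed certificate mapping for the demonstration.
MAPPED = {"api.example.com": "api-cert", "www.example.com": "www-cert"}


def compare(hello_count: int) -> tuple[int, int]:
    """Map sizes after hello_count fake names plus the two legitimate ones,
    as (vulnerable, fixed)."""
    names = fake_server_names(hello_count) + list(MAPPED)
    vulnerable = SniContextCache(MAPPED, "default-cert", cache_unknown_names=True)
    fixed = SniContextCache(MAPPED, "default-cert", cache_unknown_names=False)
    return handshakes(vulnerable, names), handshakes(fixed, names)


if __name__ == "__main__":
    vuln, ok = compare(100_000)
    print(f"vulnerable map entries: {vuln}, fixed map entries: {ok}")
```

With `cache_unknown_names=True` the map grows by one entry per distinct fake name, which is the unbounded growth that ends in an OutOfMemoryError on a real server; with it off the map is bounded by the configured certificate set, and unknown names still get the default certificate. To confirm that a deployed server falls back to its default certificate for unknown names, `openssl s_client -servername nonexistent.invalid -connect host:443` shows which certificate is presented; the remedy for the leak itself is a patched vertx-core build (see the errata listed below).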
Affected products
io.vertx:vertx-core
Red Hat · A-MQ Clients 2
Red Hat · CEQ 3.2
Red Hat · Cryostat 2 on RHEL 8
Red Hat · Migration Toolkit for Runtimes 1 on RHEL 8
Red Hat · MTA-6.2-RHEL-9
Red Hat · OpenShift Serverless
Red Hat · Red Hat AMQ Broker 7
Red Hat · Red Hat AMQ Streams 2.7.0
Red Hat · Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2
Red Hat · Red Hat build of Apache Camel for Spring Boot 3
Red Hat · Red Hat Build of Keycloak
Red Hat · Red Hat build of OptaPlanner 8
Red Hat · Red Hat build of Quarkus
Red Hat · Red Hat build of Quarkus 3.2.11.Final
Red Hat · Red Hat Data Grid 8
Red Hat · Red Hat Fuse 7
Red Hat · Red Hat Integration Camel K 1
Red Hat · Red Hat Integration Camel Quarkus 2
Red Hat · Red Hat JBoss Data Grid 7
Red Hat · Red Hat JBoss Enterprise Application Platform 7
Red Hat · Red Hat JBoss Enterprise Application Platform 8
Red Hat · Red Hat JBoss Enterprise Application Platform Expansion Pack
Red Hat · Red Hat Process Automation 7
Red Hat · RHINT Service Registry 2.5.11 GA
References
https://access.redhat.com/errata/RHSA-2024:1662
https://access.redhat.com/errata/RHSA-2024:1706
https://access.redhat.com/errata/RHSA-2024:1923
https://access.redhat.com/errata/RHSA-2024:2088
https://access.redhat.com/errata/RHSA-2024:2833
https://access.redhat.com/errata/RHSA-2024:3527
https://access.redhat.com/errata/RHSA-2024:3989
https://access.redhat.com/errata/RHSA-2024:4884
https://access.redhat.com/security/cve/CVE-2024-1300
https://bugzilla.redhat.com/show_bug.cgi?id=2263139
https://vertx.io/docs/vertx-core/java/#_server_name_indication_sni