CVE Vulnerabilities

CVE-2023-34462

Uncontrolled Resource Consumption

Published: Jun 22, 2023 | Modified: Nov 21, 2024
CVSS 3.x
6.5
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
6.5 MODERATE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Ubuntu
MEDIUM

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The SniHandler can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the SniHandler to allocate 16MB of heap. The SniHandler class is a handler that waits for the TLS handshake to configure a SslHandler according to the indicated server name by the ClientHello record. For this matter it allocates a ByteBuf using the value defined in the ClientHello record. Normally the value of the packet should be smaller than the handshake packet but there are not checks done here and the way the code is written, it is possible to craft a packet that makes the SslClientHelloHandler. This vulnerability has been fixed in version 4.1.94.Final.

Weakness

The product does not properly control the allocation and maintenance of a limited resource.

Affected Software

Name Vendor Start Version End Version
Netty Netty * 4.1.94 (excluding)
AMQ Clients RedHat netty *
Cryostat 2 on RHEL 8 RedHat cryostat-tech-preview/cryostat-grafana-dashboard-rhel8:2.4.0-2 *
Cryostat 2 on RHEL 8 RedHat cryostat-tech-preview/cryostat-operator-bundle:2.4.0-2 *
Cryostat 2 on RHEL 8 RedHat cryostat-tech-preview/cryostat-reports-rhel8:2.4.0-2 *
Cryostat 2 on RHEL 8 RedHat cryostat-tech-preview/cryostat-rhel8:2.4.0-2 *
Cryostat 2 on RHEL 8 RedHat cryostat-tech-preview/cryostat-rhel8-operator:2.4.0-3 *
Cryostat 2 on RHEL 8 RedHat cryostat-tech-preview/jfr-datasource-rhel8:2.4.0-2 *
EAP 7.4.13 RedHat netty *
Red Hat AMQ Broker 7 RedHat netty *
Red Hat AMQ Streams 2.5.0 RedHat *
Red Hat build of Quarkus 2.13.9.Final RedHat io.netty/netty-handler:4.1.100.Final-redhat-00001 *
Red Hat Data Grid 8.4.4 RedHat netty *
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 RedHat eap7-netty-0:4.1.94-1.Final_redhat_00001.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 RedHat eap7-netty-transport-native-epoll-0:4.1.94-1.Final_redhat_00001.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 RedHat eap7-netty-0:4.1.94-1.Final_redhat_00001.1.el9eap *
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 RedHat eap7-netty-transport-native-epoll-0:4.1.94-1.Final_redhat_00001.1.el9eap *
Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 RedHat eap7-netty-0:4.1.94-1.Final_redhat_00001.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 RedHat eap7-netty-transport-native-epoll-0:4.1.94-1.Final_redhat_00001.1.el7eap *
RHINT Camel-K 1.10.5 RedHat netty *
RHINT Camel-Springboot 4.0.0 RedHat netty *
RHINT Service Registry 2.5.4 GA RedHat netty *
Netty Ubuntu bionic *
Netty Ubuntu esm-apps/jammy *
Netty Ubuntu esm-apps/noble *
Netty Ubuntu jammy *
Netty Ubuntu kinetic *
Netty Ubuntu lunar *
Netty Ubuntu mantic *
Netty Ubuntu noble *
Netty Ubuntu oracular *
Netty Ubuntu trusty *
Netty Ubuntu xenial *

Potential Mitigations

  • Mitigation of resource exhaustion attacks requires that the target system either:

  • The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.

  • The second solution is simply difficult to effectively institute – and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.

References