Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The SniHandler can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the SniHandler to allocate 16MB of heap. The SniHandler class is a handler that waits for the TLS handshake to configure a SslHandler according to the indicated server name by the ClientHello record. For this matter it allocates a ByteBuf using the value defined in the ClientHello record. Normally the value of the packet should be smaller than the handshake packet but there are not checks done here and the way the code is written, it is possible to craft a packet that makes the SslClientHelloHandler. This vulnerability has been fixed in version 4.1.94.Final.
Weakness
The product does not properly control the allocation and maintenance of a limited resource.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Netty | Netty | * | 4.1.94 (excluding) |
| AMQ Clients | RedHat | netty | * |
| Cryostat 2 on RHEL 8 | RedHat | cryostat-tech-preview/cryostat-grafana-dashboard-rhel8:2.4.0-2 | * |
| Cryostat 2 on RHEL 8 | RedHat | cryostat-tech-preview/cryostat-operator-bundle:2.4.0-2 | * |
| Cryostat 2 on RHEL 8 | RedHat | cryostat-tech-preview/cryostat-reports-rhel8:2.4.0-2 | * |
| Cryostat 2 on RHEL 8 | RedHat | cryostat-tech-preview/cryostat-rhel8:2.4.0-2 | * |
| Cryostat 2 on RHEL 8 | RedHat | cryostat-tech-preview/cryostat-rhel8-operator:2.4.0-3 | * |
| Cryostat 2 on RHEL 8 | RedHat | cryostat-tech-preview/jfr-datasource-rhel8:2.4.0-2 | * |
| Red Hat AMQ Broker 7 | RedHat | netty | * |
| Red Hat AMQ Streams 2.5.0 | RedHat | * | |
| Red Hat build of Quarkus 2.13.9.Final | RedHat | io.netty/netty-handler:4.1.100.Final-redhat-00001 | * |
| Red Hat Data Grid 8.4.4 | RedHat | netty | * |
| Red Hat JBoss Enterprise Application Platform 7 | RedHat | netty | * |
| Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 | RedHat | eap7-netty-0:4.1.94-1.Final_redhat_00001.1.el8eap | * |
| Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 | RedHat | eap7-netty-transport-native-epoll-0:4.1.94-1.Final_redhat_00001.1.el8eap | * |
| Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 | RedHat | eap7-netty-0:4.1.94-1.Final_redhat_00001.1.el9eap | * |
| Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 | RedHat | eap7-netty-transport-native-epoll-0:4.1.94-1.Final_redhat_00001.1.el9eap | * |
| Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 | RedHat | eap7-netty-0:4.1.94-1.Final_redhat_00001.1.el7eap | * |
| Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 | RedHat | eap7-netty-transport-native-epoll-0:4.1.94-1.Final_redhat_00001.1.el7eap | * |
| RHINT Camel-K 1.10.5 | RedHat | netty | * |
| RHINT Camel-Springboot 4.0.0 | RedHat | netty | * |
| RHINT Service Registry 2.5.4 GA | RedHat | netty | * |
| Netty | Ubuntu | bionic | * |
| Netty | Ubuntu | esm-apps/jammy | * |
| Netty | Ubuntu | esm-apps/noble | * |
| Netty | Ubuntu | jammy | * |
| Netty | Ubuntu | kinetic | * |
| Netty | Ubuntu | lunar | * |
| Netty | Ubuntu | mantic | * |
| Netty | Ubuntu | noble | * |
| Netty | Ubuntu | oracular | * |
| Netty | Ubuntu | plucky | * |
| Netty | Ubuntu | trusty | * |
| Netty | Ubuntu | xenial | * |
Potential Mitigations
Mitigation of resource exhaustion attacks requires that the target system either:
The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
The second solution is simply difficult to effectively institute – and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/147.html
- https://cwe.mitre.org/data/definitions/227.html
- https://cwe.mitre.org/data/definitions/492.html
References
- https://github.com/netty/netty/commit/535da17e45201ae4278c0479e6162bb4127d4c32
- https://github.com/netty/netty/security/advisories/GHSA-6mjq-h674-j845
- https://security.netapp.com/advisory/ntap-20230803-0001/
- https://security.netapp.com/advisory/ntap-20240621-0007/
- https://www.debian.org/security/2023/dsa-5558
- https://github.com/netty/netty/commit/535da17e45201ae4278c0479e6162bb4127d4c32
- https://github.com/netty/netty/security/advisories/GHSA-6mjq-h674-j845
- https://security.netapp.com/advisory/ntap-20230803-0001/
- https://security.netapp.com/advisory/ntap-20240621-0007/
- https://www.debian.org/security/2023/dsa-5558