
THREATINT
State: PUBLISHED

CVE-2024-1300

io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support



Assigner: redhat
Reserved: 2024-02-07
Published: 2024-04-02
Updated: 2024-08-20

Description

A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When a TLS ClientHello carries an SNI server name that has no mapped certificate, the server falls back to the default certificate but erroneously caches the resulting SSL context in the server-name map under that unknown name. Because the client chooses the name, each connection that presents a new, fake server name adds another entry to the map; a stream of such ClientHellos therefore exhausts the JVM heap and ends in an out-of-memory error, a denial of service.



CVSS v3.1 base score: 5.4 (MEDIUM)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

Problem types

Uncontrolled Resource Consumption

Product status

The product names did not survive extraction (only pointer-like placeholders remained), so the entries below are kept by version range only. "X before *" with status unaffected means versions from X onward are unaffected, i.e. X is the first fixed build for that product.

2.4.0-7 before *: unaffected
2.4.0-4 before *: unaffected (four products)
2.4.0-9 before *: unaffected
1.2-18 before *: unaffected
1.2-11 before *: unaffected
1.2-12 before *: unaffected
1.2-10 before *: unaffected
6.2.3-2 before *: unaffected
4.4.8.redhat-00001 before *: unaffected (Maven-style artifact version, consistent with the io.vertx:vertx-core component named in the title)

A further 21 entries recorded a default status only, with no version range.

Timeline

2024-02-07: Reported to Red Hat.
2024-02-06: Made public.

References

https://access.redhat.com/errata/RHSA-2024:1662 (RHSA-2024:1662) vendor-advisory

https://access.redhat.com/errata/RHSA-2024:1706 (RHSA-2024:1706) vendor-advisory

https://access.redhat.com/errata/RHSA-2024:1923 (RHSA-2024:1923) vendor-advisory

https://access.redhat.com/errata/RHSA-2024:2088 (RHSA-2024:2088) vendor-advisory

https://access.redhat.com/errata/RHSA-2024:2833 (RHSA-2024:2833) vendor-advisory

https://access.redhat.com/errata/RHSA-2024:3527 (RHSA-2024:3527) vendor-advisory

https://access.redhat.com/errata/RHSA-2024:3989 (RHSA-2024:3989) vendor-advisory

https://access.redhat.com/errata/RHSA-2024:4884 (RHSA-2024:4884) vendor-advisory

https://access.redhat.com/security/cve/CVE-2024-1300 vdb-entry

https://bugzilla.redhat.com/show_bug.cgi?id=2263139 (RHBZ#2263139) issue-tracking

https://vertx.io/docs/vertx-core/java/#_server_name_indication_sni. (Vert.x core documentation, Server Name Indication) documentation

cve.org CVE-2024-1300

nvd.nist.gov CVE-2024-1300

Page URL: https://cve.threatint.com/CVE/CVE-2024-1300