Описание
A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error.
Отчет
This affects only TLS servers with SNI enabled.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| A-MQ Clients 2 | vertx-core | Not affected | ||
| OpenShift Serverless | vertx-core | Not affected | ||
| Red Hat AMQ Broker 7 | vertx-core | Not affected | ||
| Red Hat build of Apache Camel for Spring Boot 3 | vertx-core | Will not fix | ||
| Red Hat Build of Keycloak | vertx-core | Affected | ||
| Red Hat build of OptaPlanner 8 | vertx-core | Will not fix | ||
| Red Hat build of Quarkus | io.vertx/vertx-core | Will not fix | ||
| Red Hat Data Grid 8 | vertx-core | Not affected | ||
| Red Hat Fuse 7 | vertx-core | Not affected | ||
| Red Hat Integration Camel K 1 | vertx-core | Will not fix |
Показывать по
Дополнительная информация
Статус:
EPSS
5.4 Medium
CVSS3
Связанные уязвимости
A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error.
Eclipse Vert.x vulnerable to a memory leak in TCP servers
Уязвимость набора инструментов Eclipse Vert.x, связанная с утечкой памяти, позволяющая нарушителю раскрыть защищаемую информацию или вызвать отказ в обслуживании
EPSS
5.4 Medium
CVSS3