Description
In Eclipse Vert.x versions 4.3.0 to 4.5.9, the gRPC server does not limit the maximum length of the message payload (Maven GAV: io.vertx:vertx-grpc-server and io.vertx:vertx-grpc-client).
This is fixed in version 4.5.10.
Note that this does not affect the Vert.x gRPC server based on the grpc-java and Netty libraries (Maven GAV: io.vertx:vertx-grpc).
A flaw was found in the gRPC server in Eclipse Vert.x, which does not limit the maximum length of the message payload. This may lead to excessive memory consumption in a server or a client, causing a denial of service.
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Affected packages
| Platform | Package | Status | Advisory | Release |
|---|---|---|---|---|
| OpenShift Serverless | io.vertx/vertx-grpc-server | Affected | | |
| Red Hat build of Quarkus | io.vertx/vertx-grpc-server | Under investigation | | |
| Red Hat JBoss Enterprise Application Platform 8 | io.vertx/vertx-grpc-client | Will not fix | | |
| Red Hat JBoss Enterprise Application Platform 8 | io.vertx/vertx-grpc-server | Will not fix | | |
| Red Hat JBoss Enterprise Application Platform Expansion Pack | io.vertx/vertx-grpc | Affected | | |
| Red Hat build of Apache Camel 4 for Quarkus 3 | io.vertx/vertx-grpc-client | Fixed | RHSA-2024:7052 | 24.09.2024 |
| Red Hat build of Apache Camel 4 for Quarkus 3 | io.vertx/vertx-grpc-server | Fixed | RHSA-2024:7052 | 24.09.2024 |
| Red Hat build of Quarkus 3.8.6.redhat | io.vertx/vertx-grpc-client | Fixed | RHSA-2024:6437 | 23.09.2024 |
| Red Hat build of Quarkus 3.8.6.redhat | io.vertx/vertx-grpc-server | Fixed | RHSA-2024:6437 | 23.09.2024 |
| Red Hat JBoss EAP XP 5.0 Update 1.0 | io.vertx/vertx-grpc | Fixed | RHSA-2025:0542 | 21.01.2025 |
Additional information
CVSS3: 7.5 High
Related vulnerabilities
Vertx gRPC server does not limit the maximum message size
CVSS3: 7.5 High