Description
Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a specially crafted packet is received via SslHandler, the handler does not correctly validate such a packet in all cases, which can lead to a native crash. Version 4.1.118.Final contains a patch. As a workaround, it is possible either to disable the use of the native SSLEngine or to change the code manually.
A flaw was found in Netty's SslHandler. This vulnerability allows a native crash via a specially crafted packet that bypasses proper validation.
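The workaround named above (disable the native SSLEngine) amounts to pinning Netty's SSL provider to the JDK engine instead of the netty-tcnative one. The following is an added example, not code from the advisory or from the Netty project; the certificate and key paths are hypothetical, and the public Netty 4.1 API calls used (`SslContextBuilder`, `SslProvider`, `OpenSsl`) are assumed to be on the classpath.

```java
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;

import java.io.File;
import javax.net.ssl.SSLException;

/** Builds a server SslContext that avoids the native (OpenSSL/BoringSSL) engine. */
public final class JdkOnlySsl {

    // Hypothetical certificate/key paths; replace with the deployment's own files.
    private static final File CERT_CHAIN = new File("/etc/app/tls/server.crt");
    private static final File PRIVATE_KEY = new File("/etc/app/tls/server.key");

    /** Reports whether Netty would pick the native engine by default on this JVM. */
    public static boolean nativeEngineIsDefault() {
        // defaultServerProvider() returns OPENSSL when netty-tcnative is present and usable.
        return OpenSsl.isAvailable()
                && SslContext.defaultServerProvider() == SslProvider.OPENSSL;
    }

    /** Pins the provider to the JDK SSLEngine so the native code path is never used. */
    public static SslContext buildJdkServerContext() throws SSLException {
        return SslContextBuilder.forServer(CERT_CHAIN, PRIVATE_KEY)
                .sslProvider(SslProvider.JDK)
                .build();
    }

    public static void main(String[] args) throws Exception {
        if (nativeEngineIsDefault()) {
            // Log the native library version so the pin can be lifted after upgrading.
            System.out.println("netty-tcnative detected (" + OpenSsl.versionString()
                    + "); pinning SslProvider.JDK until 4.1.118.Final or later is deployed");
        }
        SslContext ctx = buildJdkServerContext();
        System.out.println("SslContext built with JDK provider, isServer=" + ctx.isServer());
    }
}
```

The same pin applies to client contexts via `SslContextBuilder.forClient().sslProvider(SslProvider.JDK)`; the JDK engine is slower but is not on the affected native code path.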
Report
This vulnerability in Netty's SslHandler is of important severity rather than moderate because it directly impacts the stability and reliability of applications using the native SSLEngine. By sending a specially crafted packet, an attacker can trigger a native crash, leading to complete process termination. Unlike typical moderate vulnerabilities that might cause limited disruption or require specific conditions, this flaw can be exploited remotely to induce a Denial of Service (DoS), affecting high-availability systems and mission-critical services.
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria, comprising ease of use and deployment, applicability to a widespread installation base, or stability.
Affected packages
Platform | Package | State | Recommendation | Release
---|---|---|---|---
AMQ Clients | io.netty/netty-handler | Affected | |
A-MQ Clients 2 | io.netty/netty-handler | Affected | |
Cryostat 3 | io.netty/netty-handler | Affected | |
Logging Subsystem for Red Hat OpenShift | openshift-logging/elasticsearch6-rhel8 | Affected | |
OpenShift Serverless | io.netty/netty-handler | Affected | |
Red Hat AMQ Broker 7 | io.netty/netty-handler | Affected | |
Red Hat build of Apicurio Registry 2 | io.netty/netty-handler | Affected | |
Red Hat build of Apicurio Registry 3 | io.netty/netty-handler | Affected | |
Red Hat build of Debezium 2 | io.netty/netty-handler | Will not fix | |
Red Hat build of OptaPlanner 8 | io.netty/netty-handler | Affected | |
Additional information
EPSS
CVSS3: 7.5 High
Related vulnerabilities
SslHandler doesn't correctly validate packets which can lead to native crash when using native SSLEngine
Vulnerability in the Netty networking software related to improper input validation, allowing an attacker to cause a denial of service