{ "threat_severity" : "Moderate", "public_date" : "2024-02-06T00:00:00Z", "bugzilla" : { "description" : "io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support", "id" : "2263139", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2263139" }, "cvss3" : { "cvss3_base_score" : "5.4", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L", "status" : "verified" }, "cwe" : "CWE-772", "details" : [ "A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error.", "A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error." ], "statement" : "This affects only TLS servers with SNI enabled.", "affected_release" : [ { "product_name" : "CEQ 3.2", "release_date" : "2024-04-09T00:00:00Z", "advisory" : "RHSA-2024:1706", "cpe" : "cpe:/a:redhat:camel_quarkus:3", "package" : "vertx-core" }, { "product_name" : "Cryostat 2 on RHEL 8", "release_date" : "2024-04-29T00:00:00Z", "advisory" : "RHSA-2024:2088", "cpe" : "cpe:/a:redhat:cryostat:2::el8", "package" : "cryostat-tech-preview/cryostat-grafana-dashboard-rhel8:2.4.0-7" }, { "product_name" : "Cryostat 2 on RHEL 8", "release_date" : "2024-04-29T00:00:00Z", "advisory" : "RHSA-2024:2088", "cpe" : "cpe:/a:redhat:cryostat:2::el8", "package" : "cryostat-tech-preview/cryostat-operator-bundle:2.4.0-4" }, { "product_name" : "Cryostat 2 on RHEL 8", "release_date" : "2024-04-29T00:00:00Z", "advisory" : "RHSA-2024:2088", "cpe" : "cpe:/a:redhat:cryostat:2::el8", "package" : "cryostat-tech-preview/cryostat-reports-rhel8:2.4.0-4" }, { "product_name" : "Cryostat 2 on RHEL 8", "release_date" : "2024-04-29T00:00:00Z", "advisory" : "RHSA-2024:2088", "cpe" : "cpe:/a:redhat:cryostat:2::el8", "package" : "cryostat-tech-preview/cryostat-rhel8:2.4.0-4" }, { "product_name" : "Cryostat 2 on RHEL 8", "release_date" : "2024-04-29T00:00:00Z", "advisory" : "RHSA-2024:2088", "cpe" : "cpe:/a:redhat:cryostat:2::el8", "package" : "cryostat-tech-preview/cryostat-rhel8-operator:2.4.0-9" }, { "product_name" : "Cryostat 2 on RHEL 8", "release_date" : "2024-04-29T00:00:00Z", "advisory" : "RHSA-2024:2088", "cpe" : "cpe:/a:redhat:cryostat:2::el8", "package" : "cryostat-tech-preview/jfr-datasource-rhel8:2.4.0-4" }, { "product_name" : "Migration Toolkit for Runtimes 1 on RHEL 8", "release_date" : "2024-04-18T00:00:00Z", "advisory" : "RHSA-2024:1923", "cpe" : "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8", "package" : "mtr/mtr-operator-bundle:1.2-18" }, { "product_name" : "Migration Toolkit for Runtimes 1 on RHEL 8", "release_date" : "2024-04-18T00:00:00Z", "advisory" : "RHSA-2024:1923", "cpe" : "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8", "package" : "mtr/mtr-rhel8-operator:1.2-11" }, { "product_name" : "Migration Toolkit for Runtimes 1 on RHEL 8", "release_date" : "2024-04-18T00:00:00Z", "advisory" : "RHSA-2024:1923", "cpe" : "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8", "package" : "mtr/mtr-web-container-rhel8:1.2-12" }, { "product_name" : "Migration Toolkit for Runtimes 1 on RHEL 8", "release_date" : "2024-04-18T00:00:00Z", "advisory" : "RHSA-2024:1923", "cpe" : "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8", "package" : "mtr/mtr-web-executor-container-rhel8:1.2-10" }, { "product_name" : "MTA-6.2-RHEL-9", "release_date" : "2024-06-20T00:00:00Z", "advisory" : "RHSA-2024:3989", "cpe" : "cpe:/a:redhat:migration_toolkit_applications:6.2::el9", "package" : "mta/mta-windup-addon-rhel9:6.2.3-2" }, { "product_name" : "Red Hat AMQ Streams 2.7.0", "release_date" : "2024-05-30T00:00:00Z", "advisory" : "RHSA-2024:3527", "cpe" : "cpe:/a:redhat:amq_streams:2", "package" : "vertx-core" }, { "product_name" : "Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2", "release_date" : "2024-07-25T00:00:00Z", "advisory" : "RHSA-2024:4884", "cpe" : "cpe:/a:redhat:apache_camel_spring_boot:4.4::el6", "package" : "vertx-core" }, { "product_name" : "Red Hat build of Quarkus 3.2.11.Final", "release_date" : "2024-04-03T00:00:00Z", "advisory" : "RHSA-2024:1662", "cpe" : "cpe:/a:redhat:quarkus:3.2::el8", "package" : "io.vertx/vertx-core:4.4.8.redhat-00001" }, { "product_name" : "RHINT Service Registry 2.5.11 GA", "release_date" : "2024-05-14T00:00:00Z", "advisory" : "RHSA-2024:2833", "cpe" : "cpe:/a:redhat:service_registry:2.5", "package" : "vertx-core" } ], "package_state" : [ { "product_name" : "A-MQ Clients 2", "fix_state" : "Not affected", "package_name" : "vertx-core", "cpe" : "cpe:/a:redhat:a_mq_clients:2" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Not affected", "package_name" : "vertx-core", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "Red Hat AMQ Broker 7", "fix_state" : "Not affected", "package_name" : "vertx-core", "cpe" : "cpe:/a:redhat:amq_broker:7" }, { "product_name" : "Red Hat build of Apache Camel for Spring Boot 3", "fix_state" : "Will not fix", "package_name" : "vertx-core", "cpe" : "cpe:/a:redhat:camel_spring_boot:3" }, { "product_name" : "Red Hat Build of Keycloak", "fix_state" : "Affected", "package_name" : "vertx-core", "cpe" : "cpe:/a:redhat:build_keycloak:" }, { "product_name" : "Red Hat build of OptaPlanner 8", "fix_state" : "Will not fix", "package_name" : "vertx-core", "cpe" : "cpe:/a:redhat:optaplanner:::el6" }, { "product_name" : "Red Hat build of Quarkus", "fix_state" : "Will not fix", "package_name" : "io.vertx/vertx-core", "cpe" : "cpe:/a:redhat:quarkus:2" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Not affected", "package_name" : "vertx-core", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Not affected", "package_name" : "vertx-core", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Integration Camel K 1", "fix_state" : "Will not fix", "package_name" : "vertx-core", "cpe" : "cpe:/a:redhat:integration:1" }, { "product_name" : "Red Hat Integration Camel Quarkus 2", "fix_state" : "Will not fix", "package_name" : "vertx-core", "cpe" : "cpe:/a:redhat:camel_quarkus:2" }, { "product_name" : "Red Hat JBoss Data Grid 7", "fix_state" : "Will not fix", "package_name" : "vertx-core", "cpe" : "cpe:/a:redhat:jboss_data_grid:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Not affected", "package_name" : "vertx-core", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "vertx-core", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "vertx-core", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Will not fix", "package_name" : "vertx-core", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-1300\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-1300\nhttps://vertx.io/docs/vertx-core/java/#_server_name_indication_sni." ], "name" : "CVE-2024-1300", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }