Memory Leak in TLS and SNI Support in Eclipse Vert.x Toolkit Allows Attackers to Trigger JVM Out-of-Memory Error
CVE-2024-1300

5.4MEDIUM

Key Information:

Vendor
Red Hat
Status
Ceq 3.2
Cryostat 2 On Rhel 8
Migration Toolkit For Runtimes 1 On Rhel 8
Mta-6.2-rhel-9
Vendor
CVE Published:
2 April 2024

Summary

A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error.

References

https://access.redhat.com/errata/RHSA-2024:1662
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:1706
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:1923
vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

Collectors

NVD DatabaseMitre Database
.