You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Netty is an asynchronous event-driven network application framework for
rapid development of maintainable high performance protocol servers and
clients.
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The SniHandler can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the SniHandler to allocate 16MB of heap. The SniHandler class is a handler that waits for the TLS handshake to configure a SslHandler according to the indicated server name by the ClientHello record. For this matter it allocates a ByteBuf using the value defined in the ClientHello record. Normally the value of the packet should be smaller than the handshake packet but there are not checks done here and the way the code is written, it is possible to craft a packet that makes the SslClientHelloHandler. This vulnerability has been fixed in version 4.1.94.Final.
CVE-2023-34462 - Medium Severity Vulnerability
Vulnerable Library - netty-handler-4.1.34.Final.jar
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to dependency file: /spring-distributed-tracing/admin-server/pom.xml
Path to vulnerable library: /root/.m2/repository/io/netty/netty-handler/4.1.34.Final/netty-handler-4.1.34.Final.jar
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The
SniHandler
can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using theSniHandler
to allocate 16MB of heap. TheSniHandler
class is a handler that waits for the TLS handshake to configure aSslHandler
according to the indicated server name by theClientHello
record. For this matter it allocates aByteBuf
using the value defined in theClientHello
record. Normally the value of the packet should be smaller than the handshake packet but there are not checks done here and the way the code is written, it is possible to craft a packet that makes theSslClientHelloHandler
. This vulnerability has been fixed in version 4.1.94.Final.Publish Date: 2023-06-22
URL: CVE-2023-34462
CVSS 3 Score Details (6.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-6mjq-h674-j845
Release Date: 2023-06-22
Fix Resolution (io.netty:netty-handler): 4.1.94.Final
Direct dependency fix Resolution (de.codecentric:spring-boot-admin-starter-server): 3.1.5
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: