CVE-2023-34462: netty-handler SniHandler 16MB allocation
First published: Tue Jun 20 2023(Updated: )
### Summary The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` to allocate 16MB of heap. ### Details The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the indicated server name by the `ClientHello` record. For this matter it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet but there are not checks done here and the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler` 1/ allocate a 16MB `ByteBuf` 2/ not fail `decode` method `in` buffer 3/ get out of the loop without an exception The combination of this without the use of a timeout makes easy to connect to a TCP server and allocate 16MB of heap memory per connection. ### Impact If the user has no idle timeout handler configured it might be possible for a remote peer to send a client hello packet which lead the server to buffer up to 16MB of data per connection. This could lead to a OutOfMemoryError and so result in a DDOS.
Credit: security-advisories@github.com security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Netty Netty | <4.1.94 | |
| maven/io.netty:netty-handler | <4.1.94.Final | 4.1.94.Final |
| debian/netty | <=1:4.1.48-4+deb11u1 | 1:4.1.33-1+deb10u2 1:4.1.33-1+deb10u4 1:4.1.48-4+deb11u2 1:4.1.48-7+deb12u1 1:4.1.48-9 |
| redhat/netty | <4.1.94. | 4.1.94. |
| IBM Cognos Analytics | <=12.0-12.0.2 | |
| IBM Cognos Analytics | <=11.2.0-11.2.4 FP2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/netty/netty/commit/535da17e45201ae4278c0479e6162bb4127d4c32
- https://github.com/netty/netty/security/advisories/GHSA-6mjq-h674-j845
- https://security.netapp.com/advisory/ntap-20230803-0001/
- https://www.debian.org/security/2023/dsa-5558
- https://nvd.nist.gov/vuln/detail/CVE-2023-34462
- https://github.com/advisories/GHSA-6mjq-h674-j845 (Advisory)
- https://security-tracker.debian.org/tracker/CVE-2023-34462
- https://www.cve.org/CVERecord?id=CVE-2023-34462
- https://salsa.debian.org/java-team/netty/-/commit/538e85cc9d5a9ff26afcab6d242db4df18a57ce3
- https://security-tracker.debian.org/tracker/CVE-2023-44487
- https://bugs.debian.org/1038947
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1038947
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2216893
- https://access.redhat.com/errata/RHSA-2023:5165
- https://access.redhat.com/errata/RHSA-2023:5396
- https://access.redhat.com/errata/RHSA-2023:5441
- https://access.redhat.com/errata/RHSA-2023:5488
- https://access.redhat.com/errata/RHSA-2023:5484
- https://access.redhat.com/errata/RHSA-2023:5485
- https://access.redhat.com/errata/RHSA-2023:5486
- https://access.redhat.com/errata/RHSA-2023:5946
- https://access.redhat.com/errata/RHSA-2023:7653
- https://access.redhat.com/errata/RHSA-2023:7669
- https://access.redhat.com/errata/RHSA-2023:7697
- https://access.redhat.com/errata/RHSA-2023:7700
- https://access.redhat.com/errata/RHSA-2023:7705
- https://access.redhat.com/errata/RHSA-2024:0148
- https://bugzilla.redhat.com/show_bug.cgi?id=2216888
- https://exchange.xforce.ibmcloud.com/vulnerabilities/258713
- https://www.ibm.com/support/pages/node/7149874 (Advisory)
Frequently Asked Questions
What is CVE-2023-34462?
CVE-2023-34462 refers to a vulnerability in the Netty framework that allows the SniHandler to allocate up to 16MB of heap for each channel during the TLS handshake.
How does CVE-2023-34462 impact Netty?
CVE-2023-34462 can result in excessive memory usage by the SniHandler during the TLS handshake, potentially leading to resource exhaustion and denial of service.
What is the severity of CVE-2023-34462?
CVE-2023-34462 has a severity score of 6.5, which is considered medium.
Which versions of Netty are affected by CVE-2023-34462?
Netty versions up to and including 4.1.94 are affected by CVE-2023-34462.
How can CVE-2023-34462 be fixed?
To fix CVE-2023-34462, upgrade to version 4.1.95 or later of the Netty framework.
- collector/nvd-index
- collector/mitre-cve
- collector/github-advisory-latest
- alias/GHSA-6mjq-h674-j845
- alias/CVE-2023-34462
- collector/nvd-cve
- collector/debian-bugs
- collector/github-advisory
- collector/security-tracker-debian
- agent/weakness
- agent/first-publish-date
- agent/softwarecombine
- agent/type
- agent/references
- agent/author
- agent/remedy
- agent/title
- agent/severity
- agent/event
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/last-modified-date
- collector/nvd-api
- agent/software-canonical-lookup-request
- agent/tags
- collector/ibm-support
- source/IBM
- vendor/netty
- canonical/netty netty
- package-manager/maven
- package-manager/debian
- package-manager/redhat
- vendor/ibm
- canonical/ibm cognos analytics
- version/ibm cognos analytics/12.0-12.0.2
- version/ibm cognos analytics/11.2.0-11.2.4 fp2