CVE-2023-4586: Hotrod-client: hot rod client does not enable hostname validation when using tls that lead to a mitm attack
First published: Tue Aug 29 2023(Updated: )
## Withdrawn Advisory This advisory has been withdrawn because the underlying vulnerability only concerns Red Hat's Hot Rod client, which is not in one of the GitHub Advisory Database's [supported ecosystems](https://github.com/github/advisory-database/blob/main/README.md#supported-ecosystems). This link is maintained to preserve external references. ## Original Description Netty-handler has been found to no validate hostnames when using TLS in its default configuration. As a result netty-handler is vulnerable to man-in-the-middle attacks. Users would need to set the protocol to "HTTPS" in the SSLParameters of the SSLEngine to opt in to host name validation. A change in default behavior is expected in the `5.x` release branch with no backport planned. In the interim users are advised to enable host name validation in their configurations. See https://github.com/netty/netty/issues/8537 for details on the forthcoming change in default behavior.
Credit: secalert@redhat.com secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Netty Netty | >=4.1.0<=4.1.99 | |
| Redhat Data Grid | =8.0.0 | |
| Infinispan Hot Rod | ||
| maven/io.netty:netty-handler | >=4.1.0.Final<=4.1.99.Final | |
| Netty Netty | >=4.1.0<5.0.0 | |
| =8.0.0 | ||
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2023-4586
- https://access.redhat.com/security/cve/CVE-2023-4586
- https://bugzilla.redhat.com/show_bug.cgi?id=2235564
- https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-1042268
- https://github.com/netty/netty/issues/8537
- https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/SSLParameters.html#setEndpointIdentificationAlgorithm-java.lang.String-
- https://github.com/advisories/GHSA-57m8-f3v5-hm5m (Advisory)
- https://access.redhat.com/errata/RHSA-2023:7676
- https://www.cve.org/CVERecord?id=CVE-2023-4586 https://nvd.nist.gov/vuln/detail/CVE-2023-4586 https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-1042268
Frequently Asked Questions
What is CVE-2023-4586?
CVE-2023-4586 is a vulnerability in the Hot Rod client that allows man-in-the-middle attacks due to a lack of hostname validation.
How does CVE-2023-4586 impact Netty-handler?
CVE-2023-4586 affects Netty-handler by not validating hostnames when using TLS in its default configuration, making it vulnerable to man-in-the-middle attacks.
How can users mitigate the risk of CVE-2023-4586?
To mitigate the risk of CVE-2023-4586, users should set the protocol to "HTTPS" in the SSLParameters of the SSLEngine to enable hostname validation.
Which software versions are affected by CVE-2023-4586?
CVE-2023-4586 affects Netty-handler versions 4.1.0.Final to 4.1.99.Final, Netty versions 4.1.0 to 4.1.99, Redhat Data Grid version 8.0.0, and Infinispan Hot Rod.
What is the severity of CVE-2023-4586?
The severity of CVE-2023-4586 is high, with a CVSS score of 7.4.
- collector/redhat-cve
- collector/nvd-index
- collector/github-advisory-latest
- alias/GHSA-57m8-f3v5-hm5m
- alias/CVE-2023-4586
- collector/nvd-cve
- collector/github-advisory
- agent/type
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- agent/references
- agent/author
- agent/weakness
- agent/title
- agent/severity
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/softwarecombine
- agent/event
- agent/tags
- agent/trending
- vendor/netty
- canonical/netty netty
- version/netty netty/4.1.0
- version/netty netty/4.1.99
- vendor/redhat
- canonical/redhat data grid
- version/redhat data grid/8.0.0
- vendor/infinispan
- canonical/infinispan hot rod
- package-manager/maven