CVE-2023-34462: Uncontrolled Resource Consumption in Netty

Severity: 6.5 MEDIUM (NVD)
EPSS: 1.0% (top 23.00%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Jun 22
Latest update: Sep 5

Description

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When neither the handler nor the channel has an idle timeout, a remote client can make a TCP server that uses the `SniHandler` allocate 16MB of heap per connection. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Exploitability: 2.8 | Impact: 3.6

Affected Packages (5 packages)

Source      Package        Affected versions
CVEListV5   netty/netty    < 4.1.94.Final
NVD         netty/netty    < 4.1.94
debian      debian/netty   < netty 1:4.1.48-7+deb12u1 (bookworm)
Debian      netty/netty    < 1:4.1.48-4+deb11u2+3
Ubuntu      netty/netty    < 1:4.1.48-4+deb11u2build0.22.04.1

Patches

Vulnerability Details (4)

- OSV: netty vulnerabilities (2024-09-05)
- OSV: CVE-2023-34462: Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients (2023-06-22)
- OSV: netty-handler SniHandler 16MB allocation (2023-06-20)
- GHSA: netty-handler SniHandler 16MB allocation (2023-06-20)

Vendor Advisories (5)

- Ubuntu: Netty vulnerabilities (2024-09-05)
- Oracle: Oracle NoSQL Database Risk Matrix: Administration (Netty), CVE-2023-34462 (2024-01-15)
- Oracle: Oracle TimesTen In-Memory Database Risk Matrix: EM TimesTen plug-in (Netty), CVE-2023-34462 (2023-10-15)
- Red Hat: netty: SniHandler 16MB allocation leads to OOM (2023-06-23)
- Debian: CVE-2023-34462: netty - Netty is an asynchronous event-driven network application framework for rapid de... (2023)

Threat Intelligence (1)

- Fortinet: MOVEit Transfer Critical Vulnerability (CVE-2023-34362) Exploited as a 0-day | FortiGuard Labs (2023-06-08)