CVE-2023-34462

NameCVE-2023-34462
DescriptionNetty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` to allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the indicated server name by the `ClientHello` record. For this matter it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet but there are not checks done here and the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-5558-1
Debian Bugs1038947

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
netty (PTS)bullseye (security), bullseye1:4.1.48-4+deb11u2fixed
bookworm, bookworm (security)1:4.1.48-7+deb12u1fixed
sid, trixie1:4.1.48-10fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
nettysourcebuster(not affected)
nettysourcebullseye1:4.1.48-4+deb11u2DSA-5558-1
nettysourcebookworm1:4.1.48-7+deb12u1DSA-5558-1
nettysource(unstable)1:4.1.48-81038947

Notes

[buster] - netty <not-affected> (SslClientHelloHandler introduced in v4.1.46)
https://github.com/netty/netty/security/advisories/GHSA-6mjq-h674-j845
https://github.com/netty/netty/commit/535da17e45201ae4278c0479e6162bb4127d4c32 (netty-4.1.94.Final)

Search for package or bug name: Reporting problems