CVE-2024-1300

medium

Description

A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error.

References

https://vertx.io/docs/vertx-core/java/#_server_name_indication_sni.

https://bugzilla.redhat.com/show_bug.cgi?id=2263139

https://access.redhat.com/security/cve/CVE-2024-1300

https://access.redhat.com/errata/RHSA-2024:4884

https://access.redhat.com/errata/RHSA-2024:3989

https://access.redhat.com/errata/RHSA-2024:3527

https://access.redhat.com/errata/RHSA-2024:2833

https://access.redhat.com/errata/RHSA-2024:2088

https://access.redhat.com/errata/RHSA-2024:1923

https://access.redhat.com/errata/RHSA-2024:1706

https://access.redhat.com/errata/RHSA-2024:1662

Details

Source: Mitre, NVD

Published: 2024-04-02

Updated: 2024-11-25

Risk Information

CVSS v2

Base Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:P

Severity: Medium

CVSS v3

Base Score: 5.4

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

Severity: Medium