Bug 1212637 (CVE-2023-34462)

Summary: VUL-0: CVE-2023-34462: netty: io.netty:netty-handler: SniHandler 16MB allocation
Product: [Novell Products] SUSE Security Incidents
Reporter: Robert Frohl <rfrohl>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/370248/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-34462:6.5:(AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Robert Frohl 2023-06-23 06:45:34 UTC
CVE-2023-34462

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` to allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the indicated server name by the `ClientHello` record. For this matter it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet but there are no checks done here and the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-34462
https://bugzilla.redhat.com/show_bug.cgi?id=2216888
https://www.cve.org/CVERecord?id=CVE-2023-34462
http://www.cvedetails.com/cve/CVE-2023-34462/
https://github.com/netty/netty/commit/535da17e45201ae4278c0479e6162bb4127d4c32
https://github.com/netty/netty/security/advisories/GHSA-6mjq-h674-j845
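
The length field the description refers to, shown as an added example (not Netty's code and not part of the original report): a dependency-free check that reads the 24-bit handshake length from a `ClientHello` header and refuses to size a buffer from it above a cap. The class name, method name and the 16 KiB cap are assumptions made for illustration.

```java
import java.nio.ByteBuffer;

// Added illustration, not Netty code. All names here are hypothetical.
public class ClientHelloLengthCheck {
    static final int RECORD_HEADER = 5;     // content type(1) + version(2) + length(2)
    static final int HANDSHAKE_HEADER = 4;  // message type(1) + uint24 length(3)
    static final int MAX_CLIENT_HELLO = 16 * 1024; // assumed cap; tune per deployment

    /** Returns the declared ClientHello body length, or throws if it must not be trusted. */
    static int checkedClientHelloLength(ByteBuffer in, int maxLen) {
        if (in.remaining() < RECORD_HEADER + HANDSHAKE_HEADER) {
            throw new IllegalArgumentException("need more bytes before deciding");
        }
        int p = in.position();
        int contentType = in.get(p) & 0xFF;      // 22 = handshake
        int msgType = in.get(p + 5) & 0xFF;      // 1 = ClientHello
        if (contentType != 22 || msgType != 1) {
            throw new IllegalArgumentException("not a ClientHello");
        }
        // uint24, big-endian: the peer can declare up to 2^24-1 bytes (about 16MB)
        // no matter how few bytes it actually sends afterwards.
        int declared = ((in.get(p + 6) & 0xFF) << 16)
                     | ((in.get(p + 7) & 0xFF) << 8)
                     |  (in.get(p + 8) & 0xFF);
        // A ClientHello may legitimately span several records, so the record
        // length is not a usable bound; an explicit cap is.
        if (declared > maxLen) {
            throw new IllegalArgumentException(
                "declared ClientHello length " + declared + " exceeds cap " + maxLen);
        }
        return declared; // only now is it safe to allocate 'declared' bytes
    }

    public static void main(String[] args) {
        // Constructed sample headers (9 bytes each), not captured traffic.
        byte[] normal    = {22, 3, 1, 0, (byte) 0xC8, 1, 0, 0, (byte) 0xC4};
        byte[] oversized = {22, 3, 1, 0, 4, 1, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF};

        System.out.println("accepted: "
            + checkedClientHelloLength(ByteBuffer.wrap(normal), MAX_CLIENT_HELLO));
        try {
            checkedClientHelloLength(ByteBuffer.wrap(oversized), MAX_CLIENT_HELLO);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A length cap bounds the per-connection allocation; the idle or handshake timeout mentioned in the description is still needed so a peer that never completes the handshake cannot hold the buffer open.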
Comment 4 Maintenance Automation 2023-07-26 08:52:12 UTC
SUSE-SU-2023:2974-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1212637
CVE References: CVE-2023-34462
Sources used:
openSUSE Leap 15.4 (src): netty-tcnative-2.0.61-150200.3.13.1, netty-4.1.94-150200.4.17.1
openSUSE Leap 15.5 (src): netty-tcnative-2.0.61-150200.3.13.1, netty-4.1.94-150200.4.17.1
Development Tools Module 15-SP4 (src): netty-tcnative-2.0.61-150200.3.13.1
Development Tools Module 15-SP5 (src): netty-tcnative-2.0.61-150200.3.13.1
SUSE Package Hub 15 15-SP5 (src): netty-4.1.94-150200.4.17.1
SUSE Linux Enterprise Real Time 15 SP3 (src): netty-tcnative-2.0.61-150200.3.13.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Fridrich Strba 2024-03-04 12:27:03 UTC
Fixed. Time to close.
Comment 6 Gabriele Sonnu 2024-06-10 12:57:01 UTC
All done, closing.