Bugzilla – Bug 1212637
VUL-0: CVE-2023-34462: netty: io.netty:netty-handler: SniHandler 16MB allocation
Last modified: 2024-06-10 12:57:01 UTC
CVE-2023-34462

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` to allocate 16MB of heap.

The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the indicated server name by the `ClientHello` record. For this matter it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet but there are no checks done here and the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`.

This vulnerability has been fixed in version 4.1.94.Final.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-34462
https://bugzilla.redhat.com/show_bug.cgi?id=2216888
https://www.cve.org/CVERecord?id=CVE-2023-34462
http://www.cvedetails.com/cve/CVE-2023-34462/
https://github.com/netty/netty/commit/535da17e45201ae4278c0479e6162bb4127d4c32
https://github.com/netty/netty/security/advisories/GHSA-6mjq-h674-j845
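The missing check described above, as an added example that is not part of this bug report and is not Netty's code: the TLS handshake header carries a 24-bit length, so a peer can declare a ClientHello of up to 16MB, and the declared value has to be compared against a cap before any buffer is sized from it. The class name, the method name, the `maxClientHelloLength` parameter and the 64 KiB cap are assumptions made for this sketch, which uses only the JDK.

```java
import java.nio.ByteBuffer;

// Added illustration (not Netty code): bound the declared ClientHello length before buffering.
public class ClientHelloLengthCheck {
    static final int RECORD_HEADER_LEN = 5;     // content type(1) + version(2) + length(2)
    static final int HANDSHAKE_HEADER_LEN = 4;  // message type(1) + length(3)
    static final int CONTENT_TYPE_HANDSHAKE = 22;
    static final int HANDSHAKE_TYPE_CLIENT_HELLO = 1;

    // Returns the declared ClientHello body length, or -1 if the headers are incomplete.
    // Throws before anything is allocated when the value exceeds maxClientHelloLength (hypothetical name).
    static int declaredClientHelloLength(ByteBuffer in, int maxClientHelloLength) {
        if (in.remaining() < RECORD_HEADER_LEN + HANDSHAKE_HEADER_LEN) {
            return -1; // need more bytes; an idle or handshake timeout must bound this wait
        }
        int p = in.position();
        if ((in.get(p) & 0xFF) != CONTENT_TYPE_HANDSHAKE) {
            throw new IllegalArgumentException("not a TLS handshake record");
        }
        if ((in.get(p + 5) & 0xFF) != HANDSHAKE_TYPE_CLIENT_HELLO) {
            throw new IllegalArgumentException("first handshake message is not a ClientHello");
        }
        // 24-bit big-endian length: the largest declarable value is 0xFFFFFF (16 MiB - 1).
        int helloLen = ((in.get(p + 6) & 0xFF) << 16)
                | ((in.get(p + 7) & 0xFF) << 8) | (in.get(p + 8) & 0xFF);
        if (helloLen > maxClientHelloLength) {
            throw new IllegalArgumentException(
                    "ClientHello length " + helloLen + " exceeds limit " + maxClientHelloLength);
        }
        return helloLen; // only now is it safe to size an accumulation buffer from this value
    }

    public static void main(String[] args) {
        int limit = 64 * 1024; // assumed cap for this example
        // Constructed inputs: record header + handshake header only, no body.
        byte[] normal = {22, 3, 1, 0, (byte) 0xC8, 1, 0, 0, (byte) 0xC4}; // declares 196 bytes
        byte[] oversized = {22, 3, 1, 0, 4, 1, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF}; // declares 0xFFFFFF
        System.out.println("accepted length: " + declaredClientHelloLength(ByteBuffer.wrap(normal), limit));
        try {
            declaredClientHelloLength(ByteBuffer.wrap(oversized), limit);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```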
SUSE-SU-2023:2974-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1212637
CVE References: CVE-2023-34462
Sources used:
openSUSE Leap 15.4 (src): netty-tcnative-2.0.61-150200.3.13.1, netty-4.1.94-150200.4.17.1
openSUSE Leap 15.5 (src): netty-tcnative-2.0.61-150200.3.13.1, netty-4.1.94-150200.4.17.1
Development Tools Module 15-SP4 (src): netty-tcnative-2.0.61-150200.3.13.1
Development Tools Module 15-SP5 (src): netty-tcnative-2.0.61-150200.3.13.1
SUSE Package Hub 15 15-SP5 (src): netty-4.1.94-150200.4.17.1
SUSE Linux Enterprise Real Time 15 SP3 (src): netty-tcnative-2.0.61-150200.3.13.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Fixed. Time to close.
All done, closing.