UBUNTU-CVE-2023-34462
See a problem?- Source
- https://ubuntu.com/security/notices/UBUNTU-CVE-2023-34462
- Import Source
- https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-34462.json
- JSON Data
- https://api.osv.dev/v1/vulns/UBUNTU-CVE-2023-34462
- Related
- Published
- 2023-06-22T23:15:00Z
- Modified
- 2023-06-22T23:15:00Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The
SniHandlercan allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using theSniHandlerto allocate 16MB of heap. TheSniHandlerclass is a handler that waits for the TLS handshake to configure aSslHandleraccording to the indicated server name by theClientHellorecord. For this matter it allocates aByteBufusing the value defined in theClientHellorecord. Normally the value of the packet should be smaller than the handshake packet but there are not checks done here and the way the code is written, it is possible to craft a packet that makes theSslClientHelloHandler. This vulnerability has been fixed in version 4.1.94.Final. - References
Affected packages
Ubuntu:22.04:LTS / netty
Package
- Name
- netty
- Purl
- pkg:deb/ubuntu/netty@1:4.1.48-4+deb11u2build0.22.04.1?arch=src?distro=jammy