CVE-2023-34462

NameCVE-2023-34462
DescriptionNetty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` to allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the indicated server name by the `ClientHello` record. For this matter it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet but there are not checks done here and the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-5558-1
Debian Bugs1038947

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
netty (PTS)jessie, jessie (lts)1:3.2.6.Final-2+deb8u2fixed
stretch (security)1:4.1.7-2+deb9u3fixed
stretch (lts), stretch1:4.1.7-2+deb9u5fixed
buster (security), buster, buster (lts)1:4.1.33-1+deb10u5fixed
bullseye (security), bullseye1:4.1.48-4+deb11u2fixed
bookworm (security), bookworm1:4.1.48-7+deb12u1fixed
sid, trixie1:4.1.48-10fixed
netty-3.9 (PTS)jessie, jessie (lts)3.9.0.Final-1+deb8u2fixed
stretch (security)3.9.9.Final-1+deb9u1fixed
stretch (lts), stretch3.9.9.Final-1+deb9u2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
nettysourcejessie(not affected)
nettysourcestretch(not affected)
nettysourcebuster(not affected)
nettysourcebullseye1:4.1.48-4+deb11u2DSA-5558-1
nettysourcebookworm1:4.1.48-7+deb12u1DSA-5558-1
nettysource(unstable)1:4.1.48-81038947
netty-3.9source(unstable)(not affected)

Notes

[buster] - netty <not-affected> (SslClientHelloHandler introduced in v4.1.46)
https://github.com/netty/netty/security/advisories/GHSA-6mjq-h674-j845
https://github.com/netty/netty/commit/535da17e45201ae4278c0479e6162bb4127d4c32 (netty-4.1.94.Final)
[stretch] - netty <not-affected> (SslClientHelloHandler introduced in v4.1.46)
[jessie] - netty <not-affected> (SNI support introduced in v4.1)
- netty-3.9 <not-affected> (SNI support introduced in v4.1)

Search for package or bug name: Reporting problems