CVE-2024-1300

EPSS 0.1%
Published 02.04.2024 08:15:53
Last modified 25.11.2024 03:15:10
Source secalert@redhat.com
Teams watchlist Login
Open Login

A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error.

Affected products Warnungen 0 Metrics 2 CWE 1 References 14

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Collection URLhttps://vertx.io/docs/vertx-core/java/

≫

Package io.vertx:vertx-core

Default Statusunaffected

Version <= 4.5.2

Version 4.3.4

Status affected

VendorRed Hat

≫

Product CEQ 3.2

Default Statusunaffected

VendorRed Hat

≫

Product Cryostat 2 on RHEL 8

Default Statusaffected

Version < *

Version 2.4.0-7

Status unaffected

VendorRed Hat

≫

Product Cryostat 2 on RHEL 8

Default Statusaffected

Version < *

Version 2.4.0-4

Status unaffected

VendorRed Hat

≫

Product Cryostat 2 on RHEL 8

Default Statusaffected

Version < *

Version 2.4.0-4

Status unaffected

VendorRed Hat

≫

Product Cryostat 2 on RHEL 8

Default Statusaffected

Version < *

Version 2.4.0-4

Status unaffected

VendorRed Hat

≫

Product Cryostat 2 on RHEL 8

Default Statusaffected

Version < *

Version 2.4.0-9

Status unaffected

VendorRed Hat

≫

Product Cryostat 2 on RHEL 8

Default Statusaffected

Version < *

Version 2.4.0-4

Status unaffected

VendorRed Hat

≫

Product Migration Toolkit for Runtimes 1 on RHEL 8

Default Statusaffected

Version < *

Version 1.2-18

Status unaffected

VendorRed Hat

≫

Product Migration Toolkit for Runtimes 1 on RHEL 8

Default Statusaffected

Version < *

Version 1.2-11

Status unaffected

VendorRed Hat

≫

Product Migration Toolkit for Runtimes 1 on RHEL 8

Default Statusaffected

Version < *

Version 1.2-12

Status unaffected

VendorRed Hat

≫

Product Migration Toolkit for Runtimes 1 on RHEL 8

Default Statusaffected

Version < *

Version 1.2-10

Status unaffected

VendorRed Hat

≫

Product MTA-6.2-RHEL-9

Default Statusaffected

Version < *

Version 6.2.3-2

Status unaffected

VendorRed Hat

≫

Product Red Hat AMQ Streams 2.7.0

Default Statusunaffected

VendorRed Hat

≫

Product Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2

Default Statusunaffected

VendorRed Hat

≫

Product Red Hat build of Quarkus 3.2.11.Final

Default Statusaffected

Version < *

Version 4.4.8.redhat-00001

Status unaffected

VendorRed Hat

≫

Product RHINT Service Registry 2.5.11 GA

Default Statusunaffected

VendorRed Hat

≫

Product A-MQ Clients 2

Default Statusunaffected

VendorRed Hat

≫

Product OpenShift Serverless

Default Statusunaffected

VendorRed Hat

≫

Product Red Hat AMQ Broker 7

Default Statusunaffected

VendorRed Hat

≫

Product Red Hat build of Apache Camel for Spring Boot 3

Default Statusaffected

VendorRed Hat

≫

Product Red Hat Build of Keycloak

Default Statusaffected

VendorRed Hat

≫

Product Red Hat build of OptaPlanner 8

Default Statusaffected

VendorRed Hat

≫

Product Red Hat build of Quarkus

Default Statusaffected

VendorRed Hat

≫

Product Red Hat Data Grid 8

Default Statusunaffected

VendorRed Hat

≫

Product Red Hat Fuse 7

Default Statusunaffected

VendorRed Hat

≫

Product Red Hat Integration Camel K 1

Default Statusaffected

VendorRed Hat

≫

Product Red Hat Integration Camel Quarkus 2

Default Statusaffected

VendorRed Hat

≫

Product Red Hat JBoss Data Grid 7

Default Statusaffected

VendorRed Hat

≫

Product Red Hat JBoss Enterprise Application Platform 7

Default Statusunaffected

VendorRed Hat

≫

Product Red Hat JBoss Enterprise Application Platform 8

Default Statusunaffected

VendorRed Hat

≫

Product Red Hat JBoss Enterprise Application Platform Expansion Pack

Default Statusunaffected

VendorRed Hat

≫

Product Red Hat Process Automation 7

Default Statusaffected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.1%	0.281

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
secalert@redhat.com	5.4	2.8	2.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

CWE-401 Missing Release of Memory after Effective Lifetime

The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.

https://access.redhat.com/errata/RHSA-2024:1662

https://access.redhat.com/errata/RHSA-2024:1706

https://access.redhat.com/errata/RHSA-2024:2088

https://access.redhat.com/errata/RHSA-2024:2833

https://access.redhat.com/errata/RHSA-2024:3527

https://access.redhat.com/errata/RHSA-2024:3989

https://access.redhat.com/errata/RHSA-2024:4884

https://access.redhat.com/errata/RHSA-2024:1923

https://access.redhat.com/security/cve/CVE-2024-1300

https://bugzilla.redhat.com/show_bug.cgi?id=2263139

https://vertx.io/docs/vertx-core/java/#_server_name_indication_sni.

https://nvd.nist.gov/vuln/detail/CVE-2024-1300

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-1300

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-1300

EUVD