CVE-2024-1300

Summary

A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error.

Affected Software

VendorProductVersion RangeStatus
4.3.4 <= 4.5.2affected
Red HatCryostat 2 on RHEL 82.4.0-7 < *unaffected
Red HatCryostat 2 on RHEL 82.4.0-4 < *unaffected
Red HatCryostat 2 on RHEL 82.4.0-4 < *unaffected
Red HatCryostat 2 on RHEL 82.4.0-4 < *unaffected
Red HatCryostat 2 on RHEL 82.4.0-9 < *unaffected
Red HatCryostat 2 on RHEL 82.4.0-4 < *unaffected
Red HatMigration Toolkit for Runtimes 1 on RHEL 81.2-18 < *unaffected
Red HatMigration Toolkit for Runtimes 1 on RHEL 81.2-11 < *unaffected
Red HatMigration Toolkit for Runtimes 1 on RHEL 81.2-12 < *unaffected
Red HatMigration Toolkit for Runtimes 1 on RHEL 81.2-10 < *unaffected
Red HatMTA-6.2-RHEL-96.2.3-2 < *unaffected
Red HatRed Hat build of Quarkus 3.2.11.Final4.4.8.redhat-00001 < *unaffected

Weaknesses

  • CWE-772: Missing Release of Resource after Effective Lifetime

Workarounds

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References