CVE-2024-1300

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-1300
A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error.

5.4 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References
Link Resource
https://access.redhat.com/errata/RHSA-2024:1662
https://access.redhat.com/errata/RHSA-2024:1706
https://access.redhat.com/errata/RHSA-2024:1923
https://access.redhat.com/errata/RHSA-2024:2088
https://access.redhat.com/errata/RHSA-2024:2833
https://access.redhat.com/errata/RHSA-2024:3527
https://access.redhat.com/errata/RHSA-2024:3989
https://access.redhat.com/errata/RHSA-2024:4884
https://access.redhat.com/security/cve/CVE-2024-1300
https://bugzilla.redhat.com/show_bug.cgi?id=2263139
https://vertx.io/docs/vertx-core/java/#_server_name_indication_sni.
https://access.redhat.com/errata/RHSA-2024:1662
https://access.redhat.com/errata/RHSA-2024:1706
https://access.redhat.com/errata/RHSA-2024:1923
https://access.redhat.com/errata/RHSA-2024:2088
https://access.redhat.com/errata/RHSA-2024:2833
https://access.redhat.com/errata/RHSA-2024:3527
https://access.redhat.com/errata/RHSA-2024:3989
https://access.redhat.com/errata/RHSA-2024:4884
https://access.redhat.com/security/cve/CVE-2024-1300
https://bugzilla.redhat.com/show_bug.cgi?id=2263139
https://vertx.io/docs/vertx-core/java/#_server_name_indication_sni.
Configurations

No configuration.

History

25 Nov 2024, 03:15

Type Values Removed Values Added
CWE CWE-400 CWE-401

21 Nov 2024, 08:50

Type Values Removed Values Added
References () https://access.redhat.com/errata/RHSA-2024:1662 - () https://access.redhat.com/errata/RHSA-2024:1662 -
References () https://access.redhat.com/errata/RHSA-2024:1706 - () https://access.redhat.com/errata/RHSA-2024:1706 -
References () https://access.redhat.com/errata/RHSA-2024:1923 - () https://access.redhat.com/errata/RHSA-2024:1923 -
References () https://access.redhat.com/errata/RHSA-2024:2088 - () https://access.redhat.com/errata/RHSA-2024:2088 -
References () https://access.redhat.com/errata/RHSA-2024:2833 - () https://access.redhat.com/errata/RHSA-2024:2833 -
References () https://access.redhat.com/errata/RHSA-2024:3527 - () https://access.redhat.com/errata/RHSA-2024:3527 -
References () https://access.redhat.com/errata/RHSA-2024:3989 - () https://access.redhat.com/errata/RHSA-2024:3989 -
References () https://access.redhat.com/errata/RHSA-2024:4884 - () https://access.redhat.com/errata/RHSA-2024:4884 -
References () https://access.redhat.com/security/cve/CVE-2024-1300 - () https://access.redhat.com/security/cve/CVE-2024-1300 -
References () https://bugzilla.redhat.com/show_bug.cgi?id=2263139 - () https://bugzilla.redhat.com/show_bug.cgi?id=2263139 -
References () https://vertx.io/docs/vertx-core/java/#_server_name_indication_sni. - () https://vertx.io/docs/vertx-core/java/#_server_name_indication_sni. -

25 Jul 2024, 21:15

Type Values Removed Values Added
References
  • () https://access.redhat.com/errata/RHSA-2024:4884 -

20 Jun 2024, 06:15

Type Values Removed Values Added
References
  • () https://access.redhat.com/errata/RHSA-2024:3989 -

31 May 2024, 01:15

Type Values Removed Values Added
References
  • () https://access.redhat.com/errata/RHSA-2024:3527 -

14 May 2024, 16:15

Type Values Removed Values Added
References
  • () https://access.redhat.com/errata/RHSA-2024:2833 -

29 Apr 2024, 07:15

Type Values Removed Values Added
References
  • () https://access.redhat.com/errata/RHSA-2024:2088 -

18 Apr 2024, 17:15

Type Values Removed Values Added
References
  • () https://access.redhat.com/errata/RHSA-2024:1923 -

09 Apr 2024, 12:15

Type Values Removed Values Added
References
  • () https://access.redhat.com/errata/RHSA-2024:1706 -

04 Apr 2024, 16:15

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 5.4
CWE CWE-400

03 Apr 2024, 13:16

Type Values Removed Values Added
References
  • () https://access.redhat.com/errata/RHSA-2024:1662 -

02 Apr 2024, 12:50

Type Values Removed Values Added
Summary
  • (es) Una vulnerabilidad en Eclipse Vert.x toolkit provoca una pérdida de memoria en servidores TCP configurados con soporte TLS y SNI. Al procesar un nombre de servidor SNI desconocido al que se le asigna el certificado predeterminado en lugar de un certificado asignado, el contexto SSL se almacena en caché por error en el mapa de nombres del servidor, lo que provoca que se agote la memoria. Esta falla permite a los atacantes enviar mensajes de saludo al cliente TLS con nombres de servidor falsos, lo que provoca un error de falta de memoria de JVM.

02 Apr 2024, 08:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-04-02 08:15

Updated : 2024-11-25 03:15

NVD link : CVE-2024-1300

Mitre link : CVE-2024-1300

CVE.ORG link : CVE-2024-1300

JSON object : View

Products Affected

No product.

CWE
CWE-401

Missing Release of Memory after Effective Lifetime