CVE-2024-1023: Io.vertx/vertx-core: memory leak due to the use of netty fastthreadlocal data structures in vertx
Sign up for FREE to recieve instant alerts about this vulnerability!
Description
A vulnerability in the Eclipse Vert.x toolkit results in a memory leak due to using Netty FastThreadLocal data structures. Specifically, when the Vert.x HTTP client establishes connections to different hosts, triggering the memory leak. The leak can be accelerated with intimate runtime knowledge, allowing an attacker to exploit this vulnerability. For instance, a server accepting arbitrary internet addresses could serve as an attack vector by connecting to these addresses, thereby accelerating the memory leak.
Classification
CVE ID: CVE-2024-1023
Problem Types
Missing Release of Memory after Effective LifetimeAffected Products
Vendor: , Red Hat, Red Hat, Red Hat, Red Hat, Red Hat, Red Hat, Red Hat, Red Hat, Red Hat, Red Hat, Red Hat, Red Hat, Red Hat, Red Hat, Red Hat, Red Hat, Red Hat, Red Hat, Red Hat, Red Hat, Red Hat, Red Hat, Red Hat, Red Hat, Red Hat, Red Hat, Red Hat, Red Hat, Red Hat
Product: , CEQ 3.2, Cryostat 2 on RHEL 8, Cryostat 2 on RHEL 8, Cryostat 2 on RHEL 8, Cryostat 2 on RHEL 8, Cryostat 2 on RHEL 8, Cryostat 2 on RHEL 8, MTA-6.2-RHEL-9, Red Hat AMQ Streams 2.7.0, Red Hat build of Apache Camel 4.4.1 for Spring Boot, Red Hat build of Quarkus 3.2.11.Final, RHINT Service Registry 2.5.11 GA, A-MQ Clients 2, Migration Toolkit for Runtimes, OpenShift Serverless, Red Hat AMQ Broker 7, Red Hat build of Apache Camel for Spring Boot 3, Red Hat Build of Keycloak, Red Hat build of OptaPlanner 8, Red Hat build of Quarkus, Red Hat Data Grid 8, Red Hat Fuse 7, Red Hat Integration Camel K, Red Hat Integration Camel Quarkus, Red Hat JBoss Data Grid 7, Red Hat JBoss Enterprise Application Platform 7, Red Hat JBoss Enterprise Application Platform 8, Red Hat JBoss Enterprise Application Platform Expansion Pack 5, Red Hat Process Automation 7
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.05% (probability of being exploited)
EPSS Percentile: 0.16875 (how common is this exploit)
EPSS Date: 2025-03-07 (when was this score calculated)
Stakeholder-Specific Vulnerability Categorization (SSVC)
SSVC Exploitation: poc
SSVC Technical Impact: partial
SSVC Automatable: false