CVE-2024-1300: Io.vertx:vertx-core: memory leak when a tcp server is configured with tls and sni support

Description

A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When a client hello carries an SNI server name that has no mapped certificate, the server falls back to the default certificate, but the SSL context created for that fallback is erroneously cached in the server name map under the unknown name. Each distinct unknown name therefore adds an entry that is never released, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error.
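To make the mechanism in the description concrete, the following Python model shows the cache behaviour that leaks beside the corrected behaviour. It is an added illustration written for this page, not code from Vert.x or from the advisory; the class names, the `cache_unknown_names` switch and the sample server names are constructed for the example. The only fact carried over from the description is that caching the default-certificate fallback under each unknown SNI name lets the server name map grow without bound, while caching only names that have a mapped certificate keeps the map bounded by the configured certificate set.

```python
"""Model of CVE-2024-1300's bug class (CWE-401): an SNI lookup cache that
retains an entry for every unknown server name.  Hypothetical code, not
the Vert.x implementation."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SslContext:
    """Stand-in for a per-certificate TLS context (constructed for the example)."""
    cert_name: str


class SniContextCache:
    """Resolves an SNI server name to an SslContext, caching the result.

    cache_unknown_names=True reproduces the leaking behaviour: the default
    context is stored under every unmapped name.  False is the corrected
    behaviour: only names with a mapped certificate are cached.
    """

    def __init__(self, mapped_certs, default_cert, cache_unknown_names):
        self.mapped_certs = dict(mapped_certs)
        self.default_context = SslContext(default_cert)
        self.cache_unknown_names = cache_unknown_names
        self.server_name_map = {}

    def context_for(self, server_name):
        ctx = self.server_name_map.get(server_name)
        if ctx is not None:
            return ctx
        cert = self.mapped_certs.get(server_name)
        if cert is None:
            # Unknown name: fall back to the default certificate.  Storing the
            # fallback under the attacker-chosen name is the leak.
            if self.cache_unknown_names:
                self.server_name_map[server_name] = self.default_context
            return self.default_context
        ctx = SslContext(cert)
        self.server_name_map[server_name] = ctx
        return ctx


def entries_after(cache, client_hello_names):
    """Feed a sequence of SNI names and return the cache size afterwards."""
    for name in client_hello_names:
        cache.context_for(name)
    return len(cache.server_name_map)


# Constructed configuration: two mapped names plus a default certificate.
MAPPED = {"example.test": "example-cert", "api.example.test": "api-cert"}

# Constructed traffic: a few legitimate hellos followed by many distinct
# unmapped names, the pattern the description attributes to the attacker.
def sample_hellos(n_unknown):
    return ["example.test", "api.example.test"] + [
        f"bogus-{i}.invalid" for i in range(n_unknown)
    ]


def leaking_entries(n_unknown=1000):
    cache = SniContextCache(MAPPED, "default-cert", cache_unknown_names=True)
    return entries_after(cache, sample_hellos(n_unknown))


def fixed_entries(n_unknown=1000):
    cache = SniContextCache(MAPPED, "default-cert", cache_unknown_names=False)
    return entries_after(cache, sample_hellos(n_unknown))


if __name__ == "__main__":
    print("leaking cache entries:", leaking_entries())  # grows with n_unknown
    print("fixed cache entries:  ", fixed_entries())    # bounded by MAPPED
```

The useful operational signal is the same one the model exposes: in a correct implementation the number of cached SNI contexts is bounded by the number of configured certificates, so a cache whose size tracks the number of distinct client-supplied server names is a sign of this defect.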

Classification

CVE ID: CVE-2024-1300

Problem Types

Missing Release of Memory after Effective Lifetime (CWE-401)

Affected Products

Vendor: Red Hat

Product: CEQ 3.2, Cryostat 2 on RHEL 8, Migration Toolkit for Runtimes 1 on RHEL 8, MTA-6.2-RHEL-9, Red Hat AMQ Streams 2.7.0, Red Hat build of Apache Camel 4.4.1 for Spring Boot, Red Hat build of Quarkus 3.2.11.Final, RHINT Service Registry 2.5.11 GA, A-MQ Clients 2, OpenShift Serverless, Red Hat AMQ Broker 7, Red Hat build of Apache Camel for Spring Boot 3, Red Hat Build of Keycloak, Red Hat build of OptaPlanner 8, Red Hat build of Quarkus, Red Hat Data Grid 8, Red Hat Fuse 7, Red Hat Integration Camel K, Red Hat Integration Camel Quarkus, Red Hat JBoss Data Grid 7, Red Hat JBoss Enterprise Application Platform 7, Red Hat JBoss Enterprise Application Platform 8, Red Hat JBoss Enterprise Application Platform Expansion Pack 5, Red Hat Process Automation 7

Exploit Prediction Scoring System (EPSS)

EPSS Score: 1.08% (estimated probability of exploitation in the wild)

EPSS Percentile: 75.29% (share of all scored CVEs with an EPSS score less than or equal to this one)

EPSS Date: 2025-03-27 (date on which this score was calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: partial

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2024-1300
https://access.redhat.com/errata/RHSA-2024:1662
https://access.redhat.com/errata/RHSA-2024:1706
https://access.redhat.com/errata/RHSA-2024:1923
https://access.redhat.com/errata/RHSA-2024:2088
https://access.redhat.com/errata/RHSA-2024:2833
https://access.redhat.com/errata/RHSA-2024:3527
https://access.redhat.com/errata/RHSA-2024:3989
https://access.redhat.com/errata/RHSA-2024:4884
https://access.redhat.com/security/cve/CVE-2024-1300
https://bugzilla.redhat.com/show_bug.cgi?id=2263139
https://vertx.io/docs/vertx-core/java/#_server_name_indication_sni.

Timeline