[
https://issues.apache.org/jira/browse/HDDS-9034?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Attila Doroszlai resolved HDDS-9034.
------------------------------------
Fix Version/s: 1.4.0
Resolution: Done
> Bump Netty Project to 4.1.94.Final
> ----------------------------------
>
> Key: HDDS-9034
> URL: https://issues.apache.org/jira/browse/HDDS-9034
> Project: Apache Ozone
> Issue Type: Task
> Reporter: Rohit Kumar
> Assignee: Rohit Kumar
> Priority: Minor
> Labels: pull-request-available
> Fix For: 1.4.0
>
>
> Upgrade Netty Project to 4.1.94.Final due to CVE-2023-34462
> The `SniHandler` can allocate up to 16MB of heap for each channel during the
> TLS handshake. When the handler or the channel does not have an idle timeout,
> it can be used to make a TCP server using the `SniHandler` to allocate 16MB
> of heap. The `SniHandler` class is a handler that waits for the TLS handshake
> to configure a `SslHandler` according to the indicated server name by the
> `ClientHello` record. For this matter it allocates a `ByteBuf` using the
> value defined in the `ClientHello` record. Normally the value of the packet
> should be smaller than the handshake packet but there are not checks done
> here and the way the code is written, it is possible to craft a packet that
> makes the `SslClientHelloHandler`. This vulnerability has been fixed in
> version 4.1.94.Final.
> CVSSv3 Score:- 6.5(Medium)
> [https://nvd.nist.gov/vuln/detail/CVE-2023-34462]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
