{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-1023", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2024-01-29T10:54:44.360Z", "datePublished": "2024-03-27T07:51:15.716Z", "dateUpdated": "2025-02-27T03:21:28.665Z"}, "containers": {"cna": {"title": "Io.vertx/vertx-core: memory leak due to the use of netty fastthreadlocal data structures in vertx", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A vulnerability in the Eclipse Vert.x toolkit results in a memory leak due to using Netty FastThreadLocal data structures. Specifically, when the Vert.x HTTP client establishes connections to different hosts, triggering the memory leak. The leak can be accelerated with intimate runtime knowledge, allowing an attacker to exploit this vulnerability. For instance, a server accepting arbitrary internet addresses could serve as an attack vector by connecting to these addresses, thereby accelerating the memory leak."}], "affected": [{"versions": [{"status": "affected", "version": "4.4.5"}, {"status": "affected", "version": "4.4.6"}, {"status": "affected", "version": "4.5.0"}, {"status": "affected", "version": "4.5.1"}], "packageName": "vertx-core", "collectionURL": "https://mvnrepository.com/artifact/io.vertx", "defaultStatus": "unaffected"}, {"vendor": "Red Hat", "product": "CEQ 3.2", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected", "packageName": "vert.x", "cpes": ["cpe:/a:redhat:camel_quarkus:3"]}, {"vendor": "Red Hat", "product": "Cryostat 2 on RHEL 8", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "cryostat-tech-preview/cryostat-grafana-dashboard-rhel8", "defaultStatus": "affected", "versions": [{"version": "2.4.0-7", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:cryostat:2::el8"]}, {"vendor": "Red Hat", "product": "Cryostat 2 on RHEL 8", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "cryostat-tech-preview/cryostat-operator-bundle", "defaultStatus": "affected", "versions": [{"version": "2.4.0-4", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:cryostat:2::el8"]}, {"vendor": "Red Hat", "product": "Cryostat 2 on RHEL 8", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "cryostat-tech-preview/cryostat-reports-rhel8", "defaultStatus": "affected", "versions": [{"version": "2.4.0-4", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:cryostat:2::el8"]}, {"vendor": "Red Hat", "product": "Cryostat 2 on RHEL 8", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "cryostat-tech-preview/cryostat-rhel8", "defaultStatus": "affected", "versions": [{"version": "2.4.0-4", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:cryostat:2::el8"]}, {"vendor": "Red Hat", "product": "Cryostat 2 on RHEL 8", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "cryostat-tech-preview/cryostat-rhel8-operator", "defaultStatus": "affected", "versions": [{"version": "2.4.0-9", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:cryostat:2::el8"]}, {"vendor": "Red Hat", "product": "Cryostat 2 on RHEL 8", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "cryostat-tech-preview/jfr-datasource-rhel8", "defaultStatus": "affected", "versions": [{"version": "2.4.0-4", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:cryostat:2::el8"]}, {"vendor": "Red Hat", "product": "MTA-6.2-RHEL-9", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "mta/mta-windup-addon-rhel9", "defaultStatus": "affected", "versions": [{"version": "6.2.3-2", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:migration_toolkit_applications:6.2::el9", "cpe:/a:redhat:migration_toolkit_applications:6.2::el8"]}, {"vendor": "Red Hat", "product": "Red Hat AMQ Streams 2.7.0", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected", "packageName": "vert.x", "cpes": ["cpe:/a:redhat:amq_streams:2"]}, {"vendor": "Red Hat", "product": "Red Hat build of Apache Camel 4.4.1 for Spring Boot", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected", "packageName": "vert.x", "cpes": ["cpe:/a:redhat:apache_camel_spring_boot:4.4.1"]}, {"vendor": "Red Hat", "product": "Red Hat build of Quarkus 3.2.11.Final", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "io.vertx/vertx-core", "defaultStatus": "affected", "versions": [{"version": "4.4.8.redhat-00001", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:quarkus:3.2::el8"]}, {"vendor": "Red Hat", "product": "RHINT Service Registry 2.5.11 GA", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected", "packageName": "vert.x", "cpes": ["cpe:/a:redhat:service_registry:2.5"]}, {"vendor": "Red Hat", "product": "A-MQ Clients 2", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "vert.x", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:a_mq_clients:2"]}, {"vendor": "Red Hat", "product": "Migration Toolkit for Runtimes", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "vert.x", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:migration_toolkit_runtimes:1"]}, {"vendor": "Red Hat", "product": "OpenShift Serverless", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "vert.x", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:serverless:1"]}, {"vendor": "Red Hat", "product": "Red Hat AMQ Broker 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "vert.x", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:amq_broker:7"]}, {"vendor": "Red Hat", "product": "Red Hat build of Apache Camel for Spring Boot 3", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "vert.x", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:camel_spring_boot:3"]}, {"vendor": "Red Hat", "product": "Red Hat Build of Keycloak", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "vert.x", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:build_keycloak:"]}, {"vendor": "Red Hat", "product": "Red Hat build of OptaPlanner 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "vert.x", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:optaplanner:::el6"]}, {"vendor": "Red Hat", "product": "Red Hat build of Quarkus", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "io.vertx/vertx-core", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:quarkus:2"]}, {"vendor": "Red Hat", "product": "Red Hat Data Grid 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "vert.x", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:jboss_data_grid:8"]}, {"vendor": "Red Hat", "product": "Red Hat Fuse 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "vert.x", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:jboss_fuse:7"]}, {"vendor": "Red Hat", "product": "Red Hat Integration Camel K", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "vert.x", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:integration:1"]}, {"vendor": "Red Hat", "product": "Red Hat Integration Camel Quarkus", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "vert.x", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:camel_quarkus:2"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Data Grid 7", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "packageName": "vert.x", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:jboss_data_grid:7"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 7", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "packageName": "vert.x", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:7"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "packageName": "vert.x", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "packageName": "vert.x", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:jbosseapxp"]}, {"vendor": "Red Hat", "product": "Red Hat Process Automation 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "vert.x", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:jboss_enterprise_bpms_platform:7"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:1662", "name": "RHSA-2024:1662", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:1706", "name": "RHSA-2024:1706", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:2088", "name": "RHSA-2024:2088", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:2833", "name": "RHSA-2024:2833", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:3527", "name": "RHSA-2024:3527", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:3989", "name": "RHSA-2024:3989", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:4884", "name": "RHSA-2024:4884", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-1023", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2260840", "name": "RHBZ#2260840", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://github.com/eclipse-vertx/vert.x/issues/5078"}, {"url": "https://github.com/eclipse-vertx/vert.x/pull/5080"}, {"url": "https://github.com/eclipse-vertx/vert.x/pull/5082"}], "datePublic": "2024-01-26T00:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-401", "description": "Missing Release of Memory after Effective Lifetime", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-401: Missing Release of Memory after Effective Lifetime", "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}], "timeline": [{"lang": "en", "time": "2024-01-29T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-01-26T00:00:00+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-02-27T03:21:28.665Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-04-03T17:46:25.667630Z", "id": "CVE-2024-1023", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-01T15:37:55.153Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:26:30.343Z"}, "title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:1662", "name": "RHSA-2024:1662", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:1706", "name": "RHSA-2024:1706", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:2088", "name": "RHSA-2024:2088", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:2833", "name": "RHSA-2024:2833", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:3527", "name": "RHSA-2024:3527", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:3989", "name": "RHSA-2024:3989", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:4884", "name": "RHSA-2024:4884", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-1023", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2260840", "name": "RHBZ#2260840", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://github.com/eclipse-vertx/vert.x/issues/5078", "tags": ["x_transferred"]}, {"url": "https://github.com/eclipse-vertx/vert.x/pull/5080", "tags": ["x_transferred"]}, {"url": "https://github.com/eclipse-vertx/vert.x/pull/5082", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:1662", "name": "RHSA-2024:1662", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:1706", "name": "RHSA-2024:1706", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:2088", "name": "RHSA-2024:2088", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:2833", "name": "RHSA-2024:2833", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:3527", "name": "RHSA-2024:3527", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:3989", "name": "RHSA-2024:3989", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:4884", "name": "RHSA-2024:4884", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-1023", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2260840", "name": "RHBZ#2260840", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://github.com/eclipse-vertx/vert.x/issues/5078", "tags": ["x_transferred"]}, {"url": "https://github.com/eclipse-vertx/vert.x/pull/5080", "tags": ["x_transferred"]}, {"url": "https://github.com/eclipse-vertx/vert.x/pull/5082", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:26:30.343Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-1023", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-03T17:46:25.667630Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-01T15:37:49.529Z"}}], "cna": {"title": "Io.vertx/vertx-core: memory leak due to the use of netty fastthreadlocal data structures in vertx", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"versions": [{"status": "affected", "version": "4.4.5"}, {"status": "affected", "version": "4.4.6"}, {"status": "affected", "version": "4.5.0"}, {"status": "affected", "version": "4.5.1"}], "packageName": "vertx-core", "collectionURL": "https://mvnrepository.com/artifact/io.vertx", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:camel_quarkus:3"], "vendor": "Red Hat", "product": "CEQ 3.2", "packageName": "vert.x", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:cryostat:2::el8"], "vendor": "Red Hat", "product": "Cryostat 2 on RHEL 8", "versions": [{"status": "unaffected", "version": "2.4.0-7", "lessThan": "*", "versionType": "rpm"}], "packageName": "cryostat-tech-preview/cryostat-grafana-dashboard-rhel8", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:cryostat:2::el8"], "vendor": "Red Hat", "product": "Cryostat 2 on RHEL 8", "versions": [{"status": "unaffected", "version": "2.4.0-4", "lessThan": "*", "versionType": "rpm"}], "packageName": "cryostat-tech-preview/cryostat-operator-bundle", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:cryostat:2::el8"], "vendor": "Red Hat", "product": "Cryostat 2 on RHEL 8", "versions": [{"status": "unaffected", "version": "2.4.0-4", "lessThan": "*", "versionType": "rpm"}], "packageName": "cryostat-tech-preview/cryostat-reports-rhel8", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:cryostat:2::el8"], "vendor": "Red Hat", "product": "Cryostat 2 on RHEL 8", "versions": [{"status": "unaffected", "version": "2.4.0-4", "lessThan": "*", "versionType": "rpm"}], "packageName": "cryostat-tech-preview/cryostat-rhel8", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:cryostat:2::el8"], "vendor": "Red Hat", "product": "Cryostat 2 on RHEL 8", "versions": [{"status": "unaffected", "version": "2.4.0-9", "lessThan": "*", "versionType": "rpm"}], "packageName": "cryostat-tech-preview/cryostat-rhel8-operator", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:cryostat:2::el8"], "vendor": "Red Hat", "product": "Cryostat 2 on RHEL 8", "versions": [{"status": "unaffected", "version": "2.4.0-4", "lessThan": "*", "versionType": "rpm"}], "packageName": "cryostat-tech-preview/jfr-datasource-rhel8", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:migration_toolkit_applications:6.2::el8", "cpe:/a:redhat:migration_toolkit_applications:6.2::el9"], "vendor": "Red Hat", "product": "MTA-6.2-RHEL-9", "versions": [{"status": "unaffected", "version": "6.2.3-2", "lessThan": "*", "versionType": "rpm"}], "packageName": "mta/mta-windup-addon-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:amq_streams:2"], "vendor": "Red Hat", "product": "Red Hat AMQ Streams 2.7.0", "packageName": "vert.x", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:apache_camel_spring_boot:4.4.1"], "vendor": "Red Hat", "product": "Red Hat build of Apache Camel 4.4.1 for Spring Boot", "packageName": "vert.x", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:quarkus:3.2::el8"], "vendor": "Red Hat", "product": "Red Hat build of Quarkus 3.2.11.Final", "versions": [{"status": "unaffected", "version": "4.4.8.redhat-00001", "lessThan": "*", "versionType": "rpm"}], "packageName": "io.vertx/vertx-core", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:service_registry:2.5"], "vendor": "Red Hat", "product": "RHINT Service Registry 2.5.11 GA", "packageName": "vert.x", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:a_mq_clients:2"], "vendor": "Red Hat", "product": "A-MQ Clients 2", "packageName": "vert.x", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:migration_toolkit_runtimes:1"], "vendor": "Red Hat", "product": "Migration Toolkit for Runtimes", "packageName": "vert.x", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:serverless:1"], "vendor": "Red Hat", "product": "OpenShift Serverless", "packageName": "vert.x", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:amq_broker:7"], "vendor": "Red Hat", "product": "Red Hat AMQ Broker 7", "packageName": "vert.x", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:camel_spring_boot:3"], "vendor": "Red Hat", "product": "Red Hat build of Apache Camel for Spring Boot 3", "packageName": "vert.x", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:build_keycloak:"], "vendor": "Red Hat", "product": "Red Hat Build of Keycloak", "packageName": "vert.x", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:optaplanner:::el6"], "vendor": "Red Hat", "product": "Red Hat build of OptaPlanner 8", "packageName": "vert.x", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:quarkus:2"], "vendor": "Red Hat", "product": "Red Hat build of Quarkus", "packageName": "io.vertx/vertx-core", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:jboss_data_grid:8"], "vendor": "Red Hat", "product": "Red Hat Data Grid 8", "packageName": "vert.x", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_fuse:7"], "vendor": "Red Hat", "product": "Red Hat Fuse 7", "packageName": "vert.x", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:integration:1"], "vendor": "Red Hat", "product": "Red Hat Integration Camel K", "packageName": "vert.x", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:camel_quarkus:2"], "vendor": "Red Hat", "product": "Red Hat Integration Camel Quarkus", "packageName": "vert.x", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_data_grid:7"], "vendor": "Red Hat", "product": "Red Hat JBoss Data Grid 7", "packageName": "vert.x", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:7"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 7", "packageName": "vert.x", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8", "packageName": "vert.x", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:jbosseapxp"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack", "packageName": "vert.x", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_bpms_platform:7"], "vendor": "Red Hat", "product": "Red Hat Process Automation 7", "packageName": "vert.x", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2024-01-29T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-01-26T00:00:00+00:00", "value": "Made public."}], "datePublic": "2024-01-26T00:00:00+00:00", "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:1662", "name": "RHSA-2024:1662", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:1706", "name": "RHSA-2024:1706", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:2088", "name": "RHSA-2024:2088", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:2833", "name": "RHSA-2024:2833", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:3527", "name": "RHSA-2024:3527", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:3989", "name": "RHSA-2024:3989", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:4884", "name": "RHSA-2024:4884", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-1023", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2260840", "name": "RHBZ#2260840", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://github.com/eclipse-vertx/vert.x/issues/5078"}, {"url": "https://github.com/eclipse-vertx/vert.x/pull/5080"}, {"url": "https://github.com/eclipse-vertx/vert.x/pull/5082"}], "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}], "descriptions": [{"lang": "en", "value": "A vulnerability in the Eclipse Vert.x toolkit results in a memory leak due to using Netty FastThreadLocal data structures. Specifically, when the Vert.x HTTP client establishes connections to different hosts, triggering the memory leak. The leak can be accelerated with intimate runtime knowledge, allowing an attacker to exploit this vulnerability. For instance, a server accepting arbitrary internet addresses could serve as an attack vector by connecting to these addresses, thereby accelerating the memory leak."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-401", "description": "Missing Release of Memory after Effective Lifetime"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-11-25T02:45:39.432Z"}, "x_redhatCweChain": "CWE-401: Missing Release of Memory after Effective Lifetime"}}, "cveMetadata": {"cveId": "CVE-2024-1023", "state": "PUBLISHED", "dateUpdated": "2024-11-25T02:45:39.432Z", "dateReserved": "2024-01-29T10:54:44.360Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2024-03-27T07:51:15.716Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "A vulnerability in the Eclipse Vert.x toolkit results in a memory leak due to using Netty FastThreadLocal data structures. Specifically, when the Vert.x HTTP client establishes connections to different hosts, triggering the memory leak. The leak can be accelerated with intimate runtime knowledge, allowing an attacker to exploit this vulnerability. For instance, a server accepting arbitrary internet addresses could serve as an attack vector by connecting to these addresses, thereby accelerating the memory leak."}, {"lang": "es", "value": "Una vulnerabilidad en el kit de herramientas Eclipse Vert.x provoca una p\u00e9rdida de memoria debido al uso de estructuras de datos Netty FastThreadLocal. Espec\u00edficamente, cuando el cliente HTTP Vert.x establece conexiones con diferentes hosts, lo que desencadena la p\u00e9rdida de memoria. La filtraci\u00f3n se puede acelerar con un conocimiento \u00edntimo del tiempo de ejecuci\u00f3n, lo que permite a un atacante explotar esta vulnerabilidad. Por ejemplo, un servidor que acepte direcciones de Internet arbitrarias podr\u00eda servir como vector de ataque al conectarse a estas direcciones, acelerando as\u00ed la p\u00e9rdida de memoria."}], "id": "CVE-2024-1023", "lastModified": "2024-11-25T03:15:09.013", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2024-03-27T08:15:38.140", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:1662"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:1706"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:2088"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:2833"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:3527"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:3989"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:4884"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2024-1023"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2260840"}, {"source": "secalert@redhat.com", "url": "https://github.com/eclipse-vertx/vert.x/issues/5078"}, {"source": "secalert@redhat.com", "url": "https://github.com/eclipse-vertx/vert.x/pull/5080"}, {"source": "secalert@redhat.com", "url": "https://github.com/eclipse-vertx/vert.x/pull/5082"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHSA-2024:1662"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHSA-2024:1706"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHSA-2024:2088"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHSA-2024:2833"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHSA-2024:3527"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHSA-2024:3989"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHSA-2024:4884"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/security/cve/CVE-2024-1023"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2260840"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/eclipse-vertx/vert.x/issues/5078"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/eclipse-vertx/vert.x/pull/5080"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/eclipse-vertx/vert.x/pull/5082"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "secalert@redhat.com", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:1706", "cpe": "cpe:/a:redhat:camel_quarkus:3", "package": "vert.x", "product_name": "CEQ 3.2", "release_date": "2024-04-09T00:00:00Z"}, {"advisory": "RHSA-2024:2088", "cpe": "cpe:/a:redhat:cryostat:2::el8", "package": "cryostat-tech-preview/cryostat-grafana-dashboard-rhel8:2.4.0-7", "product_name": "Cryostat 2 on RHEL 8", "release_date": "2024-04-29T00:00:00Z"}, {"advisory": "RHSA-2024:2088", "cpe": "cpe:/a:redhat:cryostat:2::el8", "package": "cryostat-tech-preview/cryostat-operator-bundle:2.4.0-4", "product_name": "Cryostat 2 on RHEL 8", "release_date": "2024-04-29T00:00:00Z"}, {"advisory": "RHSA-2024:2088", "cpe": "cpe:/a:redhat:cryostat:2::el8", "package": "cryostat-tech-preview/cryostat-reports-rhel8:2.4.0-4", "product_name": "Cryostat 2 on RHEL 8", "release_date": "2024-04-29T00:00:00Z"}, {"advisory": "RHSA-2024:2088", "cpe": "cpe:/a:redhat:cryostat:2::el8", "package": "cryostat-tech-preview/cryostat-rhel8:2.4.0-4", "product_name": "Cryostat 2 on RHEL 8", "release_date": "2024-04-29T00:00:00Z"}, {"advisory": "RHSA-2024:2088", "cpe": "cpe:/a:redhat:cryostat:2::el8", "package": "cryostat-tech-preview/cryostat-rhel8-operator:2.4.0-9", "product_name": "Cryostat 2 on RHEL 8", "release_date": "2024-04-29T00:00:00Z"}, {"advisory": "RHSA-2024:2088", "cpe": "cpe:/a:redhat:cryostat:2::el8", "package": "cryostat-tech-preview/jfr-datasource-rhel8:2.4.0-4", "product_name": "Cryostat 2 on RHEL 8", "release_date": "2024-04-29T00:00:00Z"}, {"advisory": "RHSA-2024:3989", "cpe": "cpe:/a:redhat:migration_toolkit_applications:6.2::el9", "package": "mta/mta-windup-addon-rhel9:6.2.3-2", "product_name": "MTA-6.2-RHEL-9", "release_date": "2024-06-20T00:00:00Z"}, {"advisory": "RHSA-2024:3527", "cpe": "cpe:/a:redhat:amq_streams:2", "package": "vert.x", "product_name": "Red Hat AMQ Streams 2.7.0", "release_date": "2024-05-30T00:00:00Z"}, {"advisory": "RHSA-2024:4884", "cpe": "cpe:/a:redhat:apache_camel_spring_boot:4.4.1", "package": "vert.x", "product_name": "Red Hat build of Apache Camel 4.4.1 for Spring Boot", "release_date": "2024-07-25T00:00:00Z"}, {"advisory": "RHSA-2024:1662", "cpe": "cpe:/a:redhat:quarkus:3.2::el8", "package": "io.vertx/vertx-core:4.4.8.redhat-00001", "product_name": "Red Hat build of Quarkus 3.2.11.Final", "release_date": "2024-04-03T00:00:00Z"}, {"advisory": "RHSA-2024:2833", "cpe": "cpe:/a:redhat:service_registry:2.5", "package": "vert.x", "product_name": "RHINT Service Registry 2.5.11 GA", "release_date": "2024-05-14T00:00:00Z"}], "bugzilla": {"description": "io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx", "id": "2260840", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2260840"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-401", "details": ["A vulnerability in the Eclipse Vert.x toolkit results in a memory leak due to using Netty FastThreadLocal data structures. Specifically, when the Vert.x HTTP client establishes connections to different hosts, triggering the memory leak. The leak can be accelerated with intimate runtime knowledge, allowing an attacker to exploit this vulnerability. For instance, a server accepting arbitrary internet addresses could serve as an attack vector by connecting to these addresses, thereby accelerating the memory leak.", "A vulnerability in the Eclipse Vert.x toolkit results in a memory leak due to using Netty FastThreadLocal data structures. Specifically, when the Vert.x HTTP client establishes connections to different hosts, triggering the memory leak. The leak can be accelerated with intimate runtime knowledge, allowing an attacker to exploit this vulnerability. For instance, a server accepting arbitrary internet addresses could serve as an attack vector by connecting to these addresses, thereby accelerating the memory leak."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-1023", "package_state": [{"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Not affected", "package_name": "vert.x", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:migration_toolkit_runtimes:1", "fix_state": "Affected", "package_name": "vert.x", "product_name": "Migration Toolkit for Runtimes"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Not affected", "package_name": "vert.x", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Not affected", "package_name": "vert.x", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:3", "fix_state": "Will not fix", "package_name": "vert.x", "product_name": "Red Hat build of Apache Camel for Spring Boot 3"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Affected", "package_name": "vert.x", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:optaplanner:::el6", "fix_state": "Will not fix", "package_name": "vert.x", "product_name": "Red Hat build of OptaPlanner 8"}, {"cpe": "cpe:/a:redhat:quarkus:2", "fix_state": "Not affected", "package_name": "io.vertx/vertx-core", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Affected", "package_name": "vert.x", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "vert.x", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Will not fix", "package_name": "vert.x", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:camel_quarkus:2", "fix_state": "Will not fix", "package_name": "vert.x", "product_name": "Red Hat Integration Camel Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Will not fix", "package_name": "vert.x", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "vert.x", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "vert.x", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "vert.x", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Not affected", "package_name": "vert.x", "product_name": "Red Hat Process Automation 7"}], "public_date": "2024-01-26T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-1023\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-1023\nhttps://github.com/eclipse-vertx/vert.x/issues/5078\nhttps://github.com/eclipse-vertx/vert.x/pull/5080\nhttps://github.com/eclipse-vertx/vert.x/pull/5082"], "threat_severity": "Moderate"}