CVE-2024-1300 - Vulnerability Details

A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00098.

Exploitation none

Automatable no

Technical Impact partial

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

unaffected

Version	Status	Constraints
`4.3.4`	affected	≤ 4.5.2

Red Hat CEQ 3.2 unaffected —

Red Hat

Cryostat 2 on RHEL 8

affected

Version	Status	Constraints
`2.4.0-7`	unaffected	< *

Red Hat

Cryostat 2 on RHEL 8

affected

Version	Status	Constraints
`2.4.0-4`	unaffected	< *

Red Hat

Cryostat 2 on RHEL 8

affected

Version	Status	Constraints
`2.4.0-4`	unaffected	< *

Red Hat

Cryostat 2 on RHEL 8

affected

Version	Status	Constraints
`2.4.0-4`	unaffected	< *

Red Hat

Cryostat 2 on RHEL 8

affected

Version	Status	Constraints
`2.4.0-9`	unaffected	< *

Red Hat

Cryostat 2 on RHEL 8

affected

Version	Status	Constraints
`2.4.0-4`	unaffected	< *

Red Hat

Migration Toolkit for Runtimes 1 on RHEL 8

affected

Version	Status	Constraints
`1.2-18`	unaffected	< *

Red Hat

Migration Toolkit for Runtimes 1 on RHEL 8

affected

Version	Status	Constraints
`1.2-11`	unaffected	< *

Red Hat

Migration Toolkit for Runtimes 1 on RHEL 8

affected

Version	Status	Constraints
`1.2-12`	unaffected	< *

Red Hat

Migration Toolkit for Runtimes 1 on RHEL 8

affected

Version	Status	Constraints
`1.2-10`	unaffected	< *

Red Hat

MTA-6.2-RHEL-9

affected

Version	Status	Constraints
`6.2.3-2`	unaffected	< *

Red Hat Red Hat AMQ Streams 2.7.0 unaffected —

Red Hat Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2 unaffected —

Red Hat

Red Hat build of Quarkus 3.2.11.Final

affected

Version	Status	Constraints
`4.4.8.redhat-00001`	unaffected	< *

Red Hat RHINT Service Registry 2.5.11 GA unaffected —

Red Hat A-MQ Clients 2 unaffected —

Red Hat OpenShift Serverless unaffected —

Red Hat Red Hat AMQ Broker 7 unaffected —

Red Hat Red Hat build of Apache Camel for Spring Boot 3 affected —

Red Hat Red Hat Build of Keycloak affected —

Red Hat Red Hat build of OptaPlanner 8 affected —

Red Hat Red Hat build of Quarkus affected —

Red Hat Red Hat Data Grid 8 unaffected —

Red Hat Red Hat Fuse 7 unaffected —

Red Hat Red Hat Integration Camel K 1 affected —

Red Hat Red Hat Integration Camel Quarkus 2 affected —

Red Hat Red Hat JBoss Data Grid 7 affected —

Red Hat Red Hat JBoss Enterprise Application Platform 7 unaffected —

Red Hat Red Hat JBoss Enterprise Application Platform 8 unaffected —

Red Hat Red Hat JBoss Enterprise Application Platform Expansion Pack unaffected —

Red Hat Red Hat Process Automation 7 affected —

No data.

Package	CPE	Advisory	Released Date
CEQ 3.2
vertx-core	cpe:/a:redhat:camel_quarkus:3	RHSA-2024:1706	2024-04-09T00:00:00Z
Cryostat 2 on RHEL 8
cryostat-tech-preview/cryostat-grafana-dashboard-rhel8:2.4.0-7	cpe:/a:redhat:cryostat:2::el8	RHSA-2024:2088	2024-04-29T00:00:00Z
cryostat-tech-preview/cryostat-operator-bundle:2.4.0-4	cpe:/a:redhat:cryostat:2::el8	RHSA-2024:2088	2024-04-29T00:00:00Z
cryostat-tech-preview/cryostat-reports-rhel8:2.4.0-4	cpe:/a:redhat:cryostat:2::el8	RHSA-2024:2088	2024-04-29T00:00:00Z
cryostat-tech-preview/cryostat-rhel8:2.4.0-4	cpe:/a:redhat:cryostat:2::el8	RHSA-2024:2088	2024-04-29T00:00:00Z
cryostat-tech-preview/cryostat-rhel8-operator:2.4.0-9	cpe:/a:redhat:cryostat:2::el8	RHSA-2024:2088	2024-04-29T00:00:00Z
cryostat-tech-preview/jfr-datasource-rhel8:2.4.0-4	cpe:/a:redhat:cryostat:2::el8	RHSA-2024:2088	2024-04-29T00:00:00Z
Migration Toolkit for Runtimes 1 on RHEL 8
mtr/mtr-operator-bundle:1.2-18	cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8	RHSA-2024:1923	2024-04-18T00:00:00Z
mtr/mtr-rhel8-operator:1.2-11	cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8	RHSA-2024:1923	2024-04-18T00:00:00Z
mtr/mtr-web-container-rhel8:1.2-12	cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8	RHSA-2024:1923	2024-04-18T00:00:00Z
mtr/mtr-web-executor-container-rhel8:1.2-10	cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8	RHSA-2024:1923	2024-04-18T00:00:00Z
MTA-6.2-RHEL-9
mta/mta-windup-addon-rhel9:6.2.3-2	cpe:/a:redhat:migration_toolkit_applications:6.2::el9	RHSA-2024:3989	2024-06-20T00:00:00Z
Red Hat AMQ Streams 2.7.0
vertx-core	cpe:/a:redhat:amq_streams:2	RHSA-2024:3527	2024-05-30T00:00:00Z
Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2
vertx-core	cpe:/a:redhat:apache_camel_spring_boot:4.4::el6	RHSA-2024:4884	2024-07-25T00:00:00Z
Red Hat build of Quarkus 3.2.11.Final
io.vertx/vertx-core:4.4.8.redhat-00001	cpe:/a:redhat:quarkus:3.2::el8	RHSA-2024:1662	2024-04-03T00:00:00Z
RHINT Service Registry 2.5.11 GA
vertx-core	cpe:/a:redhat:service_registry:2.5	RHSA-2024:2833	2024-05-14T00:00:00Z

No data.

Project Subscriptions

Vendors	Products
Redhat Subscribe	A Mq Clients Subscribe Amq Broker Subscribe Amq Streams Subscribe Apache Camel Spring Boot Subscribe Build Keycloak Subscribe Camel Quarkus Subscribe Camel Spring Boot Subscribe Cryostat Subscribe Integration Subscribe Jboss Data Grid Subscribe Jboss Enterprise Application Platform Subscribe Jboss Enterprise Bpms Platform Subscribe Jboss Fuse Subscribe Jbosseapxp Subscribe Migration Toolkit Applications Subscribe Migration Toolkit Runtimes Subscribe Optaplanner Subscribe Quarkus Subscribe Serverless Subscribe Service Registry Subscribe

Advisories

Source	ID	Title
EUVD	EUVD-2024-1174	A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error.
Github GHSA	GHSA-9ph3-v2vh-3qx7	Eclipse Vert.x vulnerable to a memory leak in TCP servers

Fixes

Solution

No solution given by the vendor.

Workaround

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

References

Link	Providers
https://access.redhat.com/errata/RHSA-2024:1662
https://access.redhat.com/errata/RHSA-2024:1706
https://access.redhat.com/errata/RHSA-2024:1923
https://access.redhat.com/errata/RHSA-2024:2088
https://access.redhat.com/errata/RHSA-2024:2833
https://access.redhat.com/errata/RHSA-2024:3527
https://access.redhat.com/errata/RHSA-2024:3989
https://access.redhat.com/errata/RHSA-2024:4884
https://access.redhat.com/security/cve/CVE-2024-1300
https://bugzilla.redhat.com/show_bug.cgi?id=2263139
https://nvd.nist.gov/vuln/detail/CVE-2024-1300
https://vertx.io/docs/vertx-core/java/#_server_name_indication_sni.
https://www.cve.org/CVERecord?id=CVE-2024-1300

History

Wed, 25 Jun 2025 02:45:00 +0000

Type	Values Removed	Values Added
CPEs	~~cpe:/a:redhat:apache_camel_spring_boot:4.4.1~~

Tue, 24 Jun 2025 19:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:apache_camel_spring_boot:4.4::el6

Mon, 25 Nov 2024 05:15:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-400

Fri, 22 Nov 2024 16:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-1392 CWE-401

Thu, 19 Sep 2024 02:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 18 Sep 2024 08:45:00 +0000

Type	Values Removed	Values Added
CPEs	~~cpe:/a:redhat:build_keycloak:22~~	cpe:/a:redhat:build_keycloak:

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2024-04-02T07:33:05.215Z

Updated: 2025-11-07T10:49:15.550Z

Reserved: 2024-02-07T07:11:11.156Z

Link: CVE-2024-1300

Vulnrichment

Updated: 2024-08-01T18:33:25.527Z

NVD

Status : Awaiting Analysis

Published: 2024-04-02T08:15:53.993

Modified: 2024-11-25T03:15:10.053

Link: CVE-2024-1300

Redhat

Severity : Moderate

Publid Date: 2024-02-06T00:00:00Z

Links: CVE-2024-1300 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact Low

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object