CVE-2023-34462: netty-handler SniHandler 16MB allocation

Published Jun 20, 2023
·
Updated

Summary The SniHandler can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the SniHandler to allocate 16MB of heap.

Details The SniHandler class is a handler that waits for the TLS handshake to configure a SslHandler according to the indicated server name by the ClientHello record. For this matter it allocates a ByteBuf using the value defined in the ClientHello record.

Normally the value of the packet should be smaller than the handshake packet but there are not checks done here and the way the code is written, it is possible to craft a packet that makes the SslClientHelloHandler

1/ allocate a 16MB ByteBuf 2/ not fail decode method in buffer 3/ get out of the loop without an exception

The combination of this without the use of a timeout makes easy to connect to a TCP server and allocate 16MB of heap memory per connection.

Impact If the user has no idle timeout handler configured it might be possible for a remote peer to send a client hello packet which lead the server to buffer up to 16MB of data per connection. This could lead to a OutOfMemoryError and so result in a DDOS.

Other sources

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The SniHandler can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the SniHandler to allocate 16MB of heap. The SniHandler class is a handler that waits for the TLS handshake to configure a SslHandler according to the indicated server name by the ClientHello record. For this matter it allocates a ByteBuf using the value defined in the ClientHello record. Normally the value of the packet should be smaller than the handshake packet but there are not checks done here and the way the code is written, it is possible to craft a packet that makes the SslClientHelloHandler. This vulnerability has been fixed in version 4.1.94.Final.

MITRE

Netty is vulnerable to a denial of service, caused by a flaw with allocating up to 16MB of heap for each channel during the TLS handshake the SniHandler class. By sending a specially crafted client hello packet, a remote authenticated attacker could exploit this vulnerability to cause a OutOfMemoryError and so result in a denial of service condition.

IBM

Affected Software

10 affected componentsFixes available
maven/io.netty:netty-handler<4.1.94.Final
4.1.94.Final
debian/netty
1:4.1.48-4+deb11u21:4.1.48-7+deb12u11:4.1.48-10
IBM Data Virtualization on Cloud Pak for Data<=3.0
IBM Watson Query on Cloud Pak for Data<=2.2
IBM Watson Query on Cloud Pak for Data<=2.1
IBM Watson Query on Cloud Pak for Data<=2.0
IBM Data Virtualization on Cloud Pak for Data<=1.8
IBM Data Virtualization on Cloud Pak for Data<=1.7
Netty Netty<4.1.94
redhat/netty<4.1.94.
4.1.94.

Remediation

Patch Available

https://github.com/netty/netty/commit/535da17e45201ae4278c0479e6162bb4127d4c32

Event History

Jun 20, 2023
Advisory Published
via GitHub·04:33 PM
Jun 22, 2023
CVE Published
via MITRE·11:00 PM
Data Sourced
via MITRE·11:00 PM
DescriptionSeverityWeakness
Jun 23, 2023
Data Sourced
via Red Hat·04:18 AM
DescriptionSeverityAffected Software
Data Sourced
03:06 PM
SeverityAffected Software
Sep 9, 2024
Data Sourced
via Launchpad·08:20 PM
Description
Sep 13, 2024
Data Sourced
via Ubuntu·08:19 PM
RemedyDescriptionSeverityAffected Software
Aug 15, 2025
Data Sourced
via IBM·03:29 PM
DescriptionAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is CVE-2023-34462?

CVE-2023-34462 refers to a vulnerability in the Netty framework that allows the SniHandler to allocate up to 16MB of heap for each channel during the TLS handshake.

2

How does CVE-2023-34462 impact Netty?

CVE-2023-34462 can result in excessive memory usage by the SniHandler during the TLS handshake, potentially leading to resource exhaustion and denial of service.

3

What is the severity of CVE-2023-34462?

CVE-2023-34462 has a severity score of 6.5, which is considered medium.

4

Which versions of Netty are affected by CVE-2023-34462?

Netty versions up to and including 4.1.94 are affected by CVE-2023-34462.

5

How can CVE-2023-34462 be fixed?

To fix CVE-2023-34462, upgrade to version 4.1.95 or later of the Netty framework.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203