CVE-2023-34462
Denial of Service vulnerability in netty-handler (Maven)

Denial of Service | No known exploit | Fixable by Resolved Security

What is CVE-2023-34462 About?

This vulnerability in the `SniHandler` allows a remote attacker to trigger a Denial of Service (DoS) by causing excessive memory allocation during the TLS handshake. By sending a ClientHello packet whose declared handshake length is far larger than the data actually transmitted, an attacker can force the server to allocate up to 16MB of heap memory per connection; when no idle timeout is configured, that memory stays allocated for as long as the connection remains open. Repeating this across many connections can lead to an `OutOfMemoryError`, making the vulnerability easy to exploit for resource exhaustion.

Affected Software

io.netty:netty-handler <4.1.94.Final

Technical Details

The SniHandler waits for the start of the TLS handshake and configures an SslHandler according to the server name indicated in the ClientHello record. To do so, the underlying SslClientHelloHandler reads the length field of the ClientHello handshake message and allocates a ByteBuf of that size to reassemble the message, which may span several TLS records. Normally the declared length is small and matches the data that follows, but the affected versions do not check it against the bytes actually received. An attacker can therefore craft a ClientHello record that (1) makes the handler allocate a ByteBuf of up to 16MB on the heap, the maximum the 24-bit handshake length field can express, (2) does not make the decode method fail on the incoming ('in') buffer, and (3) lets the handler leave its processing loop without an exception while it waits for the remaining bytes, which never arrive. When neither the handler nor the channel has an idle timeout configured, every such connection holds its 16MB allocation indefinitely. By opening many connections and repeating the crafted packet, an attacker accumulates these allocations faster than they are released, exhausting the heap and producing an OutOfMemoryError and a Denial of Service (DoS) for the application.

What is the Impact of CVE-2023-34462?

Successful exploitation may allow attackers to trigger a Denial of Service (DoS) by exhausting system memory resources, leading to application crashes or unresponsiveness.

What is the Exploitability of CVE-2023-34462?

Exploitation is of low complexity and can be performed remotely. The primary prerequisite is that the target server uses the SniHandler and, crucially, has no idle timeout configured on the handler or the channel (for example, no IdleStateHandler in the pipeline). No authentication or privileges are required, because the allocation happens while the ClientHello is being parsed, before the handshake completes and before any application-level authentication. The attacker only needs network connectivity to the vulnerable server's TLS port: each connection sends a ClientHello with an inflated handshake length and is then left open, and the process is repeated until the heap is exhausted. The risk is high wherever the vulnerable handler runs without a timeout, since the attack is cheap for the attacker while costing the server up to 16MB per connection.

What are the Known Public Exploits?

No known public exploits (PoC, author, link, commentary: none recorded).

What are the Available Fixes for CVE-2023-34462?

A Fix by Resolved Security Exists!
Fix open-source vulnerabilities without upgrading your dependencies.

About the Fix from Resolved Security

The patch introduces a configurable maximum length for the ClientHello message and enforces it during SNI processing, throwing an exception and aborting the handshake if this limit is exceeded. This mitigates CVE-2023-34462 by rejecting an excessively large declared ClientHello before the corresponding buffer is allocated, so a remote client can no longer dictate a 16MB allocation. The issue is a resource-exhaustion (DoS) flaw rather than a memory-corruption one: Netty's ByteBuf is bounds-checked, so no heap buffer overflow is involved. Note also that the length cap bounds the size of a single allocation; an idle or handshake timeout on the channel is still needed to bound how long a stalled client can hold whatever it was allowed to allocate.
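The allocation pattern described under Technical Details and the length check described in the fix above, as an added Python example written for this page (it is not Netty's code and not Resolved Security's patch): it builds a TLS record whose 24-bit handshake length field claims a 16MB ClientHello while carrying only a few bytes, shows a decoder that sizes its reassembly buffer from that field (the pre-fix behaviour), and a hardened decoder that rejects the declared length before allocating anything. The helper names, the `TooLongFrameError` class, the sample ClientHello bytes and the 16 KiB cap used in the usage section are all assumptions chosen for the example.

```python
"""
Constructed demonstration of the CVE-2023-34462 allocation pattern (not Netty code).

A TLS record carrying a ClientHello has two length fields: the 16-bit record
length (at most 16 KiB of payload per record) and the 24-bit handshake length,
which may claim up to 0xFFFFFF (~16 MiB) because one handshake message may span
several records. A decoder that sizes its reassembly buffer from the 24-bit
field before that data has arrived lets the peer choose the allocation.
"""
from __future__ import annotations

import struct

TLS_HANDSHAKE = 0x16            # record content type: handshake
HANDSHAKE_CLIENT_HELLO = 0x01   # handshake message type: client_hello
RECORD_HEADER_LEN = 5           # type(1) + version(2) + length(2)
HANDSHAKE_HEADER_LEN = 4        # msg_type(1) + length(3)
HANDSHAKE_LENGTH_MAX = 0xFFFFFF  # largest value the 3-byte length field can hold


class TooLongFrameError(Exception):
    """Hypothetical error raised by the hardened decoder when the declared length exceeds the cap."""


def build_client_hello_record(declared_len: int, body: bytes) -> bytes:
    """Build one TLS record whose handshake header claims `declared_len` bytes
    but which actually carries only `body`. Constructed sample data; the
    record length is honest, only the handshake length is inflated."""
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + declared_len.to_bytes(3, "big") + body
    record_header = bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack(">H", len(handshake))
    return record_header + handshake


def _parse_headers(record: bytes) -> tuple[int, bytes]:
    """Return (declared handshake length, handshake bytes present in this record)."""
    if len(record) < RECORD_HEADER_LEN + HANDSHAKE_HEADER_LEN:
        raise ValueError("record too short for a ClientHello header")
    content_type = record[0]
    record_len = struct.unpack(">H", record[3:5])[0]
    if content_type != TLS_HANDSHAKE or record[5] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello record")
    declared_len = int.from_bytes(record[6:9], "big")
    start = RECORD_HEADER_LEN + HANDSHAKE_HEADER_LEN
    body = record[start:RECORD_HEADER_LEN + record_len]
    return declared_len, body


def decode_vulnerable(record: bytes) -> bytearray:
    """Pre-fix pattern: size the reassembly buffer from the peer-controlled
    24-bit length and wait for the rest. Returns the buffer that was allocated,
    which is up to ~16 MiB per connection regardless of bytes actually sent."""
    declared_len, body = _parse_headers(record)
    buf = bytearray(declared_len)    # allocation chosen by the remote client
    buf[:len(body)] = body           # the remainder stays "pending" until more data arrives
    return buf


def decode_hardened(record: bytes, max_client_hello_length: int) -> bytearray:
    """Post-fix pattern: compare the declared length against a deployer-chosen cap
    and abort the handshake before allocating anything."""
    declared_len, body = _parse_headers(record)
    if declared_len > max_client_hello_length:
        raise TooLongFrameError(
            f"ClientHello length {declared_len} exceeds {max_client_hello_length}"
        )
    buf = bytearray(declared_len)
    buf[:len(body)] = body
    return buf


if __name__ == "__main__":
    # Constructed ClientHello fragment: legacy_version 0x0303 plus a 32-byte random.
    fragment = b"\x03\x03" + b"\x00" * 32
    crafted = build_client_hello_record(HANDSHAKE_LENGTH_MAX, fragment)
    print("crafted record on the wire:", len(crafted), "bytes")
    print("vulnerable decoder allocated:", len(decode_vulnerable(crafted)), "bytes")
    try:
        decode_hardened(crafted, max_client_hello_length=16 * 1024)  # example cap: one record
    except TooLongFrameError as e:
        print("hardened decoder:", e)
```

The 43-byte crafted record costs the vulnerable decoder a 16,777,215-byte buffer, while the hardened decoder rejects it without allocating. The cap only bounds the size of each accepted allocation; a client that sends a legitimate-looking length and then goes silent still holds its buffer until an idle or handshake timeout on the connection closes it, which is why the page lists the missing idle timeout as the other precondition.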

Available Upgrade Options

  • io.netty:netty-handler
    • <4.1.94.Final → Upgrade to 4.1.94.Final


Additional Resources

What are Similar Vulnerabilities to CVE-2023-34462?

Similar Vulnerabilities: CVE-2022-21972, CVE-2020-35496, CVE-2019-10022, CVE-2018-12536, CVE-2017-15707