#VU88189 Memory leak in Vert.x - CVE-2024-1023

Cybersecurity Help s.r.o.

Published: 2024-04-05

Vulnerability identifier: #VU88189

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-1023

CWE-ID: CWE-401

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Vert.x
Web applications / Modules and components for CMS

Vendor: Eclipse

Description
The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak when using Netty FastThreadLocal data structures. A remote attacker can force the application to leak memory and perform denial of service attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Vert.x: 4.4.5 - 4.4.6, 4.5.0 - 4.5.1

External links
https://bugzilla.redhat.com/show_bug.cgi?id=2260840
https://github.com/eclipse-vertx/vert.x/issues/5078
https://github.com/eclipse-vertx/vert.x/pull/5080
https://github.com/eclipse-vertx/vert.x/pull/5082

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Cloud Pak for Business Automation

Memory leak in IBM Event Streams

Multiple vulnerabilities in IBM Event Endpoint Management

Multiple vulnerabilities in Red Hat Migration Toolkit for Applications 6.2

Multiple vulnerabilities in AMQ Streams 2.7

Multiple vulnerabilities in Red Hat Integration Camel Extensions for Quarkus 3.2

Multiple vulnerabilities in Red Hat Integration - Service Registry 2.5

Multiple vulnerabilities in IBM Asset Data Dictionary Component

Multiple vulnerabilities in IBM Cloud Pak for Business Automation

Multiple vulnerabilities in Red Hat build of Cryostat 2 on RHEL 8