CVE-2023-4586
MEDIUM 5.3 | EPSS 0.24% | Withdrawn Advisory: Netty-handler does not validate host names by default
Description
## Withdrawn Advisory

This advisory has been withdrawn because the underlying vulnerability only concerns Red Hat's Hot Rod client, which is not in one of the GitHub Advisory Database's [supported ecosystems](https://github.com/github/advisory-database/blob/main/README.md#supported-ecosystems). This link is maintained to preserve external references.

## Original Description

Netty-handler has been found to not validate hostnames when using TLS in its default configuration. As a result, netty-handler is vulnerable to man-in-the-middle attacks. Users would need to set the endpoint identification algorithm to "HTTPS" in the SSLParameters of the SSLEngine to opt in to host name validation. A change in default behavior is expected in the `5.x` release branch with no backport planned. In the interim, users are advised to enable host name validation in their configurations. See https://github.com/netty/netty/issues/8537 for details on the forthcoming change in default behavior.
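The opt-in described above, as an added example that is not code from the advisory or from the Netty project: a client-side `ChannelInitializer` that builds a Netty `SSLEngine` for a known peer host and port, then turns on endpoint identification through `SSLParameters.setEndpointIdentificationAlgorithm("HTTPS")` before installing the `SslHandler`. The class name, the `peerHost`/`peerPort` fields and the `isHostnameVerificationEnabled` helper are assumptions made for this example; the Netty and JSSE calls themselves are standard.

```java
import io.netty.channel.Channel;
import io.netty.channel.ChannelInitializer;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;

import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;

/**
 * Hypothetical client initializer (example code, not part of Netty).
 * On netty-handler 4.1.x the SslContext alone does NOT check that the
 * server certificate matches the host we dialed; the engine must be told
 * to do so explicitly, otherwise any certificate chaining to a trusted CA
 * is accepted for any host name.
 */
public final class HostnameVerifyingInitializer extends ChannelInitializer<Channel> {

    private final SslContext sslContext;
    private final String peerHost;  // the name we expect in the server certificate
    private final int peerPort;

    public HostnameVerifyingInitializer(String peerHost, int peerPort) throws SSLException {
        // Default client context: trusts the JDK CA store, but no host name check yet.
        this.sslContext = SslContextBuilder.forClient().build();
        this.peerHost = peerHost;
        this.peerPort = peerPort;
    }

    @Override
    protected void initChannel(Channel ch) {
        // Passing host and port here gives the engine the name to verify against
        // (and lets it send SNI); without them there is nothing to compare to.
        SSLEngine engine = sslContext.newEngine(ch.alloc(), peerHost, peerPort);

        // The hardened part: opt in to host name validation (the advisory's mitigation).
        enableHostnameVerification(engine);

        ch.pipeline().addFirst("ssl", new SslHandler(engine));
    }

    /** Enables RFC 2818 style host name matching on an existing engine. */
    static void enableHostnameVerification(SSLEngine engine) {
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
    }

    /**
     * Assumed helper for a unit test or a startup self-check: returns true only
     * if the engine will reject a certificate issued for a different host.
     */
    static boolean isHostnameVerificationEnabled(SSLEngine engine) {
        String algorithm = engine.getSSLParameters().getEndpointIdentificationAlgorithm();
        return "HTTPS".equalsIgnoreCase(algorithm) || "LDAPS".equalsIgnoreCase(algorithm);
    }
}
```

Without the `enableHostnameVerification` call the handshake still succeeds as long as the chain is trusted, which is exactly the man-in-the-middle exposure the advisory describes; wiring `isHostnameVerificationEnabled` into a test against every `SSLEngine` your code creates is a cheap way to make sure the opt-in does not regress when the pipeline is refactored.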
Affected packages (1)
- Maven / io.netty:netty-handler: >= 4.1.0.Final, <= 4.1.99.Final
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
References (7)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2023-4586
- PATCH: https://github.com/netty/netty
- WEB: https://access.redhat.com/security/cve/CVE-2023-4586
- WEB: https://bugzilla.redhat.com/show_bug.cgi?id=2235564
- WEB: https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/SSLParameters.html#setEndpointIdentificationAlgorithm-java.lang.String-
- WEB: https://github.com/netty/netty/issues/8537
- WEB: https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-1042268