CVE-2023-34462: 
Java vulnerability analysis and mitigation

Netty's SniHandler class, discovered in June 2023 (CVE-2023-34462), contains a vulnerability that affects versions prior to 4.1.94.Final. The vulnerability exists in the TLS handshake process where the SniHandler can allocate up to 16MB of heap memory for each channel. This handler waits for the TLS handshake to configure a SslHandler according to the indicated server name by the ClientHello record (GitHub Advisory).

The vulnerability occurs during the TLS handshake process where the SniHandler allocates a ByteBuf using the value defined in the ClientHello record. While normally the packet should be smaller than the handshake packet, there are no checks implemented, allowing a crafted packet to make the SslClientHelloHandler allocate a 16MB ByteBuf without failing the decode method. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NetApp Advisory).

If a server using Netty's SniHandler has no idle timeout handler configured, a remote attacker could send a client hello packet that forces the server to buffer up to 16MB of data per connection. This could lead to an OutOfMemoryError and result in a Denial of Service (DoS) attack (Debian Security).

The vulnerability has been fixed in Netty version 4.1.94.Final. The fix includes adding a new constructor that allows limiting the maximum length of a ClientHello message. Organizations using affected versions should upgrade to the patched version. If immediate upgrading is not possible, implementing idle timeout handlers can help mitigate the risk (GitHub Advisory).