CVE-2024-1023 — Eclipse Vert.x memory leak

Description

A vulnerability in the Eclipse Vert.x toolkit results in a memory leak due to using Netty FastThreadLocal data structures. Specifically, when the Vert.x HTTP client establishes connections to different hosts, triggering the memory leak. The leak can be accelerated with intimate runtime knowledge, allowing an attacker to exploit this vulnerability. For instance, a server accepting arbitrary internet addresses could serve as an attack vector by connecting to these addresses, thereby accelerating the memory leak.

How to fix CVE-2024-1023

To remediate CVE-2024-1023, upgrade the affected package to a fixed version below.

—upgrade to 4.5.2 or later

Is CVE-2024-1023 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 4.5.0, < 4.5.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References (16)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-1023
PATCHgithub.com/eclipse-vertx/vert.x
WEBaccess.redhat.com/errata/RHSA-2024:1662
WEBaccess.redhat.com/errata/RHSA-2024:1706
WEBaccess.redhat.com