{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2023-34462", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-06-06T16:16:53.560Z", "datePublished": "2023-06-22T23:00:12.104Z", "dateUpdated": "2025-02-13T16:55:36.190Z"}, "containers": {"cna": {"title": "netty-handler SniHandler 16MB allocation", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/netty/netty/security/advisories/GHSA-6mjq-h674-j845", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/netty/netty/security/advisories/GHSA-6mjq-h674-j845"}, {"name": "https://github.com/netty/netty/commit/535da17e45201ae4278c0479e6162bb4127d4c32", "tags": ["x_refsource_MISC"], "url": "https://github.com/netty/netty/commit/535da17e45201ae4278c0479e6162bb4127d4c32"}, {"url": "https://security.netapp.com/advisory/ntap-20230803-0001/"}, {"url": "https://www.debian.org/security/2023/dsa-5558"}, {"url": "https://security.netapp.com/advisory/ntap-20240621-0007/"}], "affected": [{"vendor": "netty", "product": "netty", "versions": [{"version": "< 4.1.94.Final", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-21T19:08:21.092Z"}, "descriptions": [{"lang": "en", "value": "Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` to allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the indicated server name by the `ClientHello` record. For this matter it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet but there are not checks done here and the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final."}], "source": {"advisory": "GHSA-6mjq-h674-j845", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-16T18:36:13.070529Z", "id": "CVE-2023-34462", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-16T18:36:18.892Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:10:07.000Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/netty/netty/security/advisories/GHSA-6mjq-h674-j845", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/netty/netty/security/advisories/GHSA-6mjq-h674-j845"}, {"name": "https://github.com/netty/netty/commit/535da17e45201ae4278c0479e6162bb4127d4c32", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/netty/netty/commit/535da17e45201ae4278c0479e6162bb4127d4c32"}, {"url": "https://security.netapp.com/advisory/ntap-20230803-0001/", "tags": ["x_transferred"]}, {"url": "https://www.debian.org/security/2023/dsa-5558", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240621-0007/", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/netty/netty/security/advisories/GHSA-6mjq-h674-j845", "name": "https://github.com/netty/netty/security/advisories/GHSA-6mjq-h674-j845", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/netty/netty/commit/535da17e45201ae4278c0479e6162bb4127d4c32", "name": "https://github.com/netty/netty/commit/535da17e45201ae4278c0479e6162bb4127d4c32", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20230803-0001/", "tags": ["x_transferred"]}, {"url": "https://www.debian.org/security/2023/dsa-5558", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240621-0007/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:10:07.000Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-34462", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-16T18:36:13.070529Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-16T18:36:16.812Z"}}], "cna": {"title": "netty-handler SniHandler 16MB allocation", "source": {"advisory": "GHSA-6mjq-h674-j845", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "netty", "product": "netty", "versions": [{"status": "affected", "version": "< 4.1.94.Final"}]}], "references": [{"url": "https://github.com/netty/netty/security/advisories/GHSA-6mjq-h674-j845", "name": "https://github.com/netty/netty/security/advisories/GHSA-6mjq-h674-j845", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/netty/netty/commit/535da17e45201ae4278c0479e6162bb4127d4c32", "name": "https://github.com/netty/netty/commit/535da17e45201ae4278c0479e6162bb4127d4c32", "tags": ["x_refsource_MISC"]}, {"url": "https://security.netapp.com/advisory/ntap-20230803-0001/"}, {"url": "https://www.debian.org/security/2023/dsa-5558"}, {"url": "https://security.netapp.com/advisory/ntap-20240621-0007/"}], "descriptions": [{"lang": "en", "value": "Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` to allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the indicated server name by the `ClientHello` record. For this matter it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet but there are not checks done here and the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-21T19:08:21.092Z"}}}, "cveMetadata": {"cveId": "CVE-2023-34462", "state": "PUBLISHED", "dateUpdated": "2025-02-13T16:55:36.190Z", "dateReserved": "2023-06-06T16:16:53.560Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-06-22T23:00:12.104Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*", "matchCriteriaId": "81839C38-65FD-4F9E-A654-29E4FB5D047C", "versionEndExcluding": "4.1.94", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` to allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the indicated server name by the `ClientHello` record. For this matter it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet but there are not checks done here and the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final."}], "id": "CVE-2023-34462", "lastModified": "2024-11-21T08:07:18.337", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-06-22T23:15:09.573", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/netty/netty/commit/535da17e45201ae4278c0479e6162bb4127d4c32"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/netty/netty/security/advisories/GHSA-6mjq-h674-j845"}, {"source": "security-advisories@github.com", "url": "https://security.netapp.com/advisory/ntap-20230803-0001/"}, {"source": "security-advisories@github.com", "url": "https://security.netapp.com/advisory/ntap-20240621-0007/"}, {"source": "security-advisories@github.com", "url": "https://www.debian.org/security/2023/dsa-5558"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/netty/netty/commit/535da17e45201ae4278c0479e6162bb4127d4c32"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/netty/netty/security/advisories/GHSA-6mjq-h674-j845"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20230803-0001/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20240621-0007/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.debian.org/security/2023/dsa-5558"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2023:7697", "cpe": "cpe:/a:redhat:amq_clients:2023_q4", "package": "netty", "product_name": "AMQ Clients", "release_date": "2023-12-07T00:00:00Z"}, {"advisory": "RHSA-2023:7669", "cpe": "cpe:/a:redhat:cryostat:2::el8", "package": "cryostat-tech-preview/cryostat-grafana-dashboard-rhel8:2.4.0-2", "product_name": "Cryostat 2 on RHEL 8", "release_date": "2023-12-06T00:00:00Z"}, {"advisory": "RHSA-2023:7669", "cpe": "cpe:/a:redhat:cryostat:2::el8", "package": "cryostat-tech-preview/cryostat-operator-bundle:2.4.0-2", "product_name": "Cryostat 2 on RHEL 8", "release_date": "2023-12-06T00:00:00Z"}, {"advisory": "RHSA-2023:7669", "cpe": "cpe:/a:redhat:cryostat:2::el8", "package": "cryostat-tech-preview/cryostat-reports-rhel8:2.4.0-2", "product_name": "Cryostat 2 on RHEL 8", "release_date": "2023-12-06T00:00:00Z"}, {"advisory": "RHSA-2023:7669", "cpe": "cpe:/a:redhat:cryostat:2::el8", "package": "cryostat-tech-preview/cryostat-rhel8:2.4.0-2", "product_name": "Cryostat 2 on RHEL 8", "release_date": "2023-12-06T00:00:00Z"}, {"advisory": "RHSA-2023:7669", "cpe": "cpe:/a:redhat:cryostat:2::el8", "package": "cryostat-tech-preview/cryostat-rhel8-operator:2.4.0-3", "product_name": "Cryostat 2 on RHEL 8", "release_date": "2023-12-06T00:00:00Z"}, {"advisory": "RHSA-2023:7669", "cpe": "cpe:/a:redhat:cryostat:2::el8", "package": "cryostat-tech-preview/jfr-datasource-rhel8:2.4.0-2", "product_name": "Cryostat 2 on RHEL 8", "release_date": "2023-12-06T00:00:00Z"}, {"advisory": "RHSA-2023:5488", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4", "package": "netty", "product_name": "EAP 7.4.13", "release_date": "2023-10-05T00:00:00Z"}, {"advisory": "RHSA-2023:5946", "cpe": "cpe:/a:redhat:amq_broker:7", "package": "netty", "product_name": "Red Hat AMQ Broker 7", "release_date": "2023-10-19T00:00:00Z"}, {"advisory": "RHSA-2023:5165", "cpe": "cpe:/a:redhat:amq_streams:2", "product_name": "Red Hat AMQ Streams 2.5.0", "release_date": "2023-09-14T00:00:00Z"}, {"advisory": "RHSA-2023:7700", "cpe": "cpe:/a:redhat:quarkus:2.13::el8", "package": "io.netty/netty-handler:4.1.100.Final-redhat-00001", "product_name": "Red Hat build of Quarkus 2.13.9.Final", "release_date": "2023-12-07T00:00:00Z"}, {"advisory": "RHSA-2023:5396", "cpe": "cpe:/a:redhat:jboss_data_grid:8", "package": "netty", "product_name": "Red Hat Data Grid 8.4.4", "release_date": "2023-09-28T00:00:00Z"}, {"advisory": "RHSA-2023:5485", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-netty-0:4.1.94-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2023-10-06T00:00:00Z"}, {"advisory": "RHSA-2023:5485", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-netty-transport-native-epoll-0:4.1.94-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2023-10-06T00:00:00Z"}, {"advisory": "RHSA-2023:5486", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-netty-0:4.1.94-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2023-10-06T00:00:00Z"}, {"advisory": "RHSA-2023:5486", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-netty-transport-native-epoll-0:4.1.94-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2023-10-06T00:00:00Z"}, {"advisory": "RHSA-2023:5484", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-netty-0:4.1.94-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2023-10-05T00:00:00Z"}, {"advisory": "RHSA-2023:5484", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-netty-transport-native-epoll-0:4.1.94-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2023-10-05T00:00:00Z"}, {"advisory": "RHSA-2024:0148", "cpe": "cpe:/a:redhat:camel_k:1.10.5", "package": "netty", "product_name": "RHINT Camel-K 1.10.5", "release_date": "2024-01-10T00:00:00Z"}, {"advisory": "RHSA-2023:5441", "cpe": "cpe:/a:redhat:camel_spring_boot:4.0.0", "package": "netty", "product_name": "RHINT Camel-Springboot 4.0.0", "release_date": "2023-10-04T00:00:00Z"}, {"advisory": "RHSA-2023:7653", "cpe": "cpe:/a:redhat:service_registry:2.5", "package": "netty", "product_name": "RHINT Service Registry 2.5.4 GA", "release_date": "2023-12-05T00:00:00Z"}], "bugzilla": {"description": "netty: SniHandler 16MB allocation leads to OOM", "id": "2216888", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2216888"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-770", "details": ["Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` to allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the indicated server name by the `ClientHello` record. For this matter it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet but there are not checks done here and the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final.", "A flaw was found in Netty's SniHandler while navigating TLS handshake which may permit a large heap allocation if the handler did not have a timeout configured. This issue may allow an attacker to send a client hello packet which would cause the server to buffer large amounts of data per connection, potentially causing an out of memory error, resulting in Denial of Service."], "mitigation": {"lang": "en:us", "value": "Configuration of SniHandler with an idle timeout will mitigate this issue."}, "name": "CVE-2023-34462", "package_state": [{"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Affected", "package_name": "netty", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/elasticsearch6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:migration_toolkit_applications:6", "fix_state": "Affected", "package_name": "org.jboss.windup-windup-parent", "product_name": "Migration Toolkit for Applications 6"}, {"cpe": "cpe:/a:redhat:migration_toolkit_runtimes:1", "fix_state": "Affected", "package_name": "org.jboss.windup-windup-parent", "product_name": "Migration Toolkit for Runtimes"}, {"cpe": "cpe:/a:redhat:amq_online:1", "fix_state": "Out of support scope", "package_name": "netty", "product_name": "Red Hat A-MQ Online"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:3", "fix_state": "Affected", "package_name": "netty", "product_name": "Red Hat build of Apache Camel for Spring Boot 3"}, {"cpe": "cpe:/a:redhat:debezium:2", "fix_state": "Not affected", "package_name": "netty", "product_name": "Red Hat build of Debezium"}, {"cpe": "cpe:/a:redhat:optaplanner:::el6", "fix_state": "Affected", "package_name": "netty", "product_name": "Red Hat build of OptaPlanner 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7", "fix_state": "Out of support scope", "package_name": "netty", "product_name": "Red Hat Decision Manager 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "log4j:2/log4j", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "log4j", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Out of support scope", "package_name": "netty", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:camel_quarkus:2", "fix_state": "Affected", "package_name": "netty", "product_name": "Red Hat Integration Camel Quarkus"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "netty", "product_name": "Red Hat Integration Change Data Capture"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Will not fix", "package_name": "netty", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "netty", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "netty", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Affected", "package_name": "netty", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Out of support scope", "package_name": "netty", "product_name": "Red Hat JBoss Fuse Service Works 6"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Out of support scope", "package_name": "netty", "product_name": "Red Hat OpenShift Application Runtimes"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Out of support scope", "package_name": "netty", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Will not fix", "package_name": "netty", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Not affected", "package_name": "netty", "product_name": "Red Hat support for Spring Boot"}, {"cpe": "cpe:/o:redhat:rhev_hypervisor:4", "fix_state": "Not affected", "package_name": "apache-sshd", "product_name": "Red Hat Virtualization 4"}, {"cpe": "cpe:/a:redhat:amq_streams:1", "fix_state": "Affected", "package_name": "netty", "product_name": "streams for Apache Kafka"}], "public_date": "2023-06-23T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-34462\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-34462"], "threat_severity": "Moderate", "upstream_fix": "netty 4.1.94.Final"}