5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-4586

GHSA ID

GHSA-57m8-f3v5-hm5m

EPSS Score

0.28545%

CWE

CWE-295

Published

10/4/2023

Updated

11/10/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-4586

CVE-2023-4586:
Withdrawn Advisory: Netty-handler does not validate host names by default

Withdrawn Advisory

This advisory has been withdrawn because the underlying vulnerability only concerns Red Hat's Hot Rod client, which is not in one of the GitHub Advisory Database's supported ecosystems. This link is maintained to preserve external references.

Original Description

Netty-handler has been found to no validate hostnames when using TLS in its default configuration. As a result netty-handler is vulnerable to man-in-the-middle attacks. Users would need to set the protocol to "HTTPS" in the SSLParameters of the SSLEngine to opt in to host name validation. A change in default behavior is expected in the 5.x release branch with no backport planned.

In the interim users are advised to enable host name validation in their configurations. See https://github.com/netty/netty/issues/8537 for details on the forthcoming change in default behavior.

(GitHub Advisory)

5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-4586

GHSA ID

GHSA-57m8-f3v5-hm5m

EPSS Score

0.28545%

CWE

CWE-295

Published

10/4/2023

Updated

11/10/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
io.netty:netty-handler	maven	>= 4.1.0.Final, <= 4.1.99.Final

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from Netty's default SSL/TLS configuration not enabling hostname validation. The critical point of failure is the initialization of the SSLEngine via SslContext.newEngine, which does not set the endpoint identification algorithm to 'HTTPS' in SSLParameters. This omission bypasses certificate hostname validation. The advisory explicitly states that users must manually configure SSLParameters with 'HTTPS' to mitigate this, confirming that the default engine creation logic is the root cause. The function SslContext.newEngine is directly responsible for SSLEngine initialization in Netty, making it the primary vulnerable function.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

## Wit**r*wn **visory T*is **visory **s ***n wit**r*wn ****us* t** un**rlyin* vuln*r**ility only *on**rns R** **t's *ot Ro* *li*nt, w*i** is not in on* o* t** *it*u* **visory **t***s*'s [support** **osyst*ms](*ttps://*it*u*.*om/*it*u*/**visory-**t***

Reasoning

T** vuln*r**ility st*ms *rom N*tty's ****ult SSL/TLS *on*i*ur*tion not *n**lin* *ostn*m* v*li**tion. T** *riti**l point o* **ilur* is t** initi*liz*tion o* t** SSL*n*in* vi* Ssl*ont*xt.n*w*n*in*, w*i** *o*s not s*t t** *n*point i**nti*i**tion *l*orit

5.3

Basic Information

Concerned about an active attack path?

CVE-2023-4586: Withdrawn Advisory: Netty-handler does not validate host names by default

Withdrawn Advisory

Original Description

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2023-4586:
Withdrawn Advisory: Netty-handler does not validate host names by default

Vulnerability Intelligence
Miggo AI