Vulnerability-Lookup

RHSA-2025:0542

Vulnerability from csaf_redhat - Published: 2025-01-21 17:55 - Updated: 2026-02-18 16:49

Summary

Red Hat Security Advisory: JBoss EAP XP 5.0 Update 1.0 release. See references for release notes.

Severity

Moderate

Notes

Topic: JBoss EAP XP 5.0 Update 1.0 release. See references for release notes.

Details: JBoss EAP XP 5.0 Update 1.0 GA release. See references for release notes. Security Fix(es): * io.vertx/vertx-grpc: Vertx gRPC server does not limit the maximum message size (CVE-2024-8391) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2024-8391

A flaw was found in the gRPC server in Eclipse Vert.x, which does not limit the maximum length of the message payload. This may lead to excessive memory consumption in a server or a client, causing a denial of service.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770 - Allocation of Resources Without Limits or Throttling

Vendor Fix For details on how to apply this update, refer to the Using JBoss EAP XP 5 document: https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/8.0/html/using_jboss_eap_xp_5.0/index https://access.redhat.com/errata/RHSA-2025:0542

Workaround Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

References

URL

Category

	https://access.redhat.com/errata/RHSA-2025:0542	self
	https://access.redhat.com/security/updates/classi…	external
	https://docs.redhat.com/en/documentation/red_hat_…	external
	https://docs.redhat.com/en/documentation/red_hat_…	external
	https://docs.redhat.com/en/documentation/red_hat_…	external
	https://bugzilla.redhat.com/show_bug.cgi?id=2309758	external
	https://issues.redhat.com/browse/JBEAP-24664	external
	https://issues.redhat.com/browse/JBEAP-26398	external
	https://issues.redhat.com/browse/JBEAP-26715	external
	https://issues.redhat.com/browse/JBEAP-26776	external
	https://issues.redhat.com/browse/JBEAP-26798	external
	https://issues.redhat.com/browse/JBEAP-27331	external
	https://issues.redhat.com/browse/JBEAP-27358	external
	https://issues.redhat.com/browse/JBEAP-27540	external
	https://issues.redhat.com/browse/JBEAP-27763	external
	https://issues.redhat.com/browse/JBEAP-27773	external
	https://issues.redhat.com/browse/JBEAP-27817	external
	https://issues.redhat.com/browse/JBEAP-27942	external
	https://issues.redhat.com/browse/JBEAP-28074	external
	https://issues.redhat.com/browse/JBEAP-28075	external
	https://issues.redhat.com/browse/JBEAP-28092	external
	https://issues.redhat.com/browse/JBEAP-28146	external
	https://issues.redhat.com/browse/JBEAP-28331	external
	https://issues.redhat.com/browse/JBEAP-28355	external
	https://issues.redhat.com/browse/JBEAP-28357	external
	https://issues.redhat.com/browse/JBEAP-28379	external
	https://issues.redhat.com/browse/JBEAP-28400	external
	https://security.access.redhat.com/data/csaf/v2/a…	self
	https://access.redhat.com/security/cve/CVE-2024-8391	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2309758	external
	https://www.cve.org/CVERecord?id=CVE-2024-8391	external
	https://nvd.nist.gov/vuln/detail/CVE-2024-8391	external
	https://github.com/eclipse-vertx/vertx-grpc/issues/113	external
	https://gitlab.eclipse.org/security/cve-assigneme…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "JBoss EAP XP 5.0 Update 1.0 release. See references for release notes.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "JBoss EAP XP 5.0 Update 1.0 GA release. See references for release notes.\n\nSecurity Fix(es):\n\n* io.vertx/vertx-grpc: Vertx gRPC server does not limit the maximum message size (CVE-2024-8391)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2025:0542",
        "url": "https://access.redhat.com/errata/RHSA-2025:0542"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/8.0/html/red_hat_jboss_eap_xp_5.0_release_notes/index",
        "url": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/8.0/html/red_hat_jboss_eap_xp_5.0_release_notes/index"
      },
      {
        "category": "external",
        "summary": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/8.0/html/jboss_eap_xp_5.0_upgrade_and_migration_guide/index",
        "url": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/8.0/html/jboss_eap_xp_5.0_upgrade_and_migration_guide/index"
      },
      {
        "category": "external",
        "summary": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/8.0/html/using_jboss_eap_xp_5.0/index",
        "url": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/8.0/html/using_jboss_eap_xp_5.0/index"
      },
      {
        "category": "external",
        "summary": "2309758",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2309758"
      },
      {
        "category": "external",
        "summary": "JBEAP-24664",
        "url": "https://issues.redhat.com/browse/JBEAP-24664"
      },
      {
        "category": "external",
        "summary": "JBEAP-26398",
        "url": "https://issues.redhat.com/browse/JBEAP-26398"
      },
      {
        "category": "external",
        "summary": "JBEAP-26715",
        "url": "https://issues.redhat.com/browse/JBEAP-26715"
      },
      {
        "category": "external",
        "summary": "JBEAP-26776",
        "url": "https://issues.redhat.com/browse/JBEAP-26776"
      },
      {
        "category": "external",
        "summary": "JBEAP-26798",
        "url": "https://issues.redhat.com/browse/JBEAP-26798"
      },
      {
        "category": "external",
        "summary": "JBEAP-27331",
        "url": "https://issues.redhat.com/browse/JBEAP-27331"
      },
      {
        "category": "external",
        "summary": "JBEAP-27358",
        "url": "https://issues.redhat.com/browse/JBEAP-27358"
      },
      {
        "category": "external",
        "summary": "JBEAP-27540",
        "url": "https://issues.redhat.com/browse/JBEAP-27540"
      },
      {
        "category": "external",
        "summary": "JBEAP-27763",
        "url": "https://issues.redhat.com/browse/JBEAP-27763"
      },
      {
        "category": "external",
        "summary": "JBEAP-27773",
        "url": "https://issues.redhat.com/browse/JBEAP-27773"
      },
      {
        "category": "external",
        "summary": "JBEAP-27817",
        "url": "https://issues.redhat.com/browse/JBEAP-27817"
      },
      {
        "category": "external",
        "summary": "JBEAP-27942",
        "url": "https://issues.redhat.com/browse/JBEAP-27942"
      },
      {
        "category": "external",
        "summary": "JBEAP-28074",
        "url": "https://issues.redhat.com/browse/JBEAP-28074"
      },
      {
        "category": "external",
        "summary": "JBEAP-28075",
        "url": "https://issues.redhat.com/browse/JBEAP-28075"
      },
      {
        "category": "external",
        "summary": "JBEAP-28092",
        "url": "https://issues.redhat.com/browse/JBEAP-28092"
      },
      {
        "category": "external",
        "summary": "JBEAP-28146",
        "url": "https://issues.redhat.com/browse/JBEAP-28146"
      },
      {
        "category": "external",
        "summary": "JBEAP-28331",
        "url": "https://issues.redhat.com/browse/JBEAP-28331"
      },
      {
        "category": "external",
        "summary": "JBEAP-28355",
        "url": "https://issues.redhat.com/browse/JBEAP-28355"
      },
      {
        "category": "external",
        "summary": "JBEAP-28357",
        "url": "https://issues.redhat.com/browse/JBEAP-28357"
      },
      {
        "category": "external",
        "summary": "JBEAP-28379",
        "url": "https://issues.redhat.com/browse/JBEAP-28379"
      },
      {
        "category": "external",
        "summary": "JBEAP-28400",
        "url": "https://issues.redhat.com/browse/JBEAP-28400"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_0542.json"
      }
    ],
    "title": "Red Hat Security Advisory: JBoss EAP XP 5.0 Update 1.0 release. See references for release notes.",
    "tracking": {
      "current_release_date": "2026-02-18T16:49:22+00:00",
      "generator": {
        "date": "2026-02-18T16:49:22+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.7.1"
        }
      },
      "id": "RHSA-2025:0542",
      "initial_release_date": "2025-01-21T17:55:49+00:00",
      "revision_history": [
        {
          "date": "2025-01-21T17:55:49+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2025-01-21T17:55:49+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-02-18T16:49:22+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss EAP XP 5.0 Update 1.0",
                "product": {
                  "name": "Red Hat JBoss EAP XP 5.0 Update 1.0",
                  "product_id": "Red Hat JBoss EAP XP 5.0 Update 1.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Enterprise Application Platform"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-8391",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2024-09-04T16:20:44.762419+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2309758"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the gRPC server in Eclipse Vert.x, which does not limit the maximum length of the message payload. This may lead to excessive memory consumption in a server or a client, causing a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "io.vertx:vertx-grpc-client: io.vertx:vertx-grpc-server: Vertx gRPC server does not limit the maximum message size",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss EAP XP 5.0 Update 1.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-8391"
        },
        {
          "category": "external",
          "summary": "RHBZ#2309758",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2309758"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-8391",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-8391"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-8391",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8391"
        },
        {
          "category": "external",
          "summary": "https://github.com/eclipse-vertx/vertx-grpc/issues/113",
          "url": "https://github.com/eclipse-vertx/vertx-grpc/issues/113"
        },
        {
          "category": "external",
          "summary": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/31",
          "url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/31"
        }
      ],
      "release_date": "2024-09-04T16:15:09.253000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-01-21T17:55:49+00:00",
          "details": "For details on how to apply this update, refer to the Using JBoss EAP XP 5 document: https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/8.0/html/using_jboss_eap_xp_5.0/index",
          "product_ids": [
            "Red Hat JBoss EAP XP 5.0 Update 1.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:0542"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat JBoss EAP XP 5.0 Update 1.0"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat JBoss EAP XP 5.0 Update 1.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "io.vertx:vertx-grpc-client: io.vertx:vertx-grpc-server: Vertx gRPC server does not limit the maximum message size"
    }
  ]
}

CVE-2024-8391 (GCVE-0-2024-8391)

Vulnerability from cvelistv5 – Published: 2024-09-04 15:27 – Updated: 2024-09-04 17:40

Title

Eclipse Vert.x gRPC server does not limit the maximum message size

Summary

In Eclipse Vert.x version 4.3.0 to 4.5.9, the gRPC server does not limit the maximum length of message payload (Maven GAV: io.vertx:vertx-grpc-server and io.vertx:vertx-grpc-client). This is fixed in the 4.5.10 version. Note this does not affect the Vert.x gRPC server based grpc-java and Netty libraries (Maven GAV: io.vertx:vertx-grpc)

Severity ?

6.9 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

CWE

CWE-770 - Allocation of Resources Without Limits or Throttling

Assigner

eclipse

References

URL

Tags

	https://gitlab.eclipse.org/security/cve-assigneme…
	https://github.com/eclipse-vertx/vertx-grpc/issues/113

Impacted products

	Vendor	Product	Version
	Eclipse Foundation	Eclipse Vert.x	Affected: 4.3.0 , < 4.5.10 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:eclipse_foundation:vert.x:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "vert.x",
            "vendor": "eclipse_foundation",
            "versions": [
              {
                "lessThan": "4.5.10",
                "status": "affected",
                "version": "4.3.0",
                "versionType": "semver"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-8391",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-04T15:52:09.291594Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-04T15:58:44.725Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2/",
          "defaultStatus": "unaffected",
          "packageName": "io.vertx:vertx-grpc-server",
          "product": "Eclipse Vert.x",
          "repo": "https://github.com/eclipse-vertx/vertx-grpc",
          "vendor": "Eclipse Foundation",
          "versions": [
            {
              "lessThan": "4.5.10",
              "status": "affected",
              "version": "4.3.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003e\u003c/div\u003e\u003cdiv\u003eIn Eclipse Vert.x version 4.3.0 to 4.5.9, the gRPC server does not limit the maximum length of message payload (Maven GAV: io.vertx:vertx-grpc-server and io.vertx:vertx-grpc-client).\u0026nbsp;\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eThis is fixed in the 4.5.10 version.\u0026nbsp;\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eNote this does not affect the Vert.x gRPC server based grpc-java and Netty libraries (Maven GAV: io.vertx:vertx-grpc)\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e"
            }
          ],
          "value": "In Eclipse Vert.x version 4.3.0 to 4.5.9, the gRPC server does not limit the maximum length of message payload (Maven GAV: io.vertx:vertx-grpc-server and io.vertx:vertx-grpc-client).\u00a0\n\n\n\n\nThis is fixed in the 4.5.10 version.\u00a0\n\n\n\n\nNote this does not affect the Vert.x gRPC server based grpc-java and Netty libraries (Maven GAV: io.vertx:vertx-grpc)"
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-04T17:40:20.318Z",
        "orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
        "shortName": "eclipse"
      },
      "references": [
        {
          "url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/31"
        },
        {
          "url": "https://github.com/eclipse-vertx/vertx-grpc/issues/113"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Eclipse Vert.x gRPC server does not limit the maximum message size",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
    "assignerShortName": "eclipse",
    "cveId": "CVE-2024-8391",
    "datePublished": "2024-09-04T15:27:58.478Z",
    "dateReserved": "2024-09-03T12:39:46.456Z",
    "dateUpdated": "2024-09-04T17:40:20.318Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

RHSA-2025:0542

CVE-2024-8391 (GCVE-0-2024-8391)

Tags

Sightings

Nomenclature