Netty QUIC Codec Hash Collision Denial-of-Service Vulnerability
Vulnerability
A hash collision vulnerability has been identified in the Netty QUIC codec (netty-incubator-codec-quic), specifically in the hash map that tracks active connections. A remote attacker triggers it by initiating connections whose Source Connection IDs (SCIDs) are chosen to collide under the map's hash function, so that the affected entries land in the same bucket and every insert or lookup on that bucket degrades from roughly constant time to time linear in the number of colliding entries. The resulting CPU load on the server is a Hash Denial-of-Service (Hash DoS) attack. The vulnerability is present in versions prior to 0.0.71.Final.
Impact
Exploitation causes a notable slowdown on the server: its CPU is consumed walking the collision chain for every packet that references a colliding connection ID, and the cost grows with each additional colliding connection the attacker opens. Slowdowns of up to roughly 300-fold under load have been reported for this class of collision. The attack needs no authentication, only the ability to send QUIC packets to the server.
Reproduction
The vulnerability can be reproduced by sending QUIC connection requests whose Source Connection IDs are intentionally crafted to collide under the server's hash function. This requires a custom client that generates the colliding SCIDs and initiates one connection per SCID; the server's per-packet cost can then be measured against a baseline run that uses random SCIDs of the same length.
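The following added example (not code from the Netty project or from this advisory) illustrates the mechanism behind the reproduction steps above: a chained connection table keyed by SCID, a weak unkeyed polynomial hash that an attacker can collide at will, and the same table with a keyed hash that makes collisions unpredictable. The table, bucket count, polynomial hash and keyed blake2b hash are all stand-ins chosen for illustration; the page does not say which hash function the codec used or how the fix changed it, and this example makes no claim about that.

```python
"""Added illustration of a Hash-DoS on a connection table keyed by QUIC
Source Connection IDs (SCIDs). Not Netty code: the table, the polynomial
hash, the bucket count and the keyed hash are constructed stand-ins for
the vulnerable pattern and a generic mitigation, not the codec's own code."""
import hashlib
import itertools
import os

BUCKETS = 1 << 16          # assumed table size for the illustration
SCID_LEN = 20              # QUIC connection IDs are 0..20 bytes; use the maximum
HASH_KEY = os.urandom(16)  # per-process secret for the keyed hash


def weak_hash(scid: bytes) -> int:
    """Unkeyed Java-style polynomial hash (h = 31*h + b): trivial to collide."""
    h = 0
    for b in scid:
        h = (31 * h + b) & 0xFFFFFFFF
    return h


def keyed_hash(scid: bytes) -> int:
    """Keyed hash: without HASH_KEY an attacker cannot predict bucket placement."""
    digest = hashlib.blake2b(scid, key=HASH_KEY, digest_size=4).digest()
    return int.from_bytes(digest, "big")


def colliding_scids(base: bytes, count: int) -> list:
    """Return up to `count` distinct SCIDs that all share weak_hash(base).

    For any adjacent byte pair (x, y), the pair (x+1, y-31) contributes the
    same value to the polynomial, since 31*(x+1) + (y-31) == 31*x + y.
    Each pair therefore gives one independent bit of freedom, so a 20-byte
    base yields 2**10 = 1024 colliding SCIDs. `base` must keep x < 255 and
    y >= 31 in every pair so the adjusted bytes stay in range.
    """
    pairs = len(base) // 2
    out = []
    for bits in itertools.product((0, 1), repeat=pairs):
        scid = bytearray(base)
        for i, bit in enumerate(bits):
            if bit:
                scid[2 * i] += 1
                scid[2 * i + 1] -= 31
        out.append(bytes(scid))
        if len(out) == count:
            break
    return out


class ConnectionTable:
    """Chained hash table; a lookup walks its bucket's chain, so a bucket
    holding n entries costs O(n) comparisons per lookup."""

    def __init__(self, hash_fn):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(BUCKETS)]
        self.comparisons = 0  # key comparisons performed (the CPU cost proxy)

    def _bucket(self, scid: bytes) -> list:
        return self.buckets[self.hash_fn(scid) % BUCKETS]

    def add(self, scid: bytes, conn) -> None:
        bucket = self._bucket(scid)
        for i, (key, _) in enumerate(bucket):
            self.comparisons += 1
            if key == scid:
                bucket[i] = (scid, conn)
                return
        bucket.append((scid, conn))

    def lookup(self, scid: bytes):
        for key, conn in self._bucket(scid):
            self.comparisons += 1
            if key == scid:
                return conn
        return None

    def max_chain(self) -> int:
        return max(len(b) for b in self.buckets)


def simulate(hash_fn, scids: list) -> tuple:
    """Insert every SCID, then look each one up once; return
    (longest bucket chain, comparisons spent on the lookups)."""
    table = ConnectionTable(hash_fn)
    for i, scid in enumerate(scids):
        table.add(scid, i)
    table.comparisons = 0
    for scid in scids:
        table.lookup(scid)
    return table.max_chain(), table.comparisons


if __name__ == "__main__":
    # Constructed attacker input: 1024 SCIDs colliding under the weak hash.
    attack = colliding_scids(bytes([0x40, 0x60] * (SCID_LEN // 2)), 1024)
    for name, fn in (("weak polynomial", weak_hash), ("keyed blake2b", keyed_hash)):
        chain, cmps = simulate(fn, attack)
        print(f"{name:16s} longest chain {chain:5d}, "
              f"comparisons for {len(attack)} lookups: {cmps}")
```

With the weak hash every colliding SCID lands in one bucket, so looking up all 1024 connections costs 1024*1025/2 comparisons; with the keyed hash the same SCIDs spread across the table and the cost stays close to one comparison per lookup. Bounding the size of the map or rate-limiting new connections per source address reduces the damage but does not remove the quadratic behaviour; an unpredictable hash does.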
Remediation
Upgrade to Netty QUIC codec (netty-incubator-codec-quic) version 0.0.71.Final or later, where this vulnerability has been fixed. Because the codec is usually pulled in transitively (for example through a framework's HTTP/3 support), check the resolved version in the build's dependency tree rather than only the versions declared directly.
