Netty Epoll Transport Denial-of-Service Vulnerability via RST on Half-Closed TCP Connections

Vulnerability

A denial-of-service vulnerability has been identified in Netty's epoll transport, affecting versions from 4.2.0.Final up to but not including 4.2.13.Final. The issue arises when a TCP connection that has been half-closed (either with 'ALLOW_HALF_CLOSURE' enabled, or through the HTTP codec's half-close handling) subsequently receives a RST. The affected channel is not properly cleaned up and remains stale, which causes resource exhaustion as such channels accumulate. In some code paths, it can also trigger a 100% CPU busy-loop on the event loop thread.

Impact

Exploitation of this vulnerability leads to resource exhaustion by creating stale channels that consume file descriptors, memory, or exceed connection limits. Additionally, in certain code paths, it causes a 100% CPU busy-loop on the event loop thread, disrupting other connections multiplexed on the same thread.

Remediation

Users are advised to upgrade to Netty version 4.2.13.Final or later. If an immediate upgrade is not possible, configure idle timeouts on connections so that stale channels are closed after a bounded period rather than lingering indefinitely.
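The following is an added example of the interim mitigation, not code from the advisory or from the Netty project: a Netty server on the epoll transport with half-closure enabled, where an IdleStateHandler closes any channel that sees no read or write activity for an assumed 30 seconds. The port, the 30-second value, and the IdleCloseHandler class name are assumptions for illustration; IdleStateHandler, IdleStateEvent, EpollEventLoopGroup and EpollServerSocketChannel are standard Netty classes.

```java
import java.util.concurrent.TimeUnit;

import io.netty.bootstrap.ServerBootstrap;
import io.netty.channel.ChannelDuplexHandler;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInitializer;
import io.netty.channel.ChannelOption;
import io.netty.channel.ChannelPipeline;
import io.netty.channel.epoll.EpollEventLoopGroup;
import io.netty.channel.epoll.EpollServerSocketChannel;
import io.netty.channel.socket.SocketChannel;
import io.netty.handler.codec.http.HttpServerCodec;
import io.netty.handler.timeout.IdleStateEvent;
import io.netty.handler.timeout.IdleStateHandler;

public class IdleTimeoutServer {

    // Assumed value: a channel with no reads or writes for this long is closed.
    private static final int ALL_IDLE_SECONDS = 30;

    // Hypothetical handler name. Receives IdleStateEvent from the IdleStateHandler
    // placed before it in the pipeline and closes the channel.
    static final class IdleCloseHandler extends ChannelDuplexHandler {
        @Override
        public void userEventTriggered(ChannelHandlerContext ctx, Object evt) throws Exception {
            if (evt instanceof IdleStateEvent) {
                // A half-closed channel whose peer has sent RST produces no further
                // traffic, so the idle timer is what bounds its lifetime.
                ctx.close();
            } else {
                super.userEventTriggered(ctx, evt);
            }
        }
    }

    public static void main(String[] args) throws InterruptedException {
        EpollEventLoopGroup boss = new EpollEventLoopGroup(1);
        EpollEventLoopGroup workers = new EpollEventLoopGroup();
        try {
            ServerBootstrap b = new ServerBootstrap()
                .group(boss, workers)
                .channel(EpollServerSocketChannel.class)
                // Half-closure enabled: the configuration the advisory describes.
                .childOption(ChannelOption.ALLOW_HALF_CLOSURE, true)
                .childHandler(new ChannelInitializer<SocketChannel>() {
                    @Override
                    protected void initChannel(SocketChannel ch) {
                        ChannelPipeline p = ch.pipeline();
                        // Idle handler goes first so it observes every read and write.
                        // Reader and writer idle times are 0 (disabled); only the
                        // combined "all idle" timer is used.
                        p.addLast(new IdleStateHandler(0, 0, ALL_IDLE_SECONDS, TimeUnit.SECONDS));
                        p.addLast(new IdleCloseHandler());
                        p.addLast(new HttpServerCodec());
                        // Application handlers would follow here.
                    }
                });
            // Assumed port.
            b.bind(8080).sync().channel().closeFuture().sync();
        } finally {
            boss.shutdownGracefully();
            workers.shutdownGracefully();
        }
    }
}
```

The timeout value should be chosen to suit the application's expected request cadence; it does not remove the underlying defect, it only bounds how long a stale channel can hold a file descriptor and memory until the upgrade is applied.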

Added: May 13, 2026, 7:29 PM
Updated: May 13, 2026, 7:29 PM

Vulnerability Rating

Custom Algorithm

spread          8.6
impact          2.5
exploitability  8.8
remediation     7.9
relevance       8.2
threat          3.2
urgency         2.9
incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.