Moderate severityNVD Advisory· Published Jul 31, 2014· Updated May 6, 2026
CVE-2014-3488
CVE-2014-3488
Description
The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
io.netty:netty-handlerMaven | < 3.9.2 | 3.9.2 |
Affected products
15cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*+ 14 more
- cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*range: <=3.9.1.1
- cpe:2.3:a:netty:netty:3.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:3.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:3.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:3.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:3.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:3.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:3.6.6:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:3.6.7:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:3.6.8:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:3.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:3.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:3.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:3.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:3.9.1:*:*:*:*:*:*:*
Patches
12fa9400a59d0Fix a bug where SslHandler does not handle SSLv2Hello correctly
1 file changed · +15 −5
src/main/java/org/jboss/netty/handler/ssl/SslHandler.java+15 −5 modified@@ -1268,8 +1268,18 @@ private ChannelBuffer unwrap( // always contain at least one record in decode(). Therefore, if SSLEngine.unwrap() returns // BUFFER_OVERFLOW, it is always resolved by retrying after emptying the application buffer. for (;;) { + final int outAppBufSize = engine.getSession().getApplicationBufferSize(); + final ByteBuffer outAppBuf; + if (nioOutAppBuf.capacity() < outAppBufSize) { + // SSLEngine wants a buffer larger than what the pool can provide. + // Allocate a temporary heap buffer. + outAppBuf = ByteBuffer.allocate(outAppBufSize); + } else { + outAppBuf = nioOutAppBuf; + } + try { - result = engine.unwrap(nioInNetBuf, nioOutAppBuf); + result = engine.unwrap(nioInNetBuf, outAppBuf); switch (result.getStatus()) { case CLOSED: // notify about the CLOSED state of the SSLEngine. See #137 @@ -1283,21 +1293,21 @@ private ChannelBuffer unwrap( break; } finally { - nioOutAppBuf.flip(); + outAppBuf.flip(); // Sync the offset of the inbound buffer. nettyInNetBuf.readerIndex( nettyInNetBufStartOffset + nioInNetBuf.position() - nioInNetBufStartOffset); // Copy the unwrapped data into a smaller buffer. - if (nioOutAppBuf.hasRemaining()) { + if (outAppBuf.hasRemaining()) { if (nettyOutAppBuf == null) { ChannelBufferFactory factory = ctx.getChannel().getConfig().getBufferFactory(); nettyOutAppBuf = factory.getBuffer(initialNettyOutAppBufCapacity); } - nettyOutAppBuf.writeBytes(nioOutAppBuf); + nettyOutAppBuf.writeBytes(outAppBuf); } - nioOutAppBuf.clear(); + outAppBuf.clear(); } }
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
8- github.com/netty/netty/issues/2562nvdExploitPatchWEB
- netty.io/news/2014/06/11/3-9-2-Final.htmlnvdVendor AdvisoryWEB
- github.com/advisories/GHSA-9959-6p3m-wxpcghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2014-3488ghsaADVISORY
- secunia.com/advisories/59196nvdWEB
- github.com/netty/netty/commit/2fa9400a59d0563a66908aba55c41e7285a04994nvdWEB
- lists.debian.org/debian-lts-announce/2020/02/msg00018.htmlnvdWEB
- snyk.io/vuln/SNYK-JAVA-ORGJBOSSNETTY-31630ghsaWEB
News mentions
0No linked articles in our index yet.