PT-2023-6590 · Netty+1
Sandipan Roy
Published: 2023-08-29 · Updated: 2023-12-06
CVE-2023-4586
CVSS v3.1: 7.4 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Hot Rod client versions (affected versions not specified)
Netty versions (affected versions not specified)
Description
The Hot Rod client and Netty do not enable hostname validation when using TLS: the peer's certificate is checked against the trust store, but the name in the certificate is never compared with the host being connected to. A remote attacker positioned on the network path who holds any certificate trusted by the client can therefore carry out a man-in-the-middle (MITM) attack.
Recommendations
For Hot Rod client, enable hostname validation when using TLS to prevent man-in-the-middle attacks.
For Netty, users are advised to enable hostname validation in their configurations by setting the endpoint identification algorithm to "HTTPS" in the SSLParameters of the SSLEngine.
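The following Netty client channel initializer is an added example, not code from the advisory or from the Netty or Infinispan projects. It shows the weak default beside the corrected configuration: the SslHandler is created with the peer host and port, the engine's SSLParameters are updated with the "HTTPS" endpoint identification algorithm, and a small check reports whether validation is on. The class name, the hypothetical peer host and port, and the use of an SslContext built from the default trust store are assumptions made for the example.

```java
import io.netty.channel.Channel;
import io.netty.channel.ChannelInitializer;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;

import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;

/**
 * Example client initializer (hypothetical name) that enables hostname
 * validation on every TLS connection Netty opens.
 */
public final class HostnameValidatingTlsInitializer extends ChannelInitializer<Channel> {

    private final SslContext sslContext;
    private final String peerHost;
    private final int peerPort;

    public HostnameValidatingTlsInitializer(SslContext sslContext, String peerHost, int peerPort) {
        this.sslContext = sslContext;
        this.peerHost = peerHost;
        this.peerPort = peerPort;
    }

    /** Client context using the JVM default trust store (assumption for the example). */
    public static SslContext defaultClientContext() throws SSLException {
        return SslContextBuilder.forClient().build();
    }

    @Override
    protected void initChannel(Channel ch) {
        // Weak form (the behaviour the advisory describes): the engine verifies the
        // certificate chain but never compares the certificate name with peerHost.
        //   SslHandler weak = sslContext.newHandler(ch.alloc(), peerHost, peerPort);
        //   ch.pipeline().addFirst("ssl", weak);

        // Corrected form: pass the expected peer host/port so the handler knows the
        // name to check, then switch on endpoint identification on the engine.
        SslHandler sslHandler = sslContext.newHandler(ch.alloc(), peerHost, peerPort);
        enableHostnameValidation(sslHandler.engine());
        ch.pipeline().addFirst("ssl", sslHandler);
    }

    /**
     * Sets the endpoint identification algorithm to "HTTPS" (RFC 2818 name matching),
     * which makes the JSSE engine reject a certificate whose SAN/CN does not match
     * the peer host given to newHandler().
     */
    static void enableHostnameValidation(SSLEngine engine) {
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
    }

    /** Check usable in a configuration audit: null means validation is disabled. */
    static boolean isHostnameValidationEnabled(SSLEngine engine) {
        String algorithm = engine.getSSLParameters().getEndpointIdentificationAlgorithm();
        return "HTTPS".equalsIgnoreCase(algorithm) || "LDAPS".equalsIgnoreCase(algorithm);
    }

    /** Demonstrates the difference on a bare engine; hypothetical host and port. */
    public static void main(String[] args) throws SSLException {
        SslContext ctx = defaultClientContext();
        SSLEngine engine = ctx.newEngine(io.netty.buffer.UnpooledByteBufAllocator.DEFAULT,
                "cache.example.internal", 11222);
        System.out.println("before: " + isHostnameValidationEnabled(engine));
        enableHostnameValidation(engine);
        System.out.println("after:  " + isHostnameValidationEnabled(engine));
    }
}
```

The host and port passed to newHandler() matter: without them the engine has no peer name to compare against, so setting the algorithm alone is not sufficient. Applying the same SSLParameters change to a JDK SSLEngine or SSLSocket outside Netty works identically, since the setting is part of JSSE rather than of Netty.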
A change in default behavior is expected in the 5.x release branch with no backport planned.
Fix
Improper Certificate Validation
Improper Authentication
RCE
Related identifiers
Affected products
Hot Rod
Netty