CVE-2024-22189 Common Vulnerabilities and Exposures

Upstream information

CVE-2024-22189 at MITRE

Description

quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.42.0, an attacker can cause its peer to run out of memory sending a large number of `NEW_CONNECTION_ID` frames that retire old connection IDs. The receiver is supposed to respond to each retirement frame with a `RETIRE_CONNECTION_ID` frame. The attacker can prevent the receiver from sending out (the vast majority of) these `RETIRE_CONNECTION_ID` frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer's RTT estimate. Version 0.42.0 contains a patch for the issue. No known workarounds are available.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having important severity.

CVSS v3 Scores
	SUSE
Base Score	7.5
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User Interaction	None
Scope	Unchanged
Confidentiality Impact	None
Integrity Impact	None
Availability Impact	High
CVSSv3 Version	3.1

SUSE Bugzilla entry: 1222461 [NEW]

SUSE Security Advisories:

openSUSE-SU-2024:0211-1, published Mon Jul 22 16:48:45 2024
openSUSE-SU-2024:0220-1, published Sat Aug 24 14:48:34 2024
openSUSE-SU-2024:0319-1, published Fri Sep 27 22:49:22 2024

List of released packages

Product(s)	Fixed package version(s)	References
SUSE Package Hub 15 SP5	`caddy >= 2.8.4-bp155.2.3.1` `caddy-bash-completion >= 2.8.4-bp155.2.3.1` `caddy-fish-completion >= 2.8.4-bp155.2.3.1` `caddy-zsh-completion >= 2.8.4-bp155.2.3.1`	Patchnames: openSUSE-2024-211
SUSE Package Hub 15 SP6	`caddy >= 2.8.4-bp156.3.3.1` `caddy-bash-completion >= 2.8.4-bp156.3.3.1` `caddy-fish-completion >= 2.8.4-bp156.3.3.1` `caddy-zsh-completion >= 2.8.4-bp156.3.3.1` `coredns >= 1.11.3-bp156.4.3.1` `coredns-extras >= 1.11.3-bp156.4.3.1`	Patchnames: openSUSE-2024-220 openSUSE-2024-319
openSUSE Leap 15.5	`caddy >= 2.8.4-bp155.2.3.1` `caddy-bash-completion >= 2.8.4-bp155.2.3.1` `caddy-fish-completion >= 2.8.4-bp155.2.3.1` `caddy-zsh-completion >= 2.8.4-bp155.2.3.1`	Patchnames: openSUSE-2024-211
openSUSE Leap 15.6	`caddy >= 2.8.4-bp156.3.3.1` `caddy-bash-completion >= 2.8.4-bp156.3.3.1` `caddy-fish-completion >= 2.8.4-bp156.3.3.1` `caddy-zsh-completion >= 2.8.4-bp156.3.3.1` `coredns >= 1.11.3-bp156.4.3.1` `coredns-extras >= 1.11.3-bp156.4.3.1`	Patchnames: openSUSE-2024-220 openSUSE-2024-319
openSUSE Tumbleweed	`caddy >= 2.8.4-1.1` `coredns >= 1.11.1-5.1` `coredns-extras >= 1.11.1-5.1` `golang-github-v2fly-v2ray-core >= 5.15.1-1.1` `kubo >= 0.27.0-2.1` `syncthing >= 1.27.6-1.1` `syncthing-relaysrv >= 1.27.6-1.1` `v2ray-core >= 5.15.1-1.1`	Patchnames: openSUSE-Tumbleweed-2024-13845 openSUSE-Tumbleweed-2024-13847 openSUSE-Tumbleweed-2024-13849 openSUSE-Tumbleweed-2024-13865 openSUSE-Tumbleweed-2024-14014

SUSE Timeline for this CVE

CVE page created: Thu Apr 4 18:10:46 2024
CVE page last modified: Sat Sep 28 00:50:21 2024