quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.42.0, an attacker can cause its peer to run out of memory sending a large number of `NEW_CONNECTION_ID` frames that retire old connection IDs. The receiver is supposed to respond to each retirement frame with a `RETIRE_CONNECTION_ID` frame. The attacker can prevent the receiver from sending out (the vast majority of) these `RETIRE_CONNECTION_ID` frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer's RTT estimate. Version 0.42.0 contains a patch for the issue. No known workarounds are available.
History

Tue, 29 Oct 2024 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat ansible Automation Platform
CPEs cpe:/a:redhat:ansible_automation_platform:2.5::el8
cpe:/a:redhat:ansible_automation_platform:2.5::el9
Vendors & Products Redhat ansible Automation Platform

Thu, 08 Aug 2024 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat service Mesh
CPEs cpe:/a:redhat:service_mesh:2.6::el8
cpe:/a:redhat:service_mesh:2.6::el9
Vendors & Products Redhat service Mesh

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-04-04T14:25:43.663Z

Updated: 2024-08-23T19:29:41.592Z

Reserved: 2024-01-08T04:59:27.370Z

Link: CVE-2024-22189

cve-icon Vulnrichment

Updated: 2024-08-01T22:35:34.903Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-04-04T15:15:37.990

Modified: 2024-11-21T08:55:45.517

Link: CVE-2024-22189

cve-icon Redhat

Severity : Moderate

Publid Date: 2024-04-04T00:00:00Z

Links: CVE-2024-22189 - Bugzilla