{
  "threat_severity" : "Moderate",
  "public_date" : "2024-01-10T00:00:00Z",
  "bugzilla" : {
    "description" : "quic-go: memory exhaustion attack against QUIC's path validation mechanism",
    "id" : "2257815",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2257815"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-400",
  "details" : [ "quic-go is an implementation of the QUIC protocol (RFC 9000, RFC 9001, RFC 9002) in Go. An attacker can cause its peer to run out of memory by sending a large number of PATH_CHALLENGE frames. The receiver is supposed to respond to each PATH_CHALLENGE frame with a PATH_RESPONSE frame. The attacker can prevent the receiver from sending out (the vast majority of) these PATH_RESPONSE frames by collapsing the peer's congestion window (by selectively acknowledging received packets) and by manipulating the peer's RTT estimate. This vulnerability has been patched in versions 0.37.7, 0.38.2 and 0.39.4.", "A memory exhaustion vulnerability was found in quic-go, where a malicious client exploits the path validation mechanism to induce the server into accumulating an unbounded queue of PATH_RESPONSE frames, depleting its memory. The attacker controls the victim's packet send rate by overwhelming the server with numerous packets containing PATH_CHALLENGE frames. Through selective acknowledgments of received packets and manipulation of the peer's Round-Trip Time (RTT) estimates, the attacker induces congestion control mechanisms to reduce the server's send rate significantly. Consequently, the victim server is compelled to store an increasing number of queued PATH_RESPONSE frames, resulting in memory exhaustion." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Ansible Automation Platform 2.4 for RHEL 8",
    "release_date" : "2024-02-19T00:00:00Z",
    "advisory" : "RHSA-2024:0855",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.4::el8",
    "package" : "receptor-0:1.4.4-1.el8ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.4 for RHEL 9",
    "release_date" : "2024-02-19T00:00:00Z",
    "advisory" : "RHSA-2024:0855",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.4::el9",
    "package" : "receptor-0:1.4.4-1.el9ap"
  } ],
  "package_state" : [ {
    "product_name" : "OpenShift API for Data Protection",
    "fix_state" : "Not affected",
    "package_name" : "oadp/oadp-velero-plugin-for-vsm-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_api_data_protection:1"
  }, {
    "product_name" : "OpenShift API for Data Protection",
    "fix_state" : "Not affected",
    "package_name" : "oadp/oadp-volume-snapshot-mover-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_api_data_protection:1"
  }, {
    "product_name" : "OpenShift Service Mesh 2",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-service-mesh/istio-cni-rhel8",
    "cpe" : "cpe:/a:redhat:service_mesh:2"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Affected",
    "package_name" : "rhacm2/lighthouse-agent-rhel9",
    "cpe" : "cpe:/a:redhat:acm:2"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Affected",
    "package_name" : "rhacm2/volsync-mover-rclone-rhel8",
    "cpe" : "cpe:/a:redhat:acm:2"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Affected",
    "package_name" : "rhacm2/volsync-mover-syncthing-rhel8",
    "cpe" : "cpe:/a:redhat:acm:2"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Affected",
    "package_name" : "rhacm2/volsync-rhel8",
    "cpe" : "cpe:/a:redhat:acm:2"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "openshift4/ose-coredns-rhel9",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces",
    "fix_state" : "Fix deferred",
    "package_name" : "devspaces/traefik-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-49295\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-49295\nhttps://github.com/quic-go/quic-go/security/advisories/GHSA-ppxx-5m9h-6vxf\nhttps://seemann.io/posts/2023-12-18-exploiting-quics-path-validation/" ],
  "name" : "CVE-2023-49295",
  "csaw" : false
}