{
  "threat_severity" : "Moderate",
  "public_date" : "2024-04-04T00:00:00Z",
  "bugzilla" : {
    "description" : "quic-go: memory exhaustion attack against QUIC's connection ID mechanism",
    "id" : "2273513",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2273513"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-770",
  "details" : [ "quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.42.0, an attacker can cause its peer to run out of memory by sending a large number of `NEW_CONNECTION_ID` frames that retire old connection IDs. The receiver is supposed to respond to each retirement frame with a `RETIRE_CONNECTION_ID` frame. The attacker can prevent the receiver from sending out (the vast majority of) these `RETIRE_CONNECTION_ID` frames by collapsing the peer's congestion window (by selectively acknowledging received packets) and by manipulating the peer's RTT estimate. Version 0.42.0 contains a patch for the issue. No known workarounds are available.", "A flaw was found in quic-go. This issue may allow a remote, unauthenticated attacker to trigger a denial of service (memory exhaustion) by sending a large number of NEW_CONNECTION_ID frames that retire old connection IDs. The receiver is supposed to respond to each retirement frame with a RETIRE_CONNECTION_ID frame, but the attacker can prevent the receiver from sending out the vast majority of these RETIRE_CONNECTION_ID frames by selectively acknowledging received packets to collapse the peer's congestion window and by manipulating the peer's RTT estimate." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9",
    "release_date" : "2024-06-26T00:00:00Z",
    "advisory" : "RHSA-2024:4144",
    "cpe" : "cpe:/a:redhat:acm:2.10::el9",
    "package" : "rhacm2/volsync-operator-bundle:v0.9.2-9"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9",
    "release_date" : "2024-06-26T00:00:00Z",
    "advisory" : "RHSA-2024:4144",
    "cpe" : "cpe:/a:redhat:acm:2.10::el9",
    "package" : "rhacm2/volsync-rhel9:v0.9.2-8"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 8",
    "release_date" : "2024-10-28T00:00:00Z",
    "advisory" : "RHSA-2024:8534",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
    "package" : "receptor-0:1.4.9-2.el8ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 9",
    "release_date" : "2024-10-28T00:00:00Z",
    "advisory" : "RHSA-2024:8534",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el9",
    "package" : "receptor-0:1.4.9-2.el9ap"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.16",
    "release_date" : "2024-06-27T00:00:00Z",
    "advisory" : "RHSA-2024:0041",
    "cpe" : "cpe:/a:redhat:openshift:4.16::el9",
    "package" : "openshift4/ose-coredns-rhel9:v4.16.0-202406131906.p0.g04d84f7.assembly.stream.el9"
  }, {
    "product_name" : "Red Hat OpenShift Service Mesh 2.6 for RHEL 8",
    "release_date" : "2024-08-07T00:00:00Z",
    "advisory" : "RHSA-2024:5094",
    "cpe" : "cpe:/a:redhat:service_mesh:2.6::el8",
    "package" : "openshift-service-mesh/grafana-rhel8:2.6.0-7"
  }, {
    "product_name" : "Red Hat OpenShift Service Mesh 2.6 for RHEL 8",
    "release_date" : "2024-08-07T00:00:00Z",
    "advisory" : "RHSA-2024:5094",
    "cpe" : "cpe:/a:redhat:service_mesh:2.6::el8",
    "package" : "openshift-service-mesh/istio-cni-rhel8:2.6.0-21"
  }, {
    "product_name" : "Red Hat OpenShift Service Mesh 2.6 for RHEL 8",
    "release_date" : "2024-08-07T00:00:00Z",
    "advisory" : "RHSA-2024:5094",
    "cpe" : "cpe:/a:redhat:service_mesh:2.6::el8",
    "package" : "openshift-service-mesh/istio-must-gather-rhel8:2.6.0-7"
  }, {
    "product_name" : "Red Hat OpenShift Service Mesh 2.6 for RHEL 8",
    "release_date" : "2024-08-07T00:00:00Z",
    "advisory" : "RHSA-2024:5094",
    "cpe" : "cpe:/a:redhat:service_mesh:2.6::el8",
    "package" : "openshift-service-mesh/istio-rhel8-operator:2.6.0-27"
  }, {
    "product_name" : "Red Hat OpenShift Service Mesh 2.6 for RHEL 8",
    "release_date" : "2024-08-07T00:00:00Z",
    "advisory" : "RHSA-2024:5094",
    "cpe" : "cpe:/a:redhat:service_mesh:2.6::el8",
    "package" : "openshift-service-mesh/kiali-ossmc-rhel8:1.73.10-3"
  }, {
    "product_name" : "Red Hat OpenShift Service Mesh 2.6 for RHEL 8",
    "release_date" : "2024-08-07T00:00:00Z",
    "advisory" : "RHSA-2024:5094",
    "cpe" : "cpe:/a:redhat:service_mesh:2.6::el8",
    "package" : "openshift-service-mesh/kiali-rhel8:1.73.9-2"
  }, {
    "product_name" : "Red Hat OpenShift Service Mesh 2.6 for RHEL 8",
    "release_date" : "2024-08-07T00:00:00Z",
    "advisory" : "RHSA-2024:5094",
    "cpe" : "cpe:/a:redhat:service_mesh:2.6::el8",
    "package" : "openshift-service-mesh/kiali-rhel8-operator:1.73.10-2"
  }, {
    "product_name" : "Red Hat OpenShift Service Mesh 2.6 for RHEL 8",
    "release_date" : "2024-08-07T00:00:00Z",
    "advisory" : "RHSA-2024:5094",
    "cpe" : "cpe:/a:redhat:service_mesh:2.6::el8",
    "package" : "openshift-service-mesh/pilot-rhel8:2.6.0-19"
  }, {
    "product_name" : "Red Hat OpenShift Service Mesh 2.6 for RHEL 8",
    "release_date" : "2024-08-07T00:00:00Z",
    "advisory" : "RHSA-2024:5094",
    "cpe" : "cpe:/a:redhat:service_mesh:2.6::el8",
    "package" : "openshift-service-mesh/ratelimit-rhel8:2.6.0-8"
  }, {
    "product_name" : "Red Hat OpenShift Service Mesh 2.6 for RHEL 9",
    "release_date" : "2024-08-07T00:00:00Z",
    "advisory" : "RHSA-2024:5094",
    "cpe" : "cpe:/a:redhat:service_mesh:2.6::el9",
    "package" : "openshift-service-mesh/proxyv2-rhel9:2.6.0-18"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces (RHOSDS) 3.23",
    "release_date" : "2025-09-15T00:00:00Z",
    "advisory" : "RHSA-2025:15847",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3.23::el9",
    "package" : "devspaces/traefik-rhel9:sha256:15a4a74016cdb94aece0bc651edd221b72a9202e5fd414d30ae969707cb5b4c9"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Affected",
    "package_name" : "rhacm2/lighthouse-agent-rhel9",
    "cpe" : "cpe:/a:redhat:acm:2"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-22189\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-22189\nhttps://github.com/quic-go/quic-go/commit/4a99b816ae3ab03ae5449d15aac45147c85ed47a\nhttps://github.com/quic-go/quic-go/security/advisories/GHSA-c33x-xqrf-c478\nhttps://seemann.io/posts/2024-03-19-exploiting-quics-connection-id-management" ],
  "name" : "CVE-2024-22189",
  "csaw" : false
}