Описание
quic-go is an implementation of the QUIC protocol in Go. In versions prior to 0.49.0, 0.54.1, and 0.55.0, a misbehaving or malicious server can cause a denial-of-service (DoS) attack on the quic-go client by triggering an assertion failure, leading to a process crash. This requires no authentication and can be exploited during the handshake phase. This was observed in the wild with certain server implementations. quic-go needs to be able to handle misbehaving server implementations, including those that prematurely send a HANDSHAKE_DONE frame. Versions 0.49.0, 0.54.1, and 0.55.0 discard Initial keys when receiving a HANDSHAKE_DONE frame, thereby correctly handling premature HANDSHAKE_DONE frames.
A denial of service flaw has been discovered in the quic-go golang library. A misbehaving or malicious server can cause a denial-of-service (DoS) attack on the quic-go client by triggering an assertion failure, leading to a process crash. This requires no authentication and can be exploited during the handshake phase. This was observed in the wild with certain server implementations.
Отчет
The availability risk is limited to applications which includethe quic-go library. Host Red Hat systems are not at risk of availability degradation.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| OpenShift Service Mesh 2 | openshift-service-mesh/grafana-rhel8 | Affected | ||
| OpenShift Service Mesh 2 | openshift-service-mesh/istio-cni-rhel8 | Affected | ||
| OpenShift Service Mesh 2 | openshift-service-mesh/istio-must-gather-rhel9 | Affected | ||
| OpenShift Service Mesh 2 | openshift-service-mesh/istio-operator-bundle | Affected | ||
| OpenShift Service Mesh 2 | openshift-service-mesh/istio-rhel8-operator | Affected | ||
| OpenShift Service Mesh 2 | openshift-service-mesh/pilot-rhel8 | Affected | ||
| OpenShift Service Mesh 2 | openshift-service-mesh/proxyv2-rhel9 | Affected | ||
| OpenShift Service Mesh 2 | openshift-service-mesh/ratelimit-rhel8 | Affected | ||
| OpenShift Service Mesh 3 | openshift-service-mesh-dev-preview-beta/istio-ztunnel-rhel9 | Not affected | ||
| OpenShift Service Mesh 3 | openshift-service-mesh/istio-cni-rhel9 | Not affected |
Показывать по
Ссылки на источники
Дополнительная информация
Статус:
EPSS
5.3 Medium
CVSS3
Связанные уязвимости
quic-go is an implementation of the QUIC protocol in Go. In versions prior to 0.49.0, 0.54.1, and 0.55.0, a misbehaving or malicious server can cause a denial-of-service (DoS) attack on the quic-go client by triggering an assertion failure, leading to a process crash. This requires no authentication and can be exploited during the handshake phase. This was observed in the wild with certain server implementations. quic-go needs to be able to handle misbehaving server implementations, including those that prematurely send a HANDSHAKE_DONE frame. Versions 0.49.0, 0.54.1, and 0.55.0 discard Initial keys when receiving a HANDSHAKE_DONE frame, thereby correctly handling premature HANDSHAKE_DONE frames.
quic-go is an implementation of the QUIC protocol in Go. In versions prior to 0.49.0, 0.54.1, and 0.55.0, a misbehaving or malicious server can cause a denial-of-service (DoS) attack on the quic-go client by triggering an assertion failure, leading to a process crash. This requires no authentication and can be exploited during the handshake phase. This was observed in the wild with certain server implementations. quic-go needs to be able to handle misbehaving server implementations, including those that prematurely send a HANDSHAKE_DONE frame. Versions 0.49.0, 0.54.1, and 0.55.0 discard Initial keys when receiving a HANDSHAKE_DONE frame, thereby correctly handling premature HANDSHAKE_DONE frames.
quic-go has Client Crash Due to Premature HANDSHAKE_DONE Frame
quic-go is an implementation of the QUIC protocol in Go. In versions p ...
quic-go: Panic occurs when queuing undecryptable packets after handshake completion
EPSS
5.3 Medium
CVSS3