Bug 2297332 (CVE-2024-37151)

Summary: CVE-2024-37151 suricata: packet reassembly failure, which can lead to policy bypass
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: CLOSED NEXTRELEASE
Severity: medium
Priority: medium
Version: unspecified
CC: sgrubb
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A flaw was found in Suricata: mishandling of multiple fragmented packets that share the same IP ID value can cause packet reassembly to fail, which may allow configured policies to be bypassed.
Last Closed: 2024-07-12 13:44:21 UTC
Bug Depends On: 2297342, 2297343

Description OSIDB Bzimport 2024-07-11 15:20:28 UTC
Suricata is a network Intrusion Detection System (IDS), Intrusion Prevention System (IPS) and Network Security Monitoring (NSM) engine.
Mishandling of multiple fragmented packets that use the same IP ID value can cause packet reassembly to fail, which can lead to policy bypass. Upgrade to 7.0.6 or 6.0.20. When using af-packet, enable `defrag` so that the kernel reassembles fragments before Suricata sees them; this reduces the scope of the problem.
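The failure mode described above, as an added illustration that is not Suricata's code: a minimal IPv4 fragment reassembler keyed on (source, destination, protocol, IP ID) is fed two constructed datagrams from the same host pair that reuse one IP ID while the first datagram is still incomplete. With a last-fragment-wins merge the sensor emits a datagram that neither sender transmitted, so a rule written for the second datagram's content never sees it. The `drop_on_reuse` policy is one defensible alternative for a sensor that cannot know which fragments the endpoint will keep (surface an event and refuse to merge across the reuse); it is not the upstream fix. The addresses, payloads, offsets and the `ip_id_reuse` event name are all constructed here.

```python
"""Added illustration of IP ID reuse during IPv4 fragment reassembly.
This is not Suricata code; hosts, payloads and the event name are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str, int, int]      # (src, dst, protocol, IP ID): the reassembly key


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    proto: int
    ip_id: int
    offset: int          # byte offset into the original datagram (8-byte units on the wire)
    more: bool           # MF flag: set on every fragment except the last
    payload: bytes

    @property
    def key(self) -> Key:
        return (self.src, self.dst, self.proto, self.ip_id)


@dataclass
class Tracker:
    frags: Dict[int, bytes] = field(default_factory=dict)   # offset -> payload
    total: Optional[int] = None        # datagram length, known once the MF=0 fragment arrives
    firsts: int = 0                    # offset-0 fragments seen on this tracker


class Reassembler:
    def __init__(self, drop_on_reuse: bool = False) -> None:
        self.drop_on_reuse = drop_on_reuse
        self.trackers: Dict[Key, Tracker] = {}
        self.events: List[Tuple[str, Key]] = []

    def feed(self, f: Fragment) -> Optional[bytes]:
        """Add one fragment; return the reassembled datagram when it completes."""
        tr = self.trackers.setdefault(f.key, Tracker())
        if f.offset == 0:
            tr.firsts += 1
            if tr.firsts > 1:
                # A second first-fragment on a live tracker: the IP ID was reused
                # before the earlier datagram finished. Make that visible.
                self.events.append(("ip_id_reuse", f.key))
                if self.drop_on_reuse:
                    # Fail closed: the sensor cannot know which fragments the
                    # endpoint will keep, so refuse to merge across the reuse.
                    del self.trackers[f.key]
                    return None
        tr.frags[f.offset] = f.payload        # naive policy: the latest fragment wins
        if not f.more:
            tr.total = f.offset + len(f.payload)
        return self._complete(f.key, tr)

    def _complete(self, key: Key, tr: Tracker) -> Optional[bytes]:
        if tr.total is None:
            return None
        out, pos = bytearray(), 0
        while pos < tr.total:
            chunk = tr.frags.get(pos)
            if chunk is None:                 # hole: still waiting for a fragment
                return None
            out += chunk
            pos += len(chunk)
        del self.trackers[key]
        return bytes(out)


def fragments(src: str, dst: str, ip_id: int, data: bytes, size: int = 8) -> List[Fragment]:
    """Split data into fragments carrying `size` payload bytes each (TCP, proto 6)."""
    return [Fragment(src, dst, 6, ip_id, off, off + size < len(data), data[off:off + size])
            for off in range(0, len(data), size)]


def interleaved_scenario() -> List[Fragment]:
    """Constructed traffic: a benign request and a probe from the same host pair
    reuse IP ID 0x1234, and the probe's first fragment arrives mid-datagram."""
    benign = fragments("10.0.0.5", "10.0.0.9", 0x1234, b"GET /index.html")
    probe = fragments("10.0.0.5", "10.0.0.9", 0x1234, b"GET /admin/.env")
    return [benign[0], probe[0], benign[1], probe[1]]


def run(frags: List[Fragment], drop_on_reuse: bool = False):
    """Feed fragments in order; return (completed datagrams, events)."""
    r = Reassembler(drop_on_reuse)
    done = [d for d in (r.feed(f) for f in frags) if d is not None]
    return done, r.events


if __name__ == "__main__":
    for policy in (False, True):
        done, events = run(interleaved_scenario(), drop_on_reuse=policy)
        print(f"drop_on_reuse={policy}: reassembled={done} events={events}")
```

With the naive policy the only completed datagram is `GET /admex.html`, a mix of both senders' bytes, and the probe's `/admin/.env` request is never seen as a whole; with `drop_on_reuse` nothing is reassembled but the reuse is logged, which is the behaviour a sensor operator can act on.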

Comment 1 Steve Grubb 2024-07-12 13:44:21 UTC
Updates are in testing. Closing this.
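The af-packet `defrag` mitigation named in the description, as an added audit helper that is not part of Suricata: it reads the `af-packet:` section of a suricata.yaml with a deliberately small line-based parser (enough for the flat `interface:` items Suricata uses, not a general YAML parser; it assumes values contain no `#`) and reports which interfaces do not have `defrag: yes`, applying the `default` item's setting to interfaces that omit the key. The suricata.yaml excerpt is constructed. An interface that leaves `defrag` unset is reported as `unset` rather than guessed, because how Suricata treats an absent key is not stated on this page.

```python
"""Added audit helper (not Suricata code): report af-packet interfaces in a
suricata.yaml that do not explicitly enable defrag. The YAML below is constructed."""
from typing import Dict, List, Optional

SAMPLE_SURICATA_YAML = """\
%YAML 1.1
---
vars:
  address-groups:
    HOME_NET: "[10.0.0.0/8]"

af-packet:
  - interface: eth0
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: no            # explicitly off: fragments reach Suricata unassembled
  - interface: eth1
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes           # kernel reassembles before Suricata sees the packet
  - interface: eth2
    cluster-id: 97
    cluster-type: cluster_flow
  - interface: default
    threads: auto

pcap:
  - interface: eth0
"""


def _af_packet_items(yaml_text: str) -> List[Dict[str, str]]:
    """Collect the flat key/value items under 'af-packet:'. Minimal on purpose:
    assumes Suricata's usual layout and that values contain no '#'."""
    items: List[Dict[str, str]] = []
    in_section = False
    cur: Optional[Dict[str, str]] = None
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()            # strip comments
        if not line.strip():
            continue
        if not line.startswith((" ", "\t")):            # a new top-level key
            in_section = line.rstrip(":") == "af-packet"
            cur = None
            continue
        if not in_section:
            continue
        text = line.strip()
        if text.startswith("- "):                       # start of a new interface item
            cur = {}
            items.append(cur)
            text = text[2:].strip()
        if cur is None or ":" not in text:
            continue
        key, _, value = text.partition(":")
        cur[key.strip()] = value.strip().strip("'\"")
    return items


def _tri_state(value: Optional[str]) -> str:
    if value is None:
        return "unset"
    v = value.lower()
    if v in ("yes", "true", "on"):
        return "yes"
    if v in ("no", "false", "off"):
        return "no"
    return f"invalid ({value})"


def audit_af_packet_defrag(yaml_text: str) -> Dict[str, str]:
    """Map each af-packet interface to its effective defrag setting
    ('yes', 'no', 'unset' or 'invalid (...)'), honouring the 'default' item."""
    items = _af_packet_items(yaml_text)
    default = next((it for it in items if it.get("interface") == "default"), {})
    result: Dict[str, str] = {}
    for it in items:
        name = it.get("interface")
        if not name or name == "default":
            continue
        result[name] = _tri_state(it.get("defrag", default.get("defrag")))
    return result


def needs_attention(yaml_text: str) -> List[str]:
    """Interfaces that do not explicitly enable kernel defrag."""
    return [name for name, state in audit_af_packet_defrag(yaml_text).items()
            if state != "yes"]


if __name__ == "__main__":
    for name, state in audit_af_packet_defrag(SAMPLE_SURICATA_YAML).items():
        print(f"{name}: defrag={state}")
    print("needs attention:", needs_attention(SAMPLE_SURICATA_YAML))
```

Run it against a real suricata.yaml by passing the file's contents to `needs_attention`; anything it lists is an interface where fragments still reach the engine unassembled, so the upgrade to 7.0.6 or 6.0.20 is the only complete remedy there.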