CVE-2022-29189: 
Linux Debian vulnerability analysis and mitigation

Pion DTLS, a Go implementation of Datagram Transport Layer Security, was found to have a vulnerability (CVE-2022-29189) prior to version 2.1.4. The vulnerability was discovered and reported by the Mattermost security team, where a buffer used for inbound network traffic had no upper limit during the handshake process (GitHub Advisory).

The vulnerability stems from an unbounded buffer that was used for inbound network traffic during the DTLS handshake process. The system would continue to buffer all network traffic from remote users until either the handshake completed or timed out, without any size restrictions. The issue was addressed in version 2.1.4 by implementing a 2-megabyte limit on the fragment buffer (GitHub Commit). The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Moderate) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (GitHub Advisory).

An attacker could exploit this vulnerability to cause excessive memory usage in the target system by sending large amounts of data during the DTLS handshake process. This could potentially lead to resource exhaustion and affect system availability (GitHub Advisory).

The vulnerability has been patched in Pion DTLS version 2.1.4. Users are strongly advised to upgrade to this version as there are no alternative workarounds available (GitHub Advisory).