CVE-2024-47522: 
Suricata vulnerability analysis and mitigation

Suricata, a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine, was found to contain a vulnerability (CVE-2024-47522) prior to version 7.0.7. The vulnerability was discovered where invalid ALPN (Application-Layer Protocol Negotiation) in TLS/QUIC traffic could lead to Suricata aborting with a panic when JA4 matching/logging is enabled (NVD, GitHub Advisory).

The vulnerability stems from improper handling of non-alphanumeric characters in ALPN, which can trigger a panic in the JA4 fingerprinting functionality. The issue occurs specifically in the ALPN extension value processing, where the source slice length does not match the destination slice length, causing a panic in the Rust implementation at src/ja4.rs:265:16. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH), with attack vector: Network, attack complexity: Low, privileges required: None, user interaction: None, scope: Unchanged, and high impact on availability (GitHub Advisory).

When exploited, this vulnerability can cause Suricata to abort operations with a panic, effectively creating a denial of service condition. This is particularly impactful for systems relying on Suricata for network security monitoring and intrusion detection, as it could leave networks vulnerable during the outage (GitHub Advisory).

The vulnerability has been patched in Suricata version 7.0.7. For users unable to update immediately, there are two workaround options: For TLS, JA4 can be disabled in the tls section of the app-layer configuration by setting ja4-fingerprints to false. For QUIC, since it doesn't have a JA4 feature flag, it's recommended to disable QUIC entirely until Suricata can be updated by setting 'app-layer.quic.enabled: false' (GitHub Advisory).