CVE-2024-47522 Overview
CVE-2024-47522 is a denial-of-service vulnerability in Suricata, the open-source Intrusion Detection System (IDS), Intrusion Prevention System (IPS), and Network Security Monitoring engine maintained by the Open Information Security Foundation (OISF). Versions prior to 7.0.7 abort with a panic when processing TLS or QUIC traffic that contains an invalid Application-Layer Protocol Negotiation (ALPN) value, provided that JA4 fingerprint matching or logging is enabled. An unauthenticated remote attacker can crash the sensor by sending a single crafted handshake. The flaw is tracked under [CWE-617: Reachable Assertion].
Critical Impact
Remote attackers can disable a Suricata sensor without authentication by sending crafted TLS or QUIC traffic, removing network detection and prevention coverage.
Affected Products
- OISF Suricata versions prior to 7.0.7
- Deployments with JA4 matching enabled in rules
- Deployments with JA4 logging enabled in EVE output
Discovery Timeline
- 2024-10-16 - CVE-2024-47522 published to NVD
- 2025-09-25 - Last updated in NVD database
Technical Details for CVE-2024-47522
Vulnerability Analysis
The vulnerability resides in Suricata's JA4 fingerprinting code path. JA4 is a fingerprinting method that extracts fields from TLS and QUIC ClientHello messages, including the list of advertised ALPN values. When the engine parses a handshake containing an ALPN entry that violates Suricata's input assumptions, the JA4 logic triggers an unrecoverable runtime panic instead of handling the malformed input gracefully.
The result is a full process abort. Because Suricata is typically deployed inline (IPS) or as a passive sensor (IDS), the crash terminates packet inspection and removes detection coverage until the process is restarted. Attackers do not need authentication, prior access, or user interaction — any TLS or QUIC flow that traverses the sensor and reaches the JA4 parser is sufficient.
OISF resolved the issue in Suricata 7.0.7. Operators that cannot upgrade immediately can disable JA4 functionality as a temporary workaround.
Root Cause
The root cause is improper input validation in the JA4 ALPN handler, which reaches an assertion or unrecoverable error condition when the ALPN field contains values outside the expected character or length constraints. Rather than discarding the flow or logging a parsing error, the code path aborts the process [CWE-617].
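To make the failure mode and its fix concrete, here is an added Rust example (not Suricata's own code, and not a reproduction of the actual defect in its JA4 module). It parses a TLS ALPN extension body as defined in RFC 7301 through bounds-checked accessors so that a truncated list, a zero-length entry, an empty list or non-printable bytes come back as an error the caller can log and skip, then derives the JA4-style ALPN field (first and last character of the first value, "00" when absent). The policy of rejecting non-printable values and returning `None` for non-alphanumeric ends is this example's own choice, not the JA4 specification's rule. The `naive_first_last` function is an illustrative anti-pattern showing how unchecked indexing turns malformed input into a process-wide panic.

```rust
/// Error returned by the hardened parser instead of a panic.
#[derive(Debug, PartialEq, Eq)]
pub enum AlpnError {
    /// A length field points past the end of the available bytes.
    Truncated,
    /// RFC 7301 requires every ProtocolName to be at least one byte long.
    EmptyEntry,
    /// A ProtocolNameList with zero entries.
    EmptyList,
    /// This example's own policy: only printable ASCII is fingerprinted.
    NonPrintable,
}

/// Parse the body of a TLS ALPN extension (RFC 7301 ProtocolNameList:
/// a 2-byte list length, then entries of 1-byte length + name bytes).
/// Every slice access goes through `get()`, so malformed input produces
/// `Err` and the caller can skip the fingerprint instead of aborting.
pub fn parse_alpn_list(body: &[u8]) -> Result<Vec<String>, AlpnError> {
    let hi = *body.first().ok_or(AlpnError::Truncated)?;
    let lo = *body.get(1).ok_or(AlpnError::Truncated)?;
    let list_len = u16::from_be_bytes([hi, lo]) as usize;
    let list = body.get(2..2 + list_len).ok_or(AlpnError::Truncated)?;

    let mut names = Vec::new();
    let mut pos = 0;
    while pos < list.len() {
        let n = *list.get(pos).ok_or(AlpnError::Truncated)? as usize;
        if n == 0 {
            return Err(AlpnError::EmptyEntry);
        }
        let raw = list
            .get(pos + 1..pos + 1 + n)
            .ok_or(AlpnError::Truncated)?;
        if !raw.iter().all(u8::is_ascii_graphic) {
            return Err(AlpnError::NonPrintable);
        }
        // Every byte was just checked to be printable ASCII, so this is lossless.
        names.push(String::from_utf8_lossy(raw).into_owned());
        pos += 1 + n;
    }
    if names.is_empty() {
        return Err(AlpnError::EmptyList);
    }
    Ok(names)
}

/// JA4 ALPN field: first and last character of the first advertised ALPN
/// value, "00" when no ALPN is present. If the first or last byte is not
/// ASCII alphanumeric this example returns `None` (skip the fingerprint);
/// the JA4 spec has its own rule for that case, not reproduced here.
pub fn ja4_alpn_component(names: &[String]) -> Option<String> {
    let first = match names.first() {
        None => return Some("00".to_string()),
        Some(n) => n,
    };
    let b = first.as_bytes();
    match (b.first(), b.last()) {
        (Some(f), Some(l)) if f.is_ascii_alphanumeric() && l.is_ascii_alphanumeric() => {
            Some(format!("{}{}", *f as char, *l as char))
        }
        _ => None,
    }
}

/// Illustrative anti-pattern (not Suricata's code): direct indexing with
/// no length check panics on an empty value instead of returning an error.
pub fn naive_first_last(alpn: &str) -> (u8, u8) {
    let b = alpn.as_bytes();
    (b[0], b[b.len() - 1])
}

fn main() {
    // Constructed ClientHello ALPN extension body advertising h2 and http/1.1.
    let body = [0x00, 0x0c, 0x02, b'h', b'2', 0x08, b'h', b't', b't', b'p', b'/', b'1', b'.', b'1'];
    match parse_alpn_list(&body) {
        Ok(names) => println!("alpn {:?} -> ja4 field {:?}", names, ja4_alpn_component(&names)),
        Err(e) => println!("malformed ALPN, skipping fingerprint: {:?}", e),
    }
    // A zero-length entry is rejected instead of crashing the engine.
    println!("{:?}", parse_alpn_list(&[0x00, 0x01, 0x00]));
}
```

The design point is that a sensor parsing untrusted wire data must treat every length field as hostile: returning `Result` lets the engine drop one fingerprint for one flow, whereas a panic in a worker thread takes the whole process, and with it all inspection, offline.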
Attack Vector
Exploitation requires only network access to a path monitored by a vulnerable Suricata sensor. An attacker initiates a TLS or QUIC connection with a ClientHello containing a malformed ALPN extension. When the sensor parses the handshake with JA4 enabled, the engine panics and exits. Repeated handshakes can prevent the sensor from staying online after restart, producing a sustained denial of service against the monitoring or prevention capability.
No verified public exploit code is available for this issue. See the OISF GitHub Security Advisory GHSA-w5xv-6586-jpm7 and OISF Redmine issue 7267 for vendor-confirmed technical details.
Detection Methods for CVE-2024-47522
Indicators of Compromise
- Unexpected Suricata process termination or panic messages in suricata.log referencing JA4 or ALPN parsing
- Gaps in eve.json output coinciding with TLS or QUIC handshake events from a single source
- Repeated systemd or service-manager restarts of the suricata unit shortly after inbound TLS/QUIC traffic
Detection Strategies
- Monitor Suricata stderr and journal output for Rust panic stack traces that reference JA4 modules
- Correlate sensor downtime with packet captures of preceding TLS ClientHello or QUIC Initial packets containing unusual ALPN values
- Compare deployed Suricata versions against 7.0.7 using configuration management or asset inventory data
Monitoring Recommendations
- Alert on any abnormal exit of the Suricata process, treating sensor unavailability as a security event
- Track JA4 configuration state (the ja4-fingerprints setting under the tls and quic app-layer protocols in suricata.yaml) across the fleet to identify exposed sensors
- Watch for source IPs generating malformed handshakes immediately before sensor crashes for attribution
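The indicators and detection strategies above (panic traces mentioning JA4, abnormal exits of the suricata unit, and version comparison against 7.0.7) can be turned into a small triage routine. The following Rust code is an added example, not part of the page or of Suricata; the journal lines it scans are constructed samples in the style of a systemd journal, the source path inside the panic line is illustrative, and the version strings are assumed to come from `suricata --build-info` or an asset inventory.

```rust
/// Constructed journal excerpt (not real Suricata output): a worker thread
/// panics while handling a handshake, then systemd reports the abnormal exit
/// and schedules a restart. The source path in the panic line is illustrative.
pub const SAMPLE_JOURNAL: &[&str] = &[
    "Oct 16 10:01:02 sensor1 suricata[1234]: <Notice> - all 4 packet processing threads, 4 management threads initialized, engine started.",
    "Oct 16 10:07:44 sensor1 suricata[1234]: thread 'W#01-eth0' panicked at 'index out of bounds: the len is 0 but the index is 0', rust/src/ja4.rs:1:1",
    "Oct 16 10:07:44 sensor1 systemd[1]: suricata.service: Main process exited, code=dumped, status=6/ABRT",
    "Oct 16 10:07:45 sensor1 systemd[1]: suricata.service: Scheduled restart job, restart counter is at 1.",
    "Oct 16 10:08:03 sensor1 sshd[222]: Accepted publickey for ops from 10.0.0.5 port 51000",
];

/// Version at which OISF shipped the fix, per the advisory.
pub const FIXED_VERSION: (u32, u32, u32) = (7, 0, 7);

/// True for a Rust panic trace that mentions the JA4 or ALPN code path.
pub fn is_ja4_panic(line: &str) -> bool {
    let l = line.to_ascii_lowercase();
    l.contains("panicked at") && (l.contains("ja4") || l.contains("alpn"))
}

/// Indices of journal lines that look like JA4/ALPN panics.
pub fn find_ja4_panics(lines: &[&str]) -> Vec<usize> {
    lines
        .iter()
        .enumerate()
        .filter(|(_, l)| is_ja4_panic(l))
        .map(|(i, _)| i)
        .collect()
}

/// Count systemd reports of the suricata unit exiting abnormally.
pub fn count_abnormal_exits(lines: &[&str]) -> usize {
    lines
        .iter()
        .filter(|l| {
            l.contains("suricata.service: Main process exited") && !l.contains("status=0/SUCCESS")
        })
        .count()
}

/// Treat sensor loss as a security event: a JA4 panic followed by an
/// abnormal exit is the combination the indicators above describe.
pub fn sensor_needs_attention(lines: &[&str]) -> bool {
    !find_ja4_panics(lines).is_empty() && count_abnormal_exits(lines) > 0
}

/// Pull the first x.y.z token out of free text such as the output of
/// `suricata --build-info`, dropping any "-dev" style suffix.
pub fn parse_version(text: &str) -> Option<(u32, u32, u32)> {
    for token in text.split_whitespace() {
        let core = token.split('-').next().unwrap_or(token);
        let parts: Vec<u32> = core.split('.').filter_map(|p| p.parse::<u32>().ok()).collect();
        if parts.len() == 3 {
            return Some((parts[0], parts[1], parts[2]));
        }
    }
    None
}

/// Some(true) if the version is 7.0.7 or later, Some(false) if it falls in
/// the advisory's affected range, None if no version could be parsed.
pub fn is_fixed_version(text: &str) -> Option<bool> {
    parse_version(text).map(|v| v >= FIXED_VERSION)
}

fn main() {
    println!("JA4 panic lines: {:?}", find_ja4_panics(SAMPLE_JOURNAL));
    println!("abnormal exits: {}", count_abnormal_exits(SAMPLE_JOURNAL));
    println!("sensor needs attention: {}", sensor_needs_attention(SAMPLE_JOURNAL));
    for v in ["This is Suricata version 7.0.6 RELEASE", "7.0.7-dev", "unknown"] {
        println!("{:?} fixed: {:?}", v, is_fixed_version(v));
    }
}
```

In a real deployment the journal lines would come from `journalctl -u suricata` and the version strings from configuration management; the point of keeping the checks as pure functions is that the same logic can run in a SIEM rule, a cron job, or a fleet-wide inventory report.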
How to Mitigate CVE-2024-47522
Immediate Actions Required
- Upgrade all Suricata instances to version 7.0.7 or later, which contains the fix from OISF
- If immediate upgrade is not possible, disable JA4 matching and logging in suricata.yaml and reload the engine
- Inventory all IDS/IPS sensors to confirm patch status and JA4 configuration
Patch Information
OISF released Suricata 7.0.7 to remediate this issue. The fix and additional context are documented in the OISF GitHub Security Advisory GHSA-w5xv-6586-jpm7 and the OISF Redmine tracker entry 7267. Operators should validate the upgrade in a staging environment before deploying to production sensors that handle high-volume traffic.
Workarounds
- Disable JA4 fingerprint logging by setting ja4-fingerprints to no under both the tls and quic app-layer protocol sections in suricata.yaml
- Remove or comment out any rules using the ja4.hash keyword until the engine is patched
- Restart Suricata after configuration changes and confirm via suricata --build-info that JA4 paths are inactive
# suricata.yaml: disable JA4 as a temporary workaround
app-layer:
  protocols:
    tls:
      enabled: yes
      ja4-fingerprints: no
    quic:
      enabled: yes
      ja4-fingerprints: no

# Reload Suricata to apply the configuration
sudo systemctl restart suricata

# Verify version is 7.0.7 or later after upgrade
suricata --build-info | grep -i version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.