Security
Headlines
HeadlinesLatestCVEs

Headline

Red Hat Security Advisory 2023-0772-01

Red Hat Security Advisory 2023-0772-01 - Red Hat build of MicroShift is Red Hat’s light-weight Kubernetes orchestration solution designed for edge device deployments and is built from the edge capabilities of Red Hat OpenShift. MicroShift is an application that is deployed on top of Red Hat Enterprise Linux devices at the edge, providing an efficient way to operate single-node clusters in these low-resource environments. This advisory contains the RPM packages for Red Hat build of MicroShift 4.12.4.

Packet Storm
#vulnerability#linux#red_hat#nodejs#kubernetes#auth#rpm#jira

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
Red Hat Security Advisory

Synopsis: Moderate: OpenShift Container Platform 4.12.4 security update
Advisory ID: RHSA-2023:0772-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2023:0772
Issue date: 2023-02-20
CVE Names: CVE-2022-3162
====================================================================

  1. Summary:

Red Hat build of MicroShift release 4.12.4 is now available with updates to
packages and images that fix several bugs.

This release includes a security update for the Red Hat build of MicroShift
4.12.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

  1. Relevant releases/architectures:

Red Hat OpenShift Container Platform 4.12 - noarch, x86_64

  1. Description:

Red Hat build of MicroShift is Red Hat’s light-weight Kubernetes
orchestration solution designed for edge device deployments and is built
from the edge capabilities of Red Hat OpenShift. MicroShift is an
application that is deployed on top of Red Hat Enterprise Linux devices at
the edge, providing an efficient way to operate single-node clusters in
these low-resource environments.

This advisory contains the RPM packages for Red Hat build of MicroShift
4.12.4. See the following advisory for the container images for this
release:

https://access.redhat.com/errata/RHSA-2023:0769

Security Fix(es):

  • kubernetes: Unauthorized read of Custom Resources (CVE-2022-3162)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section. All the bug fixes may not be
documented in this advisory. See the following release notes documentation
for details about these changes:

https://access.redhat.com/documentation/en-us/microshift/4.12/html/release_notes/index

All Red Hat build of MicroShift 4.12 users are advised to use these updated
packages and images when they are available in the RPM repository.

  1. Solution:

MicroShift 4.12.4 - RPMs

For MicroShift 4.12, read the following documentation, which will be
updated shortly for this release, for important instructions on how to
install the latest RPMs and fully apply this asynchronous errata update:

https://access.redhat.com/documentation/en-us/red_hat_build_of_microshift/4.12/html/release_notes/index

  1. Bugs fixed (https://bugzilla.redhat.com/):

2136673 - CVE-2022-3162 kubernetes: Unauthorized read of Custom Resources

  1. JIRA issues fixed (https://issues.jboss.org/):

OCPBUGS-6908 - service configured with a nodeport can’t be reached until after restart of ovnkube-master

  1. Package List:

Red Hat OpenShift Container Platform 4.12:

Source:
microshift-4.12.4-202302151633.p0.gb9fe8ac.assembly.4.12.4.el8.src.rpm

noarch:
microshift-release-info-4.12.4-202302151633.p0.gb9fe8ac.assembly.4.12.4.el8.noarch.rpm
microshift-selinux-4.12.4-202302151633.p0.gb9fe8ac.assembly.4.12.4.el8.noarch.rpm

x86_64:
microshift-4.12.4-202302151633.p0.gb9fe8ac.assembly.4.12.4.el8.x86_64.rpm
microshift-networking-4.12.4-202302151633.p0.gb9fe8ac.assembly.4.12.4.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

  1. References:

https://access.redhat.com/security/cve/CVE-2022-3162
https://access.redhat.com/security/updates/classification/#moderate

  1. Contact:

The Red Hat security contact is [email protected]. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY/QQRtzjgjWX9erEAQil4g/8Ctp6xfZH+kkUe21eQL2T/Sq+ISc0iEfP
imodLD2QPMLsxUrZsupgSFE18qwnFENuCogevdAKQS2wFfc496344VFZ2z1Ur7m0
oiBwz4tNqePNlKlQSaf3Dxv4YxaZlzloMWA3+CF+qd2OP+1O38IxyQtTxhKr3V4l
OWDPB+mRmWEmhGu3DHSdKldsmdllsgfZVh6q2exEx9JuHtgDcROL+NGzX2lrAQgS
JJcPooYTWNKUx2IGqnsNht+enLnnewRp9Y4axYoq01Udl9RUaTXZCgeCoSIe6c87
iixKbL98kthNw9LsmocNqO1jcmulsGkuVpFNR14gChHwRzCCXe8pqj6iT0YfB+Jx
ykZlq2ino0qzMqnNeFnTowRhRSzZl+gusemLnPMyPXcVLhWd2+PWefqk43dKxSB3
/qr9SY1v9pm1XbSwiOrwVh64mkmkSigg88FFpgrhqafz/jTjJQ0JHOBC42Eg2q0i
D9o/uNXP6zyA6BfCeZQRs95M5mZHiIrbK3sb3fKFjGGH/rfHNTveFPOCajCJE9Dh
r72n5Xr/YA9GZvkYqcFv0WSXdVFDODPTdSktMwgXfaBNk5J1N6vP8xTz/lC0hnq/
If2joycbJ6AorEi4oiA6BRVJvvpFQb7iYm2cdduIXOd2dWQ+fZ0xWmggspt812bX
Wfs1GMTlNIk=UrNr
-----END PGP SIGNATURE-----

RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Related news

Red Hat Security Advisory 2023-3644-01

Red Hat Security Advisory 2023-3644-01 - Red Hat OpenShift Service Mesh is the Red Hat distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. This advisory covers container images for the release.

RHSA-2023:3644: Red Hat Security Advisory: Red Hat OpenShift Service Mesh Containers for 2.4.0

Red Hat OpenShift Service Mesh Containers for 2.4.0 Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-24540: A flaw was found in golang, where not all valid JavaScript white-space characters were considered white space. Due to this issue, templates containing white-space characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.

Red Hat Security Advisory 2023-2041-01

Red Hat Security Advisory 2023-2041-01 - Migration Toolkit for Applications 6.1.0 Images. Issues addressed include denial of service, privilege escalation, server-side request forgery, and traversal vulnerabilities.

RHSA-2023:2041: Red Hat Security Advisory: Migration Toolkit for Applications security and bug fix update

Migration Toolkit for Applications 6.1.0 release Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3782: A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain or possibly conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect ...

RHSA-2023:1428: Red Hat Security Advisory: Migration Toolkit for Containers (MTC) 1.7.8 security and bug fix update

The Migration Toolkit for Containers (MTC) 1.7.8 is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-36567: A flaw was found in gin. This issue occurs when the default Formatter for the Logger middleware (LoggerConfig.Formatter), which is included in the Default engine, allows attackers to inject arbitrary log entries by manipulating the request path. * CVE-2022-24999: A flaw was found in the express.js npm package. Express.js Express is vulnerable to a d...

CVE-2022-3162: CVE-2022-3162: Unauthorized read of Custom Resources · Issue #113756 · kubernetes/kubernetes

Users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group without authorization. Clusters are impacted by this vulnerability if all of the following are true: 1. There are 2+ CustomResourceDefinitions sharing the same API group 2. Users have cluster-wide list or watch authorization on one of those custom resources. 3. The same users are not authorized to read another custom resource in the same API group.

RHSA-2023:0772: Red Hat Security Advisory: OpenShift Container Platform 4.12.4 security update

Red Hat build of MicroShift release 4.12.4 is now available with updates to packages and images that fix several bugs. This release includes a security update for the Red Hat build of MicroShift 4.12. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3162: A flaw was found in kubernetes. Users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different kind in the same API group they are not authorized to read...

Red Hat Security Advisory 2023-0693-01

Red Hat Security Advisory 2023-0693-01 - The Migration Toolkit for Containers enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Issues addressed include a denial of service vulnerability.

RHSA-2023:0693: Red Hat Security Advisory: Migration Toolkit for Containers (MTC) 1.7.7 security and bug fix update

The Migration Toolkit for Containers (MTC) 1.7.7 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-43138: A vulnerability was found in the async package. This flaw allows a malicious user to obtain privileges via the mapValues() method. * CVE-2022-2879: A flaw was found in the golang package, where Reader.Read does not set a limit on the maximum size of file headers. After fixing, Reader.Read limits the maximum size of header blocks to 1 MiB. This flaw a...

Red Hat Security Advisory 2022-7399-01

Red Hat Security Advisory 2022-7399-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.12.0. Issues addressed include denial of service, memory leak, and out of bounds read vulnerabilities.

Red Hat Security Advisory 2022-7398-02

Red Hat Security Advisory 2022-7398-02 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.12.0. Issues addressed include a denial of service vulnerability.

RHSA-2022:7399: Red Hat Security Advisory: OpenShift Container Platform 4.12.0 bug fix and security update

Red Hat OpenShift Container Platform release 4.12.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.12. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-38561: golang: out-of-bounds read in golang.org/x/text/language leads to DoS * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-2879: golang: arc...

RHSA-2022:7398: Red Hat Security Advisory: OpenShift Container Platform 4.12.0 packages and security update

Red Hat OpenShift Container Platform release 4.12.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.12. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4235: go-yaml: Denial of Service in go-yaml * CVE-2022-2880: golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters * CVE-2022-2995: cri-o: incorrect handlin...

Packet Storm: Latest News

Ivanti EPM Agent Portal Command Execution