Headline
Red Hat Security Advisory 2023-3229-01
Red Hat Security Advisory 2023-3229-01 - An update for openshift-gitops-kam is now available for Red Hat OpenShift GitOps 1.8. Red Hat Product Security has rated this update as having a security impact of Important. Issues addressed include a bypass vulnerability.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: openshift-gitops-kam security update
Advisory ID: RHSA-2023:3229-01
Product: Red Hat OpenShift GitOps
Advisory URL: https://access.redhat.com/errata/RHSA-2023:3229
Issue date: 2023-05-18
CVE Names: CVE-2022-1996
=====================================================================
- Summary:
An update for openshift-gitops-kam is now available for Red Hat OpenShift
GitOps 1.8.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat OpenShift GitOps 1.8 - aarch64, ppc64le, s390x, x86_64
- Description:
Security Fix(es):
- go-restful: Authorization Bypass Through User-Controlled Key
(CVE-2022-1996)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
- Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
2094982 - CVE-2022-1996 go-restful: Authorization Bypass Through User-Controlled Key
- Package List:
Red Hat OpenShift GitOps 1.8:
Source:
openshift-gitops-kam-1.8.3-6.el8.src.rpm
aarch64:
openshift-gitops-kam-1.8.3-6.el8.aarch64.rpm
ppc64le:
openshift-gitops-kam-1.8.3-6.el8.ppc64le.rpm
s390x:
openshift-gitops-kam-1.8.3-6.el8.s390x.rpm
x86_64:
openshift-gitops-kam-1.8.3-6.el8.x86_64.rpm
openshift-gitops-kam-redistributable-1.8.3-6.el8.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2022-1996
https://access.redhat.com/security/updates/classification/#important
https://docs.openshift.com/container-platform/latest/cicd/gitops/understanding-openshift-gitops.html
- Contact:
The Red Hat security contact is [email protected]. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBZGa7PNzjgjWX9erEAQheAxAAi8ht7PJT/ROGK79wue83Kensu6/1iOJJ
hyhvbJCSyphlyGUl9PBjTrpCU3/TjUuftPFFUkl3r+98ru8R/ev2WDbV2afd32B6
r3dyT41+qGhHxbwWP5il5amK6zyNfQJu1KV70GeGALID32712NjltGlESQOIC8NY
4/UdNRz1TdQywkhKsuuSJD5O0PWrwuRY+3tmBf8+/RRcVGYVZN9Q4e9EwBPcXrh3
eHID1oq/K8sWayzFiQ9C1Mi6NcfnHJrcn9lJvlAvZWVUE4L8zn5uXLGqtAW2dNss
+Ru9GJIfO5h6caueVAmg3iVCkef0VI8uDGQASsbi1w+wwAa+6f9witZgyK/PLI02
2Z4I6F2m2y+j0iYsOhxtO2G3KqGANpHGvt8DZiTdafIqlzZEFS+TqE2eLHY3cHGK
/IgsXXUNhHqP1he82AR6XWDLHyBEHNIJ7pYTdprr+bjuxhDXSLY7oxcsLp0m/5kK
A9NLGXCHcsofhWYGqryTG4pPqEcO2cphgIa5HfMrNdpucGYwx7ZnZKCvrnfVHH0S
cdDilsWy+W9QN/T5hzGAU3EsGxNIVVYBseSO6XN56Ohy8LmwRUmZpOczGJkwzbMJ
DesMBYtNiAlkPgknmbQY1pF4d++qZkXm5eQX1lGX5PwKNyqTn9BP9tv1SLCe5EGo
6b9Cdmg6Wes=
=rsKr
-----END PGP SIGNATURE-----
–
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce
Related news
Red Hat Security Advisory 2023-3557-01 - OpenShift GitOps KAM OpenShift GitOps Kubernetes Application Manager CLI tool. Issues addressed include a bypass vulnerability.
Red Hat Security Advisory 2023-0814-01 - The Cryostat 2 on RHEL 8 container images have been updated to fix "CVE-2022-1996 go-restful: Authorization Bypass Through User-Controlled Key" and to address the following security advisory: RHSA-2023:0625 Users of Cryostat 2 on RHEL 8 container images are advised to upgrade to these updated images, which contain backported patches to correct these security issues, fix these bugs and add these enhancements. Users of these images are also encouraged to rebuild all container images that depend on these images. Issues addressed include bypass, code execution, and integer overflow vulnerabilities.
Updated Cryostat 2 on RHEL 8 container images are now availableThis content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1996: A flaw was found in CORS Filter feature from the go-restful package. When a user inputs a domain which is in AllowedDomains, all domains starting with the same pattern are accepted. This issue could allow an attacker to break the CORS policy by allowing any page to make requests and retrieve data on behalf of users.
Red Hat Security Advisory 2022-8609-01 - OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. This advisory contains OpenShift Virtualization 4.9.7 images. Issues addressed include a bypass vulnerability.
Red Hat OpenShift Virtualization release 4.9.7 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1996: go-restful: Authorization Bypass Through User-Controlled Key
Red Hat Security Advisory 2022-6351-01 - OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. This advisory contains the following OpenShift Virtualization 4.10.5 images: RHEL-8-CNV-4.10. Issues addressed include a bypass vulnerability.
Red Hat Security Advisory 2022-6040-01 - Version 1.24.0 of the OpenShift Serverless Operator is supported on Red Hat OpenShift Container Platform versions 4.6, 4.7, 4.8, 4.9, 4.10, and 4.11. This release includes security and bug fixes, and enhancements. Issues addressed include bypass and denial of service vulnerabilities.
Red Hat Security Advisory 2022-6042-01 - Red Hat OpenShift Serverless Client kn 1.24.0 provides a CLI to interact with Red Hat OpenShift Serverless 1.24.0. The kn CLI is delivered as an RPM package for installation on RHEL platforms, and as binaries for non-Linux platforms. Issues addressed include bypass and denial of service vulnerabilities.
Release of OpenShift Serverless 1.24.0 The References section contains CVE links providing detailed severity ratings for each vulnerability. Ratings are based on a Common Vulnerability Scoring System (CVSS) base score.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-1962: golang: go/parser: stack exhaustion in all Parse* functions * CVE-2022-1996: go-restful: Authorization Bypass Through User-Controlled Key * CVE-2022-21698: prometheus/client_golang: Denial of service using InstrumentHandlerCounter * CVE-2022-24675: golang: encoding/pem: fix stack overflow in Decode * CVE-2022-24921: golang: regexp: stack exhaustion via a deeply nested expression * C...
Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3.8.0.
Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3.8.0.