Security
Headlines
HeadlinesLatestCVEs

Headline

Red Hat Security Advisory 2024-8974-03

Red Hat Security Advisory 2024-8974-03 - Red Hat Advanced Cluster Management for Kubernetes 2.12.0 GA release images are now available, which contain security and bug fixes.

Packet Storm
#vulnerability#red_hat#js#kubernetes#auth#jira#ssl

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8974.json

Red Hat officially shut down their mailing list notifications October 10, 2023. Due to this, Packet Storm has recreated the below data as a reference point to raise awareness. It must be noted that due to an inability to easily track revision updates without crawling Red Hat’s archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

  • Packet Storm Staff

====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat Advanced Cluster Management 2.12.0 security and bug fixes
Advisory ID: RHSA-2024:8974-03
Product: Red Hat ACM
Advisory URL: https://access.redhat.com/errata/RHSA-2024:8974
Issue date: 2024-11-11
Revision: 03
CVE Names: CVE-2023-37788
====================================================================

Summary:

Red Hat Advanced Cluster Management for Kubernetes 2.12.0 GA release images are now available, which contain security and bug fixes.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.

Description:

Red Hat Advanced Cluster Management for Kubernetes 2.12.0 images

Red Hat Advanced Cluster Management for Kubernetes provides the
capabilities to address common challenges that administrators and site
reliability engineers face as they work across a range of public and
private cloud environments. Clusters and applications are all visible and
managed from a single console—with security policy built in.

This advisory contains the container images for Red Hat Advanced Cluster
Management for Kubernetes, which fix several bugs. See the following
Release Notes documentation, which will be updated shortly for this
release, for additional details about this release:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.12/html/release_notes/

Security fix(es):

CVE-2024-48949 Missing Validation in Elliptic’s EDDSA Signature Verification

Jira issues fixed:

  • ACM-11757: Managed clusters flip between Available and Degraded
  • ACM-12215: Provisioning OpenShift on OpenStack fails. The bootstrap node is failing to get the ignition image from Glance. Failing with tls: failed to verify certificate: x509: certificate signed by unknown authority.
  • ACM-12372: multicluster-observability-operator pod restarts with fatal error concurrent map writes
  • ACM-12738: Endpointmetrics does not reconcile CMO Config changes
  • ACM-13066: upgrade from a 2.10 that failed to update MCE to a 2.11 was possible
  • ACM-13149: cluster-monitoring-config retains old Hub for metrics forwarding after transfer to new Hub
  • ACM-14172: Observability pods should not inherit the defaultNodeSelector from the scheduler

Solution:

https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.12/html/install/installing

CVEs:

CVE-2023-37788

References:

https://access.redhat.com/security/updates/classification/#important
https://issues.redhat.com/browse/ACM-11757
https://issues.redhat.com/browse/ACM-12215
https://issues.redhat.com/browse/ACM-12372
https://issues.redhat.com/browse/ACM-12738
https://issues.redhat.com/browse/ACM-13066
https://issues.redhat.com/browse/ACM-13149
https://issues.redhat.com/browse/ACM-14172

Related news

Red Hat Security Advisory 2024-8546-03

Red Hat Security Advisory 2024-8546-03 - Red Hat Advanced Cluster Management for Kubernetes 2.9.5 General Availability release images, which fix bugs and update container images.

Red Hat Security Advisory 2024-8533-03

Red Hat Security Advisory 2024-8533-03 - Multicluster Engine for Kubernetes 2.4.6 General Availability release images, which fix bugs and update container images.

Red Hat Security Advisory 2024-8351-03

Red Hat Security Advisory 2024-8351-03 - An update for the grafana:7.3.6 module is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.

Red Hat Security Advisory 2024-7994-03

Red Hat Security Advisory 2024-7994-03 - Red Hat Advanced Cluster Management for Kubernetes 2.11.3 General Availability release images, bug fixes, and updated container images.

GHSA-434g-2637-qmqr: Elliptic's verify function omits validation

The Elliptic package 6.5.5 for Node.js for EDDSA implementation does not perform the required check if the signature proof(s) is within the bounds of the order n of the base point of the elliptic curve, leading to signature malleability. Namely, the `verify` function in `lib/elliptic/eddsa/index.js` omits `sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()` validation. This vulnerability could have a security-relevant impact if an application relies on the uniqueness of a signature.

Red Hat Security Advisory 2024-3479-03

Red Hat Security Advisory 2024-3479-03 - Updated container images are now available for director Operator for Red Hat OpenStack Platform 16.2 for RHEL 8.4. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-5407-01

Red Hat Security Advisory 2023-5407-01 - OpenShift GitOps KAM OpenShift GitOps Kubernetes Application Manager CLI tool. Issues addressed include a denial of service vulnerability.

RHSA-2023:5407: Red Hat Security Advisory: openshift-gitops-kam security update

An update for openshift-gitops-kam is now available for Red Hat OpenShift GitOps 1.10. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-37788: A flaw was found in goproxy, which is vulnerable to a denial of service caused by improper input validation. This flaw allows a remote attacker can cause the goproxy server to crash by sending a specially crafted HTTP request to the HTTPS page, replacing the path "/" with an asterisk "*".

GHSA-4r8x-2p26-976p: goproxy Denial of Service vulnerability

goproxy v1.1 was discovered to contain an issue which can lead to a Denial of service (DoS) via unspecified vectors.

Packet Storm: Latest News

Acronis Cyber Protect/Backup Remote Code Execution