Red Hat Security Advisory 2024-4591-03
Red Hat Security Advisory 2024-4591-03 - Updated images that include numerous enhancements, security, and bug fixes are now available for Red Hat OpenShift Data Foundation 4.16.0 on Red Hat Enterprise Linux 9. Issues addressed include denial of service, memory leak, and resource exhaustion vulnerabilities.
The following advisory data is extracted from:
https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4591.json
Red Hat officially shut down their mailing list notifications October 10, 2023. Due to this, Packet Storm has recreated the below data as a reference point to raise awareness. It must be noted that due to an inability to easily track revision updates without crawling Red Hat’s archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.
- Packet Storm Staff
====================================================================
Red Hat Security Advisory
Synopsis: Important: Red Hat OpenShift Data Foundation 4.16.0 security, enhancement & bug fix update
Advisory ID: RHSA-2024:4591-03
Product: Red Hat OpenShift Data Foundation
Advisory URL: https://access.redhat.com/errata/RHSA-2024:4591
Issue date: 2024-07-17
Revision: 03
CVE Names: CVE-2023-43646
====================================================================
Summary:
Updated images that include numerous enhancements, security, and bug fixes are now available for Red Hat OpenShift Data Foundation 4.16.0 on Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description:
Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. It provides highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. In addition to persistent storage, Red Hat OpenShift Data Foundation provisions a multicloud data management service with an S3-compatible API.
Security Fix(es):
get-func-name: ReDoS in chai module (CVE-2023-43646)
opentelemetry-go-contrib: DoS vulnerability in otelgrpc due to unbound cardinality metrics (CVE-2023-47108)
golang-fips/openssl: Memory leaks in code encrypting and decrypting RSA payloads (CVE-2024-1394)
golang: crypto/x509: Verify panics on certificates with an unknown public key algorithm (CVE-2024-24783)
golang: html/template: errors returned from MarshalJSON methods may break template escaping (CVE-2024-24785)
golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON (CVE-2024-24786)
jose: resource exhaustion (CVE-2024-28176)
jose-go: improper handling of highly compressed data (CVE-2024-28180)
submariner-operator: RBAC permissions can allow for the spread of node compromises (CVE-2024-5042)
nodejs-ws: denial of service when handling a request with many HTTP headers (CVE-2024-37890)
node-tar: denial of service while parsing a tar file due to lack of folders depth validation (CVE-2024-28863)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
These updated packages include numerous enhancements and bug fixes. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat OpenShift Data Foundation Release Notes for information on the most significant of these changes:
https://docs.redhat.com/en/documentation/red_hat_openshift_data_foundation/4.16/html/4.16_release_notes/index
All Red Hat OpenShift Data Foundation users are advised to upgrade to these packages that provide these bug fixes and enhancements.
Solution:
https://access.redhat.com/articles/11258
CVEs:
CVE-2023-43646
References:
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/security/cve/CVE-2023-43646
https://access.redhat.com/security/cve/CVE-2023-47108
https://access.redhat.com/security/cve/CVE-2024-1394
https://access.redhat.com/security/cve/CVE-2024-5042
https://access.redhat.com/security/cve/CVE-2024-24783
https://access.redhat.com/security/cve/CVE-2024-24785
https://access.redhat.com/security/cve/CVE-2024-24786
https://access.redhat.com/security/cve/CVE-2024-28176
https://access.redhat.com/security/cve/CVE-2024-28863
https://access.redhat.com/security/cve/CVE-2024-28180
https://access.redhat.com/security/cve/CVE-2024-37890
Related news
Ubuntu Security Notice 7109-1 - Philippe Antoine discovered that Go incorrectly handled crafted HTTP/2 streams. An attacker could possibly use this issue to cause a denial of service. Marten Seemann discovered that Go did not properly manage memory under certain circumstances. An attacker could possibly use this issue to cause a panic resulting in a denial of service. Ameya Darshan and Jakob Ackermann discovered that Go did not properly validate the amount of memory and disk files ReadForm can consume. An attacker could possibly use this issue to cause a panic resulting in a denial of service.
Red Hat Security Advisory 2024-9485-03 - Control plane Operators for RHOSO 18.0.3. Issues addressed include a memory exhaustion vulnerability.
Red Hat Security Advisory 2024-8906-03 - A new release is now available for Red Hat Satellite 6.16 for RHEL 8 and 9. Issues addressed include bypass, denial of service, memory leak, remote SQL injection, and traversal vulnerabilities.
Red Hat Security Advisory 2024-8425-03 - Red Hat OpenShift Container Platform release 4.15.37 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include denial of service and traversal vulnerabilities.
Red Hat Security Advisory 2024-8229-03 - Red Hat OpenShift Container Platform release 4.17.2 is now available with updates to packages and images that fix several bugs and add enhancements.
Ubuntu Security Notice 7061-1 - Hunter Wittenborn discovered that Go incorrectly handled the sanitization of environment variables. An attacker could possibly use this issue to run arbitrary commands. Sohom Datta discovered that Go did not properly validate backticks as Javascript string delimiters, and did not escape them as expected. An attacker could possibly use this issue to inject arbitrary Javascript code into the Go template.
Red Hat Security Advisory 2024-7164-03 - The Migration Toolkit for Containers 1.8.4 is now available. Issues addressed include denial of service and password leak vulnerabilities.
Red Hat Security Advisory 2024-6755-03 - Updated images that fix several bugs are now available for Red Hat OpenShift Data Foundation 4.16.2 on Red Hat Enterprise Linux 9 from Red Hat Container Registry.
Red Hat Security Advisory 2024-6189-03 - An update for buildah is now available for Red Hat Enterprise Linux 9.
Red Hat Security Advisory 2024-6187-03 - An update for gvisor-tap-vsock is now available for Red Hat Enterprise Linux 9.
Red Hat Security Advisory 2024-5814-03 - An update for the nodejs:20 module is now available for Red Hat Enterprise Linux 8. Issues addressed include bypass and denial of service vulnerabilities.
Red Hat Security Advisory 2024-5547-03 - Updated images that fix several bugs are now available for Red Hat OpenShift Data Foundation 4.16.1 on Red Hat Enterprise Linux 9 from Red Hat Container Registry. Issues addressed include a denial of service vulnerability.
Gentoo Linux Security Advisory 202408-7 - Multiple vulnerabilities have been discovered in Go, the worst of which could lead to information leakage or a denial of service. Versions greater than or equal to 1.22.3 are affected.
Red Hat Security Advisory 2024-4762-03 - An update for runc is now available for Red Hat Enterprise Linux 9. Issues addressed include a memory leak vulnerability.
Red Hat Security Advisory 2024-4672-03 - An update for containernetworking-plugins is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions. Issues addressed include a memory leak vulnerability.
Red Hat Security Advisory 2024-4502-03 - An update for skopeo is now available for Red Hat Enterprise Linux 9. Issues addressed include a memory leak vulnerability.
Red Hat Security Advisory 2024-4520-03 - The Migration Toolkit for Containers 1.7.16 is now available. Issues addressed include a memory exhaustion vulnerability.
Red Hat Security Advisory 2024-4520-03 - The Migration Toolkit for Containers 1.7.16 is now available. Issues addressed include a memory exhaustion vulnerability.
Red Hat Security Advisory 2024-4455-03 - Red Hat OpenShift Virtualization release 4.16.0 is now available with updates to packages and images that fix several bugs and add enhancements.
Ubuntu Security Notice 6886-1 - It was discovered that the Go net/http module did not properly handle the requests when request\'s headers exceed MaxHeaderBytes. An attacker could possibly use this issue to cause a panic resulting into a denial of service. This issue only affected Go 1.21 in Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. It was discovered that the Go net/http module did not properly validate the subdomain match or exact match of the initial domain. An attacker could possibly use this issue to read sensitive information. This issue only affected Go 1.21 in Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
Gentoo Linux Security Advisory 202407-12 - Multiple vulnerabilities have been discovered in Podman, the worst of which could lead to privilege escalation. Versions greater than or equal to 4.9.4 are affected.
Red Hat Security Advisory 2024-4246-03 - An update for container-tools is now available for Red Hat Enterprise Linux 8.
Red Hat Security Advisory 2024-3637-03 - Secondary Scheduler Operator for Red Hat OpenShift 1.3.0 for RHEL 9. Issues addressed include denial of service and memory exhaustion vulnerabilities.
Red Hat Security Advisory 2024-3637-03 - Secondary Scheduler Operator for Red Hat OpenShift 1.3.0 for RHEL 9. Issues addressed include denial of service and memory exhaustion vulnerabilities.
Red Hat Security Advisory 2024-0045-03 - Red Hat OpenShift Container Platform release 4.16.0 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include denial of service, memory exhaustion, and resource exhaustion vulnerabilities.
Red Hat Security Advisory 2024-0045-03 - Red Hat OpenShift Container Platform release 4.16.0 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include denial of service, memory exhaustion, and resource exhaustion vulnerabilities.
Red Hat Security Advisory 2024-0045-03 - Red Hat OpenShift Container Platform release 4.16.0 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include denial of service, memory exhaustion, and resource exhaustion vulnerabilities.
Red Hat Security Advisory 2024-0041-03 - Red Hat OpenShift Container Platform release 4.16.0 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include denial of service, memory exhaustion, password leak, and resource exhaustion vulnerabilities.
Red Hat Security Advisory 2024-0041-03 - Red Hat OpenShift Container Platform release 4.16.0 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include denial of service, memory exhaustion, password leak, and resource exhaustion vulnerabilities.
Red Hat Security Advisory 2024-0041-03 - Red Hat OpenShift Container Platform release 4.16.0 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include denial of service, memory exhaustion, password leak, and resource exhaustion vulnerabilities.
Red Hat Security Advisory 2024-0041-03 - Red Hat OpenShift Container Platform release 4.16.0 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include denial of service, memory exhaustion, password leak, and resource exhaustion vulnerabilities.
Red Hat Security Advisory 2024-4146-03 - An update for golang is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include denial of service and memory leak vulnerabilities.
Red Hat Security Advisory 2024-4144-03 - VolSync v0.9.2 general availability release images provide the following: enhancements, security fixes, and updated container images.
Red Hat Security Advisory 2024-4034-03 - OpenShift container images for the Red Hat Service Interconnect 1.5 release. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-4028-03 - Red Hat OpenShift Serverless version 1.33.0 is now available.
Red Hat Security Advisory 2024-4028-03 - Red Hat OpenShift Serverless version 1.33.0 is now available.
Red Hat Security Advisory 2024-4023-03 - Red Hat openshift-serverless-clients kn 1.33.0 is now available. Issues addressed include denial of service and memory exhaustion vulnerabilities.
Red Hat Security Advisory 2024-3968-03 - An update for the container-tools:rhel8 module is now available for Red Hat Enterprise Linux 8. Issues addressed include a resource exhaustion vulnerability.
### Impact A request with a number of headers exceeding the[`server.maxHeadersCount`][] threshold could be used to crash a ws server. ### Proof of concept ```js const http = require('http'); const WebSocket = require('ws'); const wss = new WebSocket.Server({ port: 0 }, function () { const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split(''); const headers = {}; let count = 0; for (let i = 0; i < chars.length; i++) { if (count === 2000) break; for (let j = 0; j < chars.length; j++) { const key = chars[i] + chars[j]; headers[key] = 'x'; if (++count === 2000) break; } } headers.Connection = 'Upgrade'; headers.Upgrade = 'websocket'; headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ=='; headers['Sec-WebSocket-Version'] = '13'; const request = http.request({ headers: headers, host: '127.0.0.1', port: wss.address().port }); request.end(); }); ``` ### Patches The vulnerability was fixed in ws@...
Red Hat Security Advisory 2024-3868-03 - Network Observability 1.6 for Red Hat OpenShift. Issues addressed include code execution, denial of service, memory exhaustion, and password leak vulnerabilities.
Red Hat Security Advisory 2024-3868-03 - Network Observability 1.6 for Red Hat OpenShift. Issues addressed include code execution, denial of service, memory exhaustion, and password leak vulnerabilities.
Red Hat Security Advisory 2024-3827-03 - An update for buildah is now available for Red Hat Enterprise Linux 9. Issues addressed include memory exhaustion and resource exhaustion vulnerabilities.
Red Hat Security Advisory 2024-3790-03 - OpenShift API for Data Protection 1.3.2 is now available. Issues addressed include a memory exhaustion vulnerability.
Red Hat Security Advisory 2024-3790-03 - OpenShift API for Data Protection 1.3.2 is now available. Issues addressed include a memory exhaustion vulnerability.
Red Hat Security Advisory 2024-3683-03 - Red Hat OpenShift Service Mesh Containers for 2.5.2.
Red Hat Security Advisory 2024-3349-03 - Red Hat OpenShift Container Platform release 4.12.58 is now available with updates to packages and images that fix several bugs and add enhancements.
Red Hat Security Advisory 2024-2869-03 - Red Hat OpenShift Container Platform release 4.14.26 is now available with updates to packages and images that fix several bugs and add enhancements.
Red Hat Security Advisory 2024-3346-03 - An update for git-lfs is now available for Red Hat Enterprise Linux 8. Issues addressed include denial of service and memory exhaustion vulnerabilities.
A flaw was found in the Submariner project. Due to unnecessary role-based access control permissions, a privileged attacker can run a malicious container on a node that may allow them to steal service account tokens and further compromise other nodes and potentially the entire cluster.
Red Hat Security Advisory 2024-2669-03 - Red Hat OpenShift Container Platform release 4.15.12 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2024-2054-03 - Red Hat OpenShift Container Platform release 4.14.23 is now available with updates to packages and images that fix several bugs and add enhancements.
Red Hat Security Advisory 2024-2639-03 - The Migration Toolkit for Containers 1.7.15 is now available.
Red Hat Security Advisory 2024-2088-03 - An update is now available for the Red Hat build of Cryostat 2 on RHEL 8. Issues addressed include denial of service, memory exhaustion, and memory leak vulnerabilities.
Red Hat Security Advisory 2024-1897-03 - Red Hat OpenShift Container Platform release 4.14.22 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include denial of service and memory leak vulnerabilities.
Red Hat Security Advisory 2024-1859-03 - OpenShift API for Data Protection 1.3.1 is now available. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-1859-03 - OpenShift API for Data Protection 1.3.1 is now available. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-1812-03 - Custom Metrics Autoscaler Operator for Red Hat OpenShift including security updates. Issues addressed include denial of service and memory leak vulnerabilities.
Red Hat Security Advisory 2024-1812-03 - Custom Metrics Autoscaler Operator for Red Hat OpenShift including security updates. Issues addressed include denial of service and memory leak vulnerabilities.
Red Hat Security Advisory 2024-1795-03 - VolSync v0.9.1 general availability release images, which provide enhancements, security fixes, and updated container images.
Red Hat Security Advisory 2024-1640-03 - An update is now available for Red Hat Ansible Automation Platform 2.4. Issues addressed include HTTP request smuggling, denial of service, local file inclusion, memory leak, and traversal vulnerabilities.
Red Hat Security Advisory 2024-1563-03 - Red Hat OpenShift Container Platform release 4.15.6 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a memory leak vulnerability.
Red Hat Security Advisory 2024-1563-03 - Red Hat OpenShift Container Platform release 4.15.6 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a memory leak vulnerability.
Red Hat Security Advisory 2024-1561-03 - Red Hat build of MicroShift release 4.15.6 is now available with updates to packages and images that fix several bugs.
Red Hat Security Advisory 2024-1559-03 - Red Hat OpenShift Container Platform release 4.15.6 is now available with updates to packages and images that fix several bugs and add enhancements.
Red Hat Security Advisory 2024-1538-03 - An update for cnf-tests-container, dpdk-base-container, performance-addon-operator-must-gather NUMA-aware secondary scheduler, numaresources-operator is now available for Red Hat OpenShift Container Platform 4.12.
Red Hat Security Advisory 2024-1461-03 - Red Hat OpenShift Container Platform release 4.14.18 is now available with updates to packages and images that fix several bugs and add enhancements.
Red Hat Security Advisory 2024-1458-03 - Red Hat OpenShift Container Platform release 4.14.18 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-1456-03 - Red Hat OpenShift Container Platform release 4.13.38 is now available with updates to packages and images that fix several bugs and add enhancements.
Red Hat Security Advisory 2024-1456-03 - Red Hat OpenShift Container Platform release 4.13.38 is now available with updates to packages and images that fix several bugs and add enhancements.
Red Hat Security Advisory 2024-1502-03 - An update for grafana-pcp is now available for Red Hat Enterprise Linux 9. Issues addressed include a memory leak vulnerability.
Red Hat Security Advisory 2024-1472-03 - An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8. Issues addressed include a memory leak vulnerability.
## Description:
During some analysis today on npm's `node-tar` package I came across the folder creation process. Basically, if you provide node-tar with a path like this `./a/b/c/foo.txt` it would create every folder and sub-folder here (a, b and c) until it reaches the last folder to create `foo.txt`. In this case I noticed that there's no validation at all on the amount of folders being created; that said, we're actually able to consume CPU and memory on the system running node-tar and even crash the nodejs client within a few seconds of running it using a path with too many sub-folders inside.
## Steps To Reproduce:
You can reproduce this issue by downloading the tar file I provided in the resources and using node-tar to extract it; you should get the same behavior as the video.
## Proof Of Concept:
Here's a [video](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/3i7uojw8s52psar6pg8zkdo4h9io?response-content-disposition=attachment%3B%20filename%3D%22tar-dos-poc....
Red Hat Security Advisory 2024-1462-03 - An update for golang is now available for Red Hat Enterprise Linux 9. Issues addressed include a memory leak vulnerability.
Using crafted public RSA keys which are not compliant with SP 800-56B can cause a small memory leak when encrypting and verifying payloads. An attacker can leverage this flaw to gradually erode available memory to the point where the host crashes for lack of resources. Upon restart the attacker would have to begin again, but nevertheless there is the potential to deny service.
Red Hat Security Advisory 2024-1328-03 - Red Hat Advanced Cluster Management for Kubernetes 2.9.3 General Availability release images, which fix bugs and update container images. Issues addressed include denial of service and traversal vulnerabilities.
A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the [support for decompressing plaintext after its decryption](https://www.rfc-editor.org/rfc/rfc7516.html#section-4.1.3). This allows an adversary to exploit specific scenarios where the compression ratio becomes exceptionally high. As a result, the length of the JWE token, which is determined by the compressed content's size, can land below application-defined limits. In such cases, other existing application level mechanisms for preventing resource exhaustion may be rendered ineffective. Note that as per [RFC 8725](https://www.rfc-editor.org/rfc/rfc8725.html#name-avoid-compression-of-encryp) compression of data SHOULD NOT be done before encryption, because such compressed data often reveals information about the plaintext. For this reason the v5.x major version of `jose` removed support for compressed payloads entirely and is therefore NOT affected by this advisory. ...
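The failure mode described above is that the token length reflects the compressed size, so a length limit on the token says nothing about how much memory decompression will allocate. The defensive counterpart is to enforce the limit on the inflated output while inflating, not after. The following is an added example, not code from `jose` or from any Red Hat package: it uses Python's `zlib` with raw DEFLATE (the `"zip":"DEF"` encoding RFC 7516 specifies), a constructed highly compressible plaintext, and a hypothetical `inflate_bounded` helper that aborts as soon as the cap is crossed.

```python
import zlib

# Constructed sample: the plaintext a JWE with "zip":"DEF" would carry after
# decryption. A long run of one byte compresses extremely well, so the token
# stays tiny while the inflated data is several megabytes.
SAMPLE_PLAINTEXT = b"A" * 5_000_000


def deflate_raw(data: bytes) -> bytes:
    """Raw DEFLATE with no zlib header, as RFC 7516 section 4.1.3 uses for zip=DEF."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


class InflateLimitExceeded(ValueError):
    """Raised when inflating would produce more than the caller's cap."""


def inflate_bounded(data: bytes, max_out: int, chunk: int = 64 * 1024) -> bytes:
    """Inflate raw DEFLATE data, aborting as soon as output would exceed max_out.

    The cap is checked on the inflated size while decompressing in chunks, so a
    small, highly compressible input cannot force allocation of an arbitrarily
    large buffer. Inflating everything first and measuring afterwards would
    defeat the purpose, because the allocation has already happened by then.
    """
    d = zlib.decompressobj(wbits=-15)
    out = bytearray()
    pending = data
    while not d.eof:
        piece = d.decompress(pending, chunk)   # emit at most `chunk` bytes per call
        out += piece
        if len(out) > max_out:
            raise InflateLimitExceeded(
                f"inflated size exceeds {max_out} bytes (input was {len(data)} bytes)")
        pending = d.unconsumed_tail            # input zlib has not processed yet
        if not piece and not pending:
            # input exhausted, nothing produced, stream end never seen
            raise ValueError("truncated DEFLATE stream")
    return bytes(out)


def inflate_report(data: bytes, max_out: int) -> dict:
    """Wrapper returning sizes and whether the payload was accepted under the cap."""
    try:
        plain = inflate_bounded(data, max_out)
        return {"accepted": True, "compressed": len(data), "inflated": len(plain)}
    except InflateLimitExceeded:
        return {"accepted": False, "compressed": len(data), "inflated": None}


if __name__ == "__main__":
    token_payload = deflate_raw(SAMPLE_PLAINTEXT)
    print("compressed bytes:", len(token_payload))
    print("cap 1 MiB ->", inflate_report(token_payload, 1 << 20))
    print("cap 8 MiB ->", inflate_report(token_payload, 8 << 20))
```

The cap is a per-application number (what a decrypted payload may legitimately be), and it belongs on the inflated size rather than the ciphertext length; the same chunked approach applies to any decompression step that runs on attacker-influenced input.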
Red Hat Security Advisory 2024-0741-03 - Red Hat OpenShift Container Platform release 4.13.33 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include denial of service and traversal vulnerabilities.
Red Hat Security Advisory 2024-0489-03 - Red Hat OpenShift Container Platform release 4.12.48 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-0288-03 - Red Hat OpenShift Container Platform release 4.13.30 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-0204-03 - Red Hat OpenShift Container Platform release 4.14.9 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.
### Summary
The grpc Unary Server Interceptor [opentelemetry-go-contrib/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/9d4eb7e7706038b07d33f83f76afbe13f53d171d/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go#L327)
```
// UnaryServerInterceptor returns a grpc.UnaryServerInterceptor suitable
// for use in a grpc.NewServer call.
func UnaryServerInterceptor(opts ...Option) grpc.UnaryServerInterceptor {
```
out of the box adds labels
- `net.peer.sock.addr`
- `net.peer.sock.port`
that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent.
### Details
An attacker can easily flood the peer address and port for requests.
### PoC
Apply the attached patch to the example and run the client multiple times. Observe how each request will create a unique histogram and how the memory consumption increases during it.
### Impact
In o...
OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. An attacker can easily flood the peer address and port for requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by passing `otelgrpc.WithMeterProvider` option with `noop.NewMeterProvider`.
The current regex implementation for parsing values in the module is susceptible to excessive backtracking, leading to potential DoS attacks. The regex implementation in question is as follows:
```js
const functionNameMatch = /\s*function(?:\s|\s*\/\*[^(?:*/)]+\*\/\s*)*([^\s(/]+)/;
```
This vulnerability can be exploited when there is an imbalance in parentheses, which results in excessive backtracking and subsequently increases the CPU load and processing time significantly. This vulnerability can be triggered using the following input:
```js
'\t'.repeat(54773) + '\t/function/i'
```
Here is a simple PoC code to demonstrate the issue (the comment delimiters inside the regex literal are escaped as `\/\*` and `\*\/` so the literal parses):
```js
const protocolre = /\sfunction(?:\s|\s\/\*[^(?:*\/)]+\*\/\s*)*([^\(\/]+)/;
const startTime = Date.now();
const maliciousInput = '\t'.repeat(54773) + '\t/function/i';
protocolre.test(maliciousInput);
const endTime = Date.now();
console.log("process time: ", endTime - startTime, "ms");
```
get-func-name is a module to retrieve a function's name securely and consistently both in NodeJS and the browser. Versions prior to 2.0.1 are subject to a regular expression denial of service (redos) vulnerability which may lead to a denial of service when parsing malicious input. This vulnerability can be exploited when there is an imbalance in parentheses, which results in excessive backtracking and subsequently increases the CPU load and processing time significantly. This vulnerability can be triggered using the following input: '\t'.repeat(54773) + '\t/function/i'. This issue has been addressed in commit `f934b228b` which has been included in releases from 2.0.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.