Headline
Red Hat Security Advisory 2023-6233-01
Red Hat Security Advisory 2023-6233-01 - Red Hat OpenShift Container Platform low-latency extras release 4.12, which provides an update for cnf-tests-container, performance-addon-operator-must-gather-rhel8-container, NUMA-aware secondary scheduler and numaresources-operator, is now available. Issues addressed include a denial of service vulnerability.
The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6233.jsonRed Hat officially shut down their mailing list notifications October 10, 2023. Due to this, Packet Storm has recreated the below data as a reference point to raise awareness. It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis: Important: Red Hat OpenShift Enterprise security updateAdvisory ID: RHSA-2023:6233-01Product: Red Hat OpenShift EnterpriseAdvisory URL: https://access.redhat.com/errata/RHSA-2023:6233Issue date: 2023-11-01Revision: 01CVE Names: CVE-2023-39325====================================================================Summary: Red Hat OpenShift Container Platform low-latency extras release 4.12, which provides an update for cnf-tests-container, performance-addon-operator-must-gather-rhel8-container, NUMA-aware secondary scheduler and numaresources-operator, is now available.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.This advisory contains the extra low-latency container images for Red Hat OpenShift Container Platform 4.12. See the following advisory for the container images for this release:https://access.redhat.com/errata/RHSA-2023:6126Security Fix(es):* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.All OpenShift Container Platform users are advised to upgrade to these updated packages and images.Solution:https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.htmlCVEs:CVE-2023-39325References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003
Related news
Red Hat Security Advisory 2024-3352-03 - An update for etcd is now available for Red Hat OpenStack Platform 16.2. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-0269-03 - An update for run-once-duration-override-container, run-once-duration-override-operator-bundle-container, and run-once-duration-override-operator-container is now available for RODOO-1.1-RHEL-9. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-0777-03 - An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.14. Issues addressed include bypass, code execution, cross site request forgery, cross site scripting, denial of service, information leakage, and open redirection vulnerabilities.
Red Hat Security Advisory 2024-0273-03 - Red Hat OpenShift Virtualization release 4.12.9 is now available with updates to packages and images that fix several bugs and add enhancements.
Red Hat Security Advisory 2023-7607-03 - Red Hat OpenShift Container Platform release 4.12.45 is now available with updates to packages and images that fix several bugs.
Red Hat Security Advisory 2023-7521-01 - Red Hat OpenShift Virtualization release 4.13.6 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-6841-01 - An update is now available for Red Hat OpenShift Container Platform 4.12.
Red Hat Security Advisory 2023-6251-01 - Red Hat OpenShift Virtualization release 4.11.7 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-6126-01 - Red Hat OpenShift Container Platform release 4.12.41 is now available with updates to packages and images that fix several bugs and add enhancements.
Red Hat Security Advisory 2023-6161-01 - The Migration Toolkit for Containers 1.7.14 is now available. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-6156-01 - The components for Red Hat OpenShift support for Windows Containers 8.1.0 are now available. This product release includes bug fixes and security updates for the following packages: windows-machine-config-operator and windows-machine-config-operator-bundle. Issues addressed include a bypass vulnerability.
Red Hat Security Advisory 2023-6144-01 - An update for custom-metrics-autoscaler-adapter-container, custom-metrics-autoscaler-admission-webhooks-container, custom-metrics-autoscaler-container, custom-metrics-autoscaler-operator-bundle-container, and custom-metrics-autoscaler-operator-container is now available for the Custom Metric Autoscaler operator for Red Hat OpenShift. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-6079-01 - Red Hat Integration Camel for Spring Boot 3.20.3 release and security update is now available. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-6059-01 - Red Hat OpenShift Pipelines Client tkn for 1.12.1 has been released. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-6048-01 - Updated images are now available for Red Hat Advanced Cluster Security. The updated image includes new features and bug fixes. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5973-01 - Red Hat AMQ Streams 2.5.1 is now available from the Red Hat Customer Portal. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5970-01 - An update for collectd-libpod-stats is now available for Red Hat OpenStack Platform 17.1.1. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5964-01 - An update for collectd-libpod-stats is now available for Red Hat OpenStack Platform 16.2.5. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5946-01 - Red Hat AMQ Broker 7.11.3 is now available from the Red Hat Customer Portal. Issues addressed include denial of service and open redirection vulnerabilities.
Red Hat Security Advisory 2023-5867-01 - An update for grafana is now available for Red Hat Enterprise Linux 9. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5864-01 - An update for grafana is now available for Red Hat Enterprise Linux 9. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5809-01 - Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.
Red Hat Security Advisory 2023-5784-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector, the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library. This release of Red Hat JBoss Web Server 5.7.5 serves as a replacement for Red Hat JBoss Web Server 5.7.4. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes, linked to in the References section. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5709-01 - .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET 7.0 to SDK 7.0.112 and Runtime 7.0.12. Issues addressed include a denial of service vulnerability.
Debian Linux Security Advisory 5522-2 - The patch to address CVE-2023-44487 (Rapid Reset Attack) was incomplete and caused a regression when using asynchronous I/O (the default for NIO and NIO2). DATA frames must be included when calculating the HTTP/2 overhead count to ensure that connections are not prematurely terminated.
Plus, many of the world’s largest cloud providers are warning of a vulnerability that attackers exploited in August to launch the largest distributed denial-of-service attack on record.
Amazon Web Services (AWS), Cloudflare, and Google on Tuesday said they took steps to mitigate record-breaking distributed denial-of-service (DDoS) attacks that relied on a novel technique called HTTP/2 Rapid Reset. The layer 7 attacks were detected in late August 2023, the companies said in a coordinated disclosure. The cumulative susceptibility to this attack is being tracked as CVE-2023-44487,
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.