Red Hat Security Advisory 2024-7590-03

Red Hat Security Advisory 2024-7590-03 - Red Hat OpenShift Container Platform release 4.12.67 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include code execution, open redirection, and out of bounds write vulnerabilities.

Packet Storm

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_7590.json

Red Hat officially shut down their mailing list notifications October 10, 2023. Due to this, Packet Storm has recreated the below data as a reference point to raise awareness. It must be noted that due to an inability to easily track revision updates without crawling Red Hat’s archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

  • Packet Storm Staff

====================================================================
Red Hat Security Advisory

Synopsis: Important: OpenShift Container Platform 4.12.67 bug fix and security update
Advisory ID: RHSA-2024:7590-03
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2024:7590
Issue date: 2024-10-09
Revision: 03
CVE Names: CVE-2024-2961
====================================================================

Summary:

Red Hat OpenShift Container Platform release 4.12.67 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.12.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat’s cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.12.67. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHBA-2024:7592

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html

Security Fix(es):

  • glibc: Out of bounds write in iconv may lead to remote code execution
    (CVE-2024-2961)
  • webob: WebOb’s location header normalization during redirect leads to
    open redirect (CVE-2024-42353)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.12 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.12/updating/updating-cluster-cli.html

Solution:

CVEs:

CVE-2024-2961

References:

https://access.redhat.com/security/updates/classification/#important
https://bugzilla.redhat.com/show_bug.cgi?id=2273404
https://issues.redhat.com/browse/OCPBUGS-38610
https://issues.redhat.com/browse/OCPBUGS-41585
https://issues.redhat.com/browse/OCPBUGS-41600
https://issues.redhat.com/browse/OCPBUGS-41854
https://issues.redhat.com/browse/OCPBUGS-41881
https://issues.redhat.com/browse/OCPBUGS-42161
https://issues.redhat.com/browse/OCPBUGS-42166

Related news

Red Hat Security Advisory 2024-9989-03

Red Hat Security Advisory 2024-9989-03 - An update for python-webob is now available for Red Hat OpenStack Platform 17.1.

Red Hat Security Advisory 2024-9983-03

Red Hat Security Advisory 2024-9983-03 - An update for python-webob is now available for Red Hat OpenStack Platform 17.1.

Red Hat Security Advisory 2024-8235-03

Red Hat Security Advisory 2024-8235-03 - Red Hat OpenShift Container Platform release 4.14.39 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include code execution, denial of service, and out of bounds write vulnerabilities.

Red Hat Security Advisory 2024-7941-03

Red Hat Security Advisory 2024-7941-03 - Red Hat OpenShift Container Platform release 4.13.52 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include an open redirection vulnerability.

Red Hat Security Advisory 2024-7594-03

Red Hat Security Advisory 2024-7594-03 - Red Hat OpenShift Container Platform release 4.15.36 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include code execution and out of bounds write vulnerabilities.

Red Hat Security Advisory 2024-7599-03

Red Hat Security Advisory 2024-7599-03 - Red Hat OpenShift Container Platform release 4.16.16 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include code execution, denial of service, integer overflow, and out of bounds write vulnerabilities.

Alert: Adobe Commerce and Magento Stores Under Attack from CosmicSting Exploit

Cybersecurity researchers have disclosed that 5% of all Adobe Commerce and Magento stores have been hacked by malicious actors by exploiting a security vulnerability dubbed CosmicSting. Tracked as CVE-2024-34102 (CVSS score: 9.8), the critical flaw relates to an improper restriction of XML external entity reference (XXE) vulnerability that could result in remote code execution. The shortcoming,

Red Hat Security Advisory 2024-6827-03

Red Hat Security Advisory 2024-6827-03 - Red Hat OpenShift Container Platform release 4.16.14 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include an open redirection vulnerability.

Ubuntu Security Notice USN-6984-1

Ubuntu Security Notice 6984-1 - It was discovered that WebOb incorrectly handled certain URLs. An attacker could possibly use this issue to control a redirect or forward to another URL.

GHSA-mg3v-6m49-jhp3: WebOb's location header normalization during redirect leads to open redirect

### Impact

When WebOb normalizes the HTTP Location header to include the request hostname, it does so by parsing the URL that the user is to be redirected to with Python's urlparse, and joining it to the base URL. `urlparse` however treats a `//` at the start of a string as a URI without a scheme, and then treats the next part as the hostname. `urljoin` will then use that hostname from the second part as the hostname replacing the original one from the request.

```
>>> parse.urlparse("//example.com/test/path")
ParseResult(scheme='', netloc='example.com', path='/test/path', params='', query='', fragment='')
```

WebOb uses `urljoin` to take the request URI and join the redirect location, so assuming the request URI is `https://example.org//example.com/some/path`, and the URL to redirect to (for example by adding a slash automatically) is `//example.com/some/path/`, that gets turned by `urljoin` into:

```
>>> parse.urljoin("https://example.org//attacker.com/some/path", "//attacker....
```
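The urljoin behaviour the GHSA text describes, reproduced as an added example (not WebOb's code), alongside a detection check and a hardened normalization that is a constructed illustration rather than WebOb's upstream fix. The request and Location values are constructed from the advisory's description.

```python
from urllib.parse import urljoin, urlsplit, urlunsplit

# Constructed sample values taken from the advisory's description of the bug:
# the request path itself starts with "//", and the app redirects to add a slash.
REQUEST_URL = "https://example.org//example.com/some/path"
REDIRECT_LOCATION = "//example.com/some/path/"


def vulnerable_normalize(request_url: str, location: str) -> str:
    """Normalization as the advisory describes it: urljoin the Location onto the
    request URL. urljoin treats a leading '//' as a network-path reference, so
    the 'host' it finds in the Location replaces the request's host."""
    return urljoin(request_url, location)


def host_changed(request_url: str, absolute_location: str) -> bool:
    """Detection check for responses or access logs: does the final Location
    leave the request's scheme and host? True means an off-origin redirect."""
    base, target = urlsplit(request_url), urlsplit(absolute_location)
    return (base.scheme, base.netloc.lower()) != (target.scheme, target.netloc.lower())


def safe_normalize(request_url: str, location: str) -> str:
    """Hardened variant (constructed for this example, not WebOb's upstream fix):
    a Location starting with '/' is always a path on the request's own origin,
    and an absolute Location must already be on that origin."""
    base = urlsplit(request_url)
    if location.startswith("/"):
        # Parse behind a dummy origin so '//host/...' cannot become an authority.
        parts = urlsplit("x://dummy" + location)
        return urlunsplit((base.scheme, base.netloc, parts.path, parts.query, parts.fragment))
    result = urljoin(request_url, location)
    if host_changed(request_url, result):
        raise ValueError(f"redirect to {location!r} would leave {base.netloc}")
    return result


if __name__ == "__main__":
    print("vulnerable:", vulnerable_normalize(REQUEST_URL, REDIRECT_LOCATION))
    print("hardened:  ", safe_normalize(REQUEST_URL, REDIRECT_LOCATION))
```

A production validator should additionally reject backslashes and control characters in the Location, since browsers treat `\` as a path separator for http(s) URLs.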

Red Hat Security Advisory 2024-4126-03

Red Hat Security Advisory 2024-4126-03 - This is release 1.4 of the container images for Red Hat Service Interconnect. Red Hat Service Interconnect 1.4 introduces a service network, linking TCP and HTTP services across the hybrid cloud. A service network enables communication between services running in different network locations or sites. It allows geographically distributed services to connect as if they were all running in the same site.

Over 110,000 Websites Affected by Hijacked Polyfill Supply Chain Attack

Google has taken steps to block ads for e-commerce sites that use the Polyfill.io service after a Chinese company acquired the domain and modified the JavaScript library ("polyfill.js") to redirect users to malicious and scam sites. More than 110,000 sites that embed the library are impacted by the supply chain attack, Sansec said in a Tuesday report. Polyfill is a popular library that

Red Hat Security Advisory 2024-3464-03

Red Hat Security Advisory 2024-3464-03 - An update for glibc is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support. Issues addressed include buffer overflow, code execution, null pointer, and out of bounds write vulnerabilities.

Red Hat Security Advisory 2024-3423-03

Red Hat Security Advisory 2024-3423-03 - An update for glibc is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Issues addressed include buffer overflow, null pointer, and out of bounds write vulnerabilities.

Red Hat Security Advisory 2024-3339-03

Red Hat Security Advisory 2024-3339-03 - An update for glibc is now available for Red Hat Enterprise Linux 9. Issues addressed include buffer overflow, null pointer, and out of bounds write vulnerabilities.

Red Hat Security Advisory 2024-2799-03

Red Hat Security Advisory 2024-2799-03 - An update for glibc is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include buffer overflow, code execution, null pointer, and out of bounds write vulnerabilities.

Ubuntu Security Notice USN-6737-2

Ubuntu Security Notice 6737-2 - USN-6737-1 fixed a vulnerability in the GNU C Library. This update provides the corresponding update for Ubuntu 24.04 LTS. Charles Fol discovered that the GNU C Library iconv feature incorrectly handled certain input sequences. An attacker could use this issue to cause the GNU C Library to crash, resulting in a denial of service, or possibly execute arbitrary code.

Ubuntu Security Notice USN-6737-1

Ubuntu Security Notice 6737-1 - Charles Fol discovered that the GNU C Library iconv feature incorrectly handled certain input sequences. An attacker could use this issue to cause the GNU C Library to crash, resulting in a denial of service, or possibly execute arbitrary code.
