Headline
Red Hat Security Advisory 2022-2280-01
Red Hat Security Advisory 2022-2280-01 - Red Hat OpenShift Container Platform is Red Hat’s cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 3.11.705. Issues addressed include cross site scripting and denial of service vulnerabilities.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Important: OpenShift Container Platform 3.11.705 security update
Advisory ID: RHSA-2022:2280-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2022:2280
Issue date: 2022-05-31
CVE Names: CVE-2022-21698 CVE-2022-29036 CVE-2022-29046
====================================================================
- Summary:
Red Hat OpenShift Container Platform release 3.11.705 is now available with
updates to packages and images that fix several bugs and add enhancements.
This release includes a security update for Red Hat OpenShift Container
Platform 3.11.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat OpenShift Container Platform 3.11 - noarch, ppc64le, x86_64
- Description:
Red Hat OpenShift Container Platform is Red Hat’s cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.
This advisory contains the RPM packages for Red Hat OpenShift Container
Platform 3.11.705. See the following advisory for the container images for
this release:
https://access.redhat.com/errata/RHSA-2022:2281
Security Fix(es):
- credentials: Stored XSS vulnerabilities in jenkins plugin
(CVE-2022-29036) - subversion: Stored XSS vulnerabilities in Jenkins subversion plugin
(CVE-2022-29046) - prometheus/client_golang: Denial of service using
InstrumentHandlerCounter (CVE-2022-21698)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s)listed in the References section.
All OpenShift Container Platform 3.11 users are advised to upgrade to these
updated packages and images when they are available in the appropriate
release channel. To check for available updates, use the OpenShift Console
or the CLI oc command. Instructions for upgrading a cluster are available
at
https://docs.openshift.com/container-platform/3.11/updating/updating-cluster-cli.html
- Solution:
Before applying this update, ensure all previously released errata relevant
to your system is applied.
For OpenShift Container Platform 3.11 see the following documentation,
which will be updated shortly for this release, for important instructions
on how to upgrade your cluster and fully apply this asynchronous errata
update:
https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html
Details on how to access this content are available at
https://docs.openshift.com/container-platform/3.11/upgrading/index.html
- Bugs fixed (https://bugzilla.redhat.com/):
2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter
2069201 - during node scaleup sdn-pod crashloopback could not start DNS, unable to read config file: open /etc/origin/node/resolv.conf: no such file or directory
2071682 - sdn pod is crashing with panic: runtime error: invalid memory address or nil pointer dereference
2074847 - CVE-2022-29036 credentials: Stored XSS vulnerabilities in jenkins plugin
2074851 - CVE-2022-29046 subversion: Stored XSS vulnerabilities in Jenkins subversion plugin
- Package List:
Red Hat OpenShift Container Platform 3.11:
Source:
atomic-enterprise-service-catalog-3.11.705-1.g2e6be86.el7.src.rpm
atomic-openshift-3.11.705-1.git.0.7a17a5d.el7.src.rpm
atomic-openshift-cluster-autoscaler-3.11.705-1.g99b2acf.el7.src.rpm
atomic-openshift-descheduler-3.11.705-1.gd435537.el7.src.rpm
atomic-openshift-dockerregistry-3.11.705-1.g0fa231c.el7.src.rpm
atomic-openshift-metrics-server-3.11.705-1.gf8bf728.el7.src.rpm
atomic-openshift-node-problem-detector-3.11.705-1.gc8f26da.el7.src.rpm
atomic-openshift-service-idler-3.11.705-1.g39cfc66.el7.src.rpm
atomic-openshift-web-console-3.11.705-1.ge59c860.el7.src.rpm
golang-github-openshift-oauth-proxy-3.11.705-1.gedebe84.el7.src.rpm
golang-github-prometheus-alertmanager-3.11.705-1.g13de638.el7.src.rpm
golang-github-prometheus-node_exporter-3.11.705-1.g609cd20.el7.src.rpm
golang-github-prometheus-prometheus-3.11.705-1.g99aae51.el7.src.rpm
jenkins-2-plugins-3.11.1650628887-1.el7.src.rpm
openshift-ansible-3.11.705-1.git.0.ad19a48.el7.src.rpm
openshift-enterprise-autoheal-3.11.705-1.gf2f435d.el7.src.rpm
openshift-enterprise-cluster-capacity-3.11.705-1.g22be164.el7.src.rpm
openshift-kuryr-3.11.705-1.g0c4bf66.el7.src.rpm
noarch:
atomic-openshift-docker-excluder-3.11.705-1.git.0.7a17a5d.el7.noarch.rpm
atomic-openshift-excluder-3.11.705-1.git.0.7a17a5d.el7.noarch.rpm
jenkins-2-plugins-3.11.1650628887-1.el7.noarch.rpm
openshift-ansible-3.11.705-1.git.0.ad19a48.el7.noarch.rpm
openshift-ansible-docs-3.11.705-1.git.0.ad19a48.el7.noarch.rpm
openshift-ansible-playbooks-3.11.705-1.git.0.ad19a48.el7.noarch.rpm
openshift-ansible-roles-3.11.705-1.git.0.ad19a48.el7.noarch.rpm
openshift-ansible-test-3.11.705-1.git.0.ad19a48.el7.noarch.rpm
openshift-kuryr-cni-3.11.705-1.g0c4bf66.el7.noarch.rpm
openshift-kuryr-common-3.11.705-1.g0c4bf66.el7.noarch.rpm
openshift-kuryr-controller-3.11.705-1.g0c4bf66.el7.noarch.rpm
python2-kuryr-kubernetes-3.11.705-1.g0c4bf66.el7.noarch.rpm
ppc64le:
atomic-enterprise-service-catalog-3.11.705-1.g2e6be86.el7.ppc64le.rpm
atomic-enterprise-service-catalog-svcat-3.11.705-1.g2e6be86.el7.ppc64le.rpm
atomic-openshift-3.11.705-1.git.0.7a17a5d.el7.ppc64le.rpm
atomic-openshift-clients-3.11.705-1.git.0.7a17a5d.el7.ppc64le.rpm
atomic-openshift-cluster-autoscaler-3.11.705-1.g99b2acf.el7.ppc64le.rpm
atomic-openshift-descheduler-3.11.705-1.gd435537.el7.ppc64le.rpm
atomic-openshift-hyperkube-3.11.705-1.git.0.7a17a5d.el7.ppc64le.rpm
atomic-openshift-hypershift-3.11.705-1.git.0.7a17a5d.el7.ppc64le.rpm
atomic-openshift-master-3.11.705-1.git.0.7a17a5d.el7.ppc64le.rpm
atomic-openshift-metrics-server-3.11.705-1.gf8bf728.el7.ppc64le.rpm
atomic-openshift-node-3.11.705-1.git.0.7a17a5d.el7.ppc64le.rpm
atomic-openshift-node-problem-detector-3.11.705-1.gc8f26da.el7.ppc64le.rpm
atomic-openshift-pod-3.11.705-1.git.0.7a17a5d.el7.ppc64le.rpm
atomic-openshift-sdn-ovs-3.11.705-1.git.0.7a17a5d.el7.ppc64le.rpm
atomic-openshift-service-idler-3.11.705-1.g39cfc66.el7.ppc64le.rpm
atomic-openshift-template-service-broker-3.11.705-1.git.0.7a17a5d.el7.ppc64le.rpm
atomic-openshift-tests-3.11.705-1.git.0.7a17a5d.el7.ppc64le.rpm
atomic-openshift-web-console-3.11.705-1.ge59c860.el7.ppc64le.rpm
golang-github-openshift-oauth-proxy-3.11.705-1.gedebe84.el7.ppc64le.rpm
openshift-enterprise-autoheal-3.11.705-1.gf2f435d.el7.ppc64le.rpm
openshift-enterprise-cluster-capacity-3.11.705-1.g22be164.el7.ppc64le.rpm
prometheus-3.11.705-1.g99aae51.el7.ppc64le.rpm
prometheus-alertmanager-3.11.705-1.g13de638.el7.ppc64le.rpm
prometheus-node-exporter-3.11.705-1.g609cd20.el7.ppc64le.rpm
x86_64:
atomic-enterprise-service-catalog-3.11.705-1.g2e6be86.el7.x86_64.rpm
atomic-enterprise-service-catalog-svcat-3.11.705-1.g2e6be86.el7.x86_64.rpm
atomic-openshift-3.11.705-1.git.0.7a17a5d.el7.x86_64.rpm
atomic-openshift-clients-3.11.705-1.git.0.7a17a5d.el7.x86_64.rpm
atomic-openshift-clients-redistributable-3.11.705-1.git.0.7a17a5d.el7.x86_64.rpm
atomic-openshift-cluster-autoscaler-3.11.705-1.g99b2acf.el7.x86_64.rpm
atomic-openshift-descheduler-3.11.705-1.gd435537.el7.x86_64.rpm
atomic-openshift-dockerregistry-3.11.705-1.g0fa231c.el7.x86_64.rpm
atomic-openshift-hyperkube-3.11.705-1.git.0.7a17a5d.el7.x86_64.rpm
atomic-openshift-hypershift-3.11.705-1.git.0.7a17a5d.el7.x86_64.rpm
atomic-openshift-master-3.11.705-1.git.0.7a17a5d.el7.x86_64.rpm
atomic-openshift-metrics-server-3.11.705-1.gf8bf728.el7.x86_64.rpm
atomic-openshift-node-3.11.705-1.git.0.7a17a5d.el7.x86_64.rpm
atomic-openshift-node-problem-detector-3.11.705-1.gc8f26da.el7.x86_64.rpm
atomic-openshift-pod-3.11.705-1.git.0.7a17a5d.el7.x86_64.rpm
atomic-openshift-sdn-ovs-3.11.705-1.git.0.7a17a5d.el7.x86_64.rpm
atomic-openshift-service-idler-3.11.705-1.g39cfc66.el7.x86_64.rpm
atomic-openshift-template-service-broker-3.11.705-1.git.0.7a17a5d.el7.x86_64.rpm
atomic-openshift-tests-3.11.705-1.git.0.7a17a5d.el7.x86_64.rpm
atomic-openshift-web-console-3.11.705-1.ge59c860.el7.x86_64.rpm
golang-github-openshift-oauth-proxy-3.11.705-1.gedebe84.el7.x86_64.rpm
openshift-enterprise-autoheal-3.11.705-1.gf2f435d.el7.x86_64.rpm
openshift-enterprise-cluster-capacity-3.11.705-1.g22be164.el7.x86_64.rpm
prometheus-3.11.705-1.g99aae51.el7.x86_64.rpm
prometheus-alertmanager-3.11.705-1.g13de638.el7.x86_64.rpm
prometheus-node-exporter-3.11.705-1.g609cd20.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2022-21698
https://access.redhat.com/security/cve/CVE-2022-29036
https://access.redhat.com/security/cve/CVE-2022-29046
https://access.redhat.com/security/updates/classification/#important
- Contact:
The Red Hat security contact is [email protected]. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYpXPDtzjgjWX9erEAQj3EQ//bAU6OGYpYozZ8bqNW0BwZ5HMgbG4bC5r
HoVHPe8YfWgxo3iiPj9XqwtCu2TWP6/Bb9709rHPrO9jIkUrMKA+leEvlMAee4ap
vLsMprMUFByklLMzrnbeiElF6MiKHgwITyUOfLhMQPOMeEQpRUADt1IyOJNQNqQy
s/k80tPRSJPmjneclZ9kbChcYVO4o/vwaMMCximSM6easRgszxjO/t1y30ohMJGq
VXPu9hpIOLS2JjXYev8tr/SM34QAWLv87iJh7ZiRcLRU6QwnEvnYphv3j4YiNLRK
qgUy3j5nrqVf//xzrdiUuHnfOGCj8fftSI5BMUYj4xlI21f5Gzd5JXDhY/0Mlvku
VDS2LdgznjjNnrhLmCdssRhDU75fL71Nx6Mqwmc9fH15FeDCKFb/OjnrAo4eSpIc
d6zPQrLFJJGvlF3Kio6hHe4YKFdlpuN+9OwGbxWTedLDrGBxjUoDB+l7c7e0m2tP
Ty98nAt0g0Bi7ZK3kOs/fKPP2+zkGT96VMO4MFP1QQsPoc+NqkYw4Egi405hB1aM
NppkJUfpLl/neyVoYXWP6nOnU9jJkDCaZyVczKUzxB20WG0KFKPHTaj9Libf44Iz
7cdRlQuSL4Qpdyl3Obh29IOXc78TfZUyfi7Qc9zJUBYyyJIydrR1yq9vhlMk/Wsp
ZTrOz2jFz8w=Ljeh
-----END PGP SIGNATURE-----
–
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce
Related news
Red Hat Security Advisory 2023-5314-01 - OpenShift API for Data Protection enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-1326-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.13.0. Issues addressed include bypass, denial of service, information leakage, out of bounds read, and remote SQL injection vulnerabilities.
Red Hat OpenShift Container Platform release 4.11.39 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.11. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-21698: A denial of service attack was found in prometheus/client_golang. This flaw allows an attacker to produce a denial of service attack on an HTTP server by exploiting the InstrumentHan...
Red Hat Security Advisory 2023-1158-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.31. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-0652-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.11.27. Issues addressed include denial of service and out of bounds read vulnerabilities.
Red Hat Security Advisory 2023-0542-01 - Red Hat OpenShift Service Mesh is the Red Hat distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. This advisory covers container images for the release. Issues addressed include denial of service and spoofing vulnerabilities.
Red Hat Security Advisory 2022-9096-01 - Red Hat OpenShift support for Windows Containers allows you to deploy Windows container workloads running on Windows Server containers. Issues addressed include bypass and denial of service vulnerabilities.
Red Hat OpenShift Container Platform release 4.12.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.12. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-38561: golang: out-of-bounds read in golang.org/x/text/language leads to DoS * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-2879: golang: arc...
An update for grafana is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-23648: sanitize-url: XSS due to improper sanitization in sanitizeUrl function * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-1962: golang: go/parser: stack exhaustion in all Parse* functions * CVE-2022-21673: grafana: Forward OAuth Identity Token can allow users to access some data sources * CVE-2022-216...
An update for grafana is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-23648: sanitize-url: XSS due to improper sanitization in sanitizeUrl function * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-1962: golang: go/parser: stack exhaustion in all Parse* functions * CVE-2022-21673: grafana: Forward OAuth Identity Token can allow users to access some data sources * CVE-2022-2169...
OpenShift API for Data Protection (OADP) 1.0.5 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-21698: prometheus/client_golang: Denial of service using InstrumentHandlerCounter
Red Hat OpenShift Container Platform release 4.11.5 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.11. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-38561: golang: out-of-bounds read in golang.org/x/text/language leads to DoS * CVE-2022-21698: prometheus/client_golang: Denial of service using InstrumentHandlerCounter
Red Hat Security Advisory 2022-6526-01 - OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. This advisory contains the following OpenShift Virtualization 4.11.0 images: RHEL-8-CNV-4.11. Issues addressed include denial of service, memory leak, and out of bounds read vulnerabilities.
Red Hat Security Advisory 2022-6430-01 - OpenShift API for Data Protection enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2022-6290-01 - OpenShift API for Data Protection enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. Issues addressed include a denial of service vulnerability.
Updated images that include numerous enhancements, security, and bug fixes are now available for Red Hat OpenShift Data Foundation 4.11.0 on Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-23440: nodejs-set-value: type confusion allows bypass of CVE-2019-10747 * CVE-2021-23566: nanoid: Information disclosure via valueOf() function * CVE-2022-0235: node-fetch: exposure of sensitive information to an unauthorized actor * CVE-2022-0536: follow-...
Red Hat Security Advisory 2022-6051-01 - An update is now available for RHOL-5.5-RHEL-8. Issues addressed include denial of service, man-in-the-middle, and out of bounds read vulnerabilities.
Red Hat Security Advisory 2022-6066-01 - The etcd packages provide a highly available key-value store for shared configuration. Issues addressed include a denial of service vulnerability.
An update for etcd is now available for Red Hat OpenStack Platform 16.2 (Train). Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-21698: prometheus/client_golang: Denial of service using InstrumentHandlerCounter * CVE-2022-30631: golang: compress/gzip: stack exhaustion in Reader.Read
Red Hat Security Advisory 2022-6040-01 - Version 1.24.0 of the OpenShift Serverless Operator is supported on Red Hat OpenShift Container Platform versions 4.6, 4.7, 4.8, 4.9, 4.10, and 4.11. This release includes security and bug fixes, and enhancements. Issues addressed include bypass and denial of service vulnerabilities.
Red Hat Security Advisory 2022-5068-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. Issues addressed include a denial of service vulnerability.
Red Hat OpenShift Container Platform release 4.11.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.11. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-23566: nanoid: Information disclosure via valueOf() function * CVE-2021-23648: sanitize-url: XSS * CVE-2021-41190: opencontainers: OCI manifest and index parsing confusion * CVE-2021-44906:...
Apple Security Advisory 2022-07-20-2 - macOS Monterey 12.5 addresses bypass, code execution, information leakage, null pointer, out of bounds read, out of bounds write, and spoofing vulnerabilities.
Red Hat Security Advisory 2022-4947-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.6.59. Issues addressed include cross site scripting and memory exhaustion vulnerabilities.
Red Hat Security Advisory 2022-5026-01 - This advisory contains the following OpenShift Virtualization 4.10.2 images: RHEL-8-CNV-4.10. Issues addressed include a denial of service vulnerability.
Red Hat OpenShift Container Platform release 4.6.59 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1708: cri-o: memory exhaustion on the node when access to the kube api * CVE-2022-29036: credentials: Stored XSS vulnerabilities in jenkins plugin * CVE-2022-29046: subversion: Stored XSS vu...
Red Hat OpenShift Virtualization release 4.10.2 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-21698: prometheus/client_golang: Denial of service using InstrumentHandlerCounter
Red Hat Security Advisory 2022-4909-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.7.52. Issues addressed include a cross site scripting vulnerability.
Red Hat OpenShift Container Platform release 4.7.52 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-29036: credentials: Stored XSS vulnerabilities in jenkins plugin * CVE-2022-29046: subversion: Stored XSS vulnerabilities in Jenkins subversion plugin * CVE-2022-29047: Pipeline Shared Groov...
Red Hat Security Advisory 2022-2281-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 3.11.705.
Red Hat Security Advisory 2022-2281-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 3.11.705.
Red Hat Security Advisory 2022-2281-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 3.11.705.
Red Hat OpenShift Container Platform release 3.11.705 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 3.11. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1677: openshift/router: route hijacking attack via crafted HAProxy configuration file
Red Hat OpenShift Container Platform release 3.11.705 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 3.11. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1677: openshift/router: route hijacking attack via crafted HAProxy configuration file
Red Hat OpenShift Container Platform release 3.11.705 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 3.11. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1677: openshift/router: route hijacking attack via crafted HAProxy configuration file
Red Hat OpenShift Container Platform release 3.11.705 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 3.11. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-21698: prometheus/client_golang: Denial of service using InstrumentHandlerCounter * CVE-2022-29036: credentials: Stored XSS vulnerabilities in jenkins plugin * CVE-2022-29046: subversion:...
Red Hat OpenShift Container Platform release 3.11.705 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 3.11. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-21698: prometheus/client_golang: Denial of service using InstrumentHandlerCounter * CVE-2022-29036: credentials: Stored XSS vulnerabilities in jenkins plugin * CVE-2022-29046: subversion:...
Red Hat OpenShift Container Platform release 3.11.705 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 3.11. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-21698: prometheus/client_golang: Denial of service using InstrumentHandlerCounter * CVE-2022-29036: credentials: Stored XSS vulnerabilities in jenkins plugin * CVE-2022-29046: subversion:...
Red Hat Security Advisory 2022-4668-01 - Red Hat OpenShift Virtualization release 4.10.1 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2022-2205-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.9.33. Issues addressed include a cross site scripting vulnerability.
Red Hat Security Advisory 2022-2205-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.9.33. Issues addressed include a cross site scripting vulnerability.
Red Hat Security Advisory 2022-4667-01 - OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. This advisory contains OpenShift Virtualization 4.10.1 RPMs. Issues addressed include a denial of service vulnerability.
Red Hat OpenShift Container Platform release 4.9.33 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-29036: credentials: Stored XSS vulnerabilities in jenkins plugin * CVE-2022-29041: Jira: Stored XSS vulnerabilities in Jenkins Jira plugin * CVE-2022-29046: subversion: Stored XSS vulnerabil...
Red Hat OpenShift Container Platform release 4.9.33 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-29036: credentials: Stored XSS vulnerabilities in jenkins plugin * CVE-2022-29041: Jira: Stored XSS vulnerabilities in Jenkins Jira plugin * CVE-2022-29046: subversion: Stored XSS vulnerabil...
Red Hat Security Advisory 2022-2216-01 - Logging Subsystem 5.4.1 - Red Hat OpenShift. Issues addressed include HTTP request smuggling and denial of service vulnerabilities.
Red Hat Security Advisory 2022-2218-01 - Openshift Logging Bug Fix Release. Issues addressed include HTTP request smuggling, denial of service, and man-in-the-middle vulnerabilities.
Openshift Logging Bug Fix Release (5.3.7) Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-37136: netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data * CVE-2021-37137: netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way * CVE-2021-43797: netty: control chars in header names may lead to HTTP request smuggling * CVE-2022-0759: kubeclient: kubeconfig parsing error can lead to...
Openshift Logging Bug Fix Release (5.2.10) Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-37136: netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data * CVE-2021-37137: netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way * CVE-2021-43797: netty: control chars in header names may lead to HTTP request smuggling * CVE-2022-0759: kubeclient: kubeconfig parsing error can lead t...
Logging Subsystem 5.4.1 - Red Hat OpenShift Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-37136: netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data * CVE-2021-37137: netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way * CVE-2021-43797: netty: control chars in header names may lead to HTTP request smuggling * CVE-2022-21698: prometheus/client_golang: Denial of service u...
Jenkins Subversion Plugin 2.15.3 and earlier does not escape the name and description of List Subversion tags (and more) parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
A cross-site request forgery (CSRF) vulnerability in Jenkins Subversion Plugin 2.15.3 and earlier allows attackers to connect to an attacker-specified URL.
client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of `promhttp.InstrumentHandler*` middleware except `RequestsInFlight`; not filter any specific methods (e.g GET) before middleware; pass metric with `method` label name to our middleware; and not have any firewall/LB/proxy that filters away requests with unknown `method`. client_golang version 1.11.1 contains a patch for this issue. Several workarounds are available, including removing the `method` label name from counter/gauge used in the InstrumentHandler; turning off affected promhttp handlers; adding custom middleware before promhttp handler th...