Red Hat Security Advisory 2023-3557-01
Red Hat Security Advisory 2023-3557-01 - OpenShift GitOps KAM is the OpenShift GitOps Kubernetes Application Manager CLI tool. Issues addressed include a bypass vulnerability.
=====================================================================
Red Hat Security Advisory
Synopsis: Important: openshift-gitops-kam security update
Advisory ID: RHSA-2023:3557-01
Product: Red Hat OpenShift GitOps
Advisory URL: https://access.redhat.com/errata/RHSA-2023:3557
Issue date: 2023-06-09
CVE Names: CVE-2022-1996
=====================================================================
- Summary:
An update for openshift-gitops-kam is now available for Red Hat OpenShift
GitOps 1.9.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat OpenShift GitOps 1.9 - aarch64, ppc64le, s390x, x86_64
- Description:
OpenShift GitOps KAM is the OpenShift GitOps Kubernetes Application Manager
CLI tool.
Security Fix(es):
- go-restful: Authorization Bypass Through User-Controlled Key
(CVE-2022-1996)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
- Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
2094982 - CVE-2022-1996 go-restful: Authorization Bypass Through User-Controlled Key
- Package List:
Red Hat OpenShift GitOps 1.9:
Source:
openshift-gitops-kam-1.9.0-102.el8.src.rpm
aarch64:
openshift-gitops-kam-1.9.0-102.el8.aarch64.rpm
ppc64le:
openshift-gitops-kam-1.9.0-102.el8.ppc64le.rpm
s390x:
openshift-gitops-kam-1.9.0-102.el8.s390x.rpm
x86_64:
openshift-gitops-kam-1.9.0-102.el8.x86_64.rpm
openshift-gitops-kam-redistributable-1.9.0-102.el8.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2022-1996
https://access.redhat.com/security/updates/classification/#important
https://docs.openshift.com/container-platform/latest/cicd/gitops/gitops-release-notes.html
- Contact:
The Red Hat security contact is [email protected]. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2023 Red Hat, Inc.
Related news
An update for openshift-gitops-kam is now available for Red Hat OpenShift GitOps 1.9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1996: A flaw was found in CORS Filter feature from the go-restful package. When a user inputs a domain which is in AllowedDomains, all domains starting with the same pattern are accepted. This issue could allow an attacker to break the CORS policy by allowing any page to make requests and retrieve data on behalf of users.
Red Hat Security Advisory 2023-3229-01 - An update for openshift-gitops-kam is now available for Red Hat OpenShift GitOps 1.8. Red Hat Product Security has rated this update as having a security impact of Important. Issues addressed include a bypass vulnerability.
Red Hat Security Advisory 2023-0814-01 - The Cryostat 2 on RHEL 8 container images have been updated to fix "CVE-2022-1996 go-restful: Authorization Bypass Through User-Controlled Key" and to address the following security advisory: RHSA-2023:0625 Users of Cryostat 2 on RHEL 8 container images are advised to upgrade to these updated images, which contain backported patches to correct these security issues, fix these bugs and add these enhancements. Users of these images are also encouraged to rebuild all container images that depend on these images. Issues addressed include bypass, code execution, and integer overflow vulnerabilities.
Updated Cryostat 2 on RHEL 8 container images are now available. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1996: A flaw was found in CORS Filter feature from the go-restful package. When a user inputs a domain which is in AllowedDomains, all domains starting with the same pattern are accepted. This issue could allow an attacker to break the CORS policy by allowing any page to make requests and retrieve data on behalf of users.
Red Hat Security Advisory 2022-8609-01 - OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. This advisory contains OpenShift Virtualization 4.9.7 images. Issues addressed include a bypass vulnerability.
Red Hat OpenShift Virtualization release 4.9.7 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1996: go-restful: Authorization Bypass Through User-Controlled Key
Red Hat Security Advisory 2022-6351-01 - OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. This advisory contains the following OpenShift Virtualization 4.10.5 images: RHEL-8-CNV-4.10. Issues addressed include a bypass vulnerability.
Red Hat Security Advisory 2022-6040-01 - Version 1.24.0 of the OpenShift Serverless Operator is supported on Red Hat OpenShift Container Platform versions 4.6, 4.7, 4.8, 4.9, 4.10, and 4.11. This release includes security and bug fixes, and enhancements. Issues addressed include bypass and denial of service vulnerabilities.
Release of OpenShift Serverless 1.24.0. The References section contains CVE links providing detailed severity ratings for each vulnerability. Ratings are based on a Common Vulnerability Scoring System (CVSS) base score. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-1962: golang: go/parser: stack exhaustion in all Parse* functions * CVE-2022-1996: go-restful: Authorization Bypass Through User-Controlled Key * CVE-2022-21698: prometheus/client_golang: Denial of service using InstrumentHandlerCounter * CVE-2022-24675: golang: encoding/pem: fix stack overflow in Decode * CVE-2022-24921: golang: regexp: stack exhaustion via a deeply nested expression * C...
Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3.8.0.
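The CVE-2022-1996 description above says that once a domain is in AllowedDomains, every domain starting with the same pattern is accepted. The following added example (not go-restful's code and not part of the advisory) models that class of check with a simple prefix comparison next to an exact comparison of the parsed origin; the allow-list entry, function names and sample origins are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// allowedDomains is a constructed allow-list for this example.
var allowedDomains = []string{"https://app.example.com"}

// prefixAllowed models the flaw class: an Origin is accepted when it merely
// starts with an allow-listed entry, so longer look-alike hosts pass.
func prefixAllowed(origin string) bool {
	for _, d := range allowedDomains {
		if strings.HasPrefix(origin, d) {
			return true
		}
	}
	return false
}

// exactAllowed parses the Origin and requires scheme://host[:port] to equal
// an allow-listed entry exactly; anything with a path, query or userinfo is
// not a valid Origin value and is rejected.
func exactAllowed(origin string) bool {
	u, err := url.Parse(origin)
	if err != nil || u.Scheme == "" || u.Host == "" ||
		u.Path != "" || u.RawQuery != "" || u.User != nil {
		return false
	}
	normalized := strings.ToLower(u.Scheme + "://" + u.Host)
	for _, d := range allowedDomains {
		if normalized == strings.ToLower(d) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample Origin header values.
	for _, o := range []string{
		"https://app.example.com",
		"https://app.example.com.attacker.test",
		"https://app.example.community",
	} {
		fmt.Printf("%-40s prefix=%-5v exact=%v\n", o, prefixAllowed(o), exactAllowed(o))
	}
}
```

The same comparison is useful as a regression test for any CORS allow-list: feed it origins that extend an allowed entry and assert they are rejected.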