RHSA-2022:6392: Red Hat Security Advisory: RHV RHEL Host (ovirt-host) [ovirt-4.5.2] security update

Updated host packages that fix several bugs and add various enhancements are now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
- CVE-2022-31129: moment: inefficient parsing algorithm resulting in DoS
Issued: 2022-09-08
Updated: 2022-09-08
Synopsis
Important: RHV RHEL Host (ovirt-host) [ovirt-4.5.2] security update
Type/Severity
Security Advisory: Important
Description
The ovirt-host package consolidates host package requirements into a single meta package.
Security Fix(es):
- moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
- The hosted-engine-ha binaries have been moved from /usr/share to /usr/libexec. As a result, the hosted-engine --clean-metadata command fails. With this release, you must use the new path for the command to succeed: /usr/libexec/ovirt-hosted-engine-ha/ovirt-ha-agent (BZ#2105781)
- A new warning has been added to the vdsm-tool to protect users from using the unsupported user_friendly_names multipath configuration. The following is an example of the output:

    $ vdsm-tool is-configured --module multipath
    WARNING: Invalid configuration: 'user_friendly_names' is enabled in multipath configuration:
    section1 {
    key1 value1
    user_friendly_names yes
    key2 value2
    }
    section2 {
    user_friendly_names yes
    }

  This configuration is not supported and may lead to storage domain corruption. (BZ#1793207)
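The warning above is produced by vdsm-tool. The following is an added example, not vdsm's own code: a small parser for the multipath.conf block syntax that reports every section (nested ones included) in which user_friendly_names is enabled, so an administrator can run the same check on a host before the storage domain is touched. The sample configuration is constructed; the section names, keys and WWID in it are illustrative. Values "yes" and "1" are treated as enabled here, on the assumption that those are the forms multipath-tools accepts.

```python
"""Report multipath.conf sections where user_friendly_names is enabled.

Added example (not vdsm code): parses the block syntax of multipath.conf
and lists the sections in which the unsupported setting is switched on.
"""
import re
from typing import List, Tuple

# Constructed sample configuration: one top-level section with the option
# enabled, one with it disabled, and one nested section with it enabled.
SAMPLE_CONF = """\
# constructed sample multipath.conf
defaults {
    key1 value1
    user_friendly_names yes   # unsupported on RHV hosts
    key2 value2
}
blacklist {
    devnode "^sd[a-z]"
}
overrides {
    user_friendly_names no
}
multipaths {
    multipath {
        wwid "3600508b4000156d700012000000b0000"
        user_friendly_names yes
    }
}
"""

# A token is either a double-quoted string or a run of non-whitespace.
_TOKEN = re.compile(r'"[^"]*"|\S+')


def parse_multipath_conf(text: str) -> List[Tuple[str, str, str]]:
    """Return (section_path, key, value) triples for every setting.

    Nested sections are joined with dots (e.g. multipaths.multipath).
    '#' comments are stripped; quoted values keep only their inner text.
    A '{' on a line of its own is not supported by this sketch.
    """
    settings: List[Tuple[str, str, str]] = []
    stack: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        tokens = _TOKEN.findall(line)
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            if tok == "}":  # close the innermost section
                if not stack:
                    raise ValueError("unbalanced '}' in configuration")
                stack.pop()
                i += 1
            elif i + 1 < len(tokens) and tokens[i + 1] == "{":  # "name {"
                stack.append(tok)
                i += 2
            elif i + 1 < len(tokens):  # "key value"
                value = tokens[i + 1].strip('"')
                settings.append((".".join(stack) or "<top>", tok, value))
                i += 2
            else:
                raise ValueError(f"dangling token {tok!r} in: {line}")
    if stack:
        raise ValueError("unclosed section(s): " + ", ".join(stack))
    return settings


def find_user_friendly_names(text: str) -> List[str]:
    """Section paths where user_friendly_names is enabled ('yes' or '1')."""
    enabled = {"yes", "1"}  # assumption: the forms multipath-tools accepts
    return [
        section
        for section, key, value in parse_multipath_conf(text)
        if key == "user_friendly_names" and value.lower() in enabled
    ]


def report(text: str) -> str:
    """One-line verdict in the spirit of the vdsm-tool warning."""
    sections = find_user_friendly_names(text)
    if not sections:
        return "OK: user_friendly_names is not enabled in multipath configuration"
    return ("WARNING: Invalid configuration: 'user_friendly_names' is enabled "
            "in multipath configuration: " + ", ".join(sections))


if __name__ == "__main__":
    print(report(SAMPLE_CONF))
```

To check a real host, read /etc/multipath.conf (and any files under /etc/multipath/conf.d/) into the text argument; the parser raises on unbalanced braces rather than silently returning a partial result, so a malformed file is surfaced instead of passing as clean.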
Affected Products
- Red Hat Virtualization 4 for RHEL 8 x86_64
- Red Hat Virtualization Host 4 for RHEL 8 x86_64
- Red Hat Virtualization for IBM Power LE 4 for RHEL 8 ppc64le
Fixes
- BZ - 1793207 - [RFE] Notify if multipath User Friendly Names are used
- BZ - 2105075 - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS
- BZ - 2105781 - hosted-engine --clean-metadata fails because ovirt-ha-agent has changed location
- BZ - 2117558 - hosted-engine deploy failed since "Failed to configure OVN controller"
Red Hat Virtualization 4 for RHEL 8
SRPM
cockpit-ovirt-0.16.2-1.el8ev.src.rpm
SHA-256: fe440e157b26284eae73b4f6e0c1574f45dc931aff3f798dd717e52b75520cf3
mom-0.6.3-1.el8ev.src.rpm
SHA-256: 1362f857e8589b157d6d5c9d0debc76def6091462a59554352e2237f4598f816
ovirt-host-4.5.0-3.1.el8ev.src.rpm
SHA-256: c1a85fcd437b123d30b7ce906e63915d6905681543f6d5f21204c042e1f079b4
ovirt-hosted-engine-setup-2.6.5-1.1.el8ev.src.rpm
SHA-256: e2d34f4a88a5dd9453680a903be2394cb717807eb3d42a8f0df6317b35a0e481
vdsm-4.50.2.2-1.el8ev.src.rpm
SHA-256: 469668e6200ce97132da192378745e3d7ebf1da0fe6bbc326ba438fc6de1ee25
x86_64
cockpit-ovirt-dashboard-0.16.2-1.el8ev.noarch.rpm
SHA-256: bd7b3a2dee37adc3da6d783a6c0610442100b3d52033025f19d423bf6bc8ae15
mom-0.6.3-1.el8ev.noarch.rpm
SHA-256: f3585b75cb356104a9a4a81077ac7f8ad7d6d77ec2a909c20c21b2849ca4448c
ovirt-host-4.5.0-3.1.el8ev.x86_64.rpm
SHA-256: 415a5aaa1389d2318e0ea152e60c707da27ad21335b30bf3c0306a32a6a0f3f6
ovirt-host-dependencies-4.5.0-3.1.el8ev.x86_64.rpm
SHA-256: 902fc3353dd6fdec293b005ba9a85d0453bb78c6dd09b0b041872891f45e9752
ovirt-hosted-engine-setup-2.6.5-1.1.el8ev.noarch.rpm
SHA-256: 795739a3a287579b8af7bccd6e6e9bf00c4cf24adc1bd8bf4886cc202aae208b
vdsm-4.50.2.2-1.el8ev.x86_64.rpm
SHA-256: e708c83930290d3de839f90b821cba4d393e33044bdaf4ce0cae0462f152dd5a
vdsm-api-4.50.2.2-1.el8ev.noarch.rpm
SHA-256: c1a81830278175f913599ba77a693f34f1939b57a7e633203b55f593cd9ec7ed
vdsm-client-4.50.2.2-1.el8ev.noarch.rpm
SHA-256: 4757d4c560194b624586d23c89e2de98a70b8f6a7dae7c51dbd268a29e7bb9ef
vdsm-common-4.50.2.2-1.el8ev.noarch.rpm
SHA-256: a57e322e6f5ffeb4c9900becd9afe699471eba2a475b7f42a8f599794953cc4a
vdsm-gluster-4.50.2.2-1.el8ev.x86_64.rpm
SHA-256: c5c4eab3c810df6a7b744d14ff56c07e64cd766f7718bd74ad8d185e17b7615b
vdsm-hook-checkips-4.50.2.2-1.el8ev.x86_64.rpm
SHA-256: 19bcfbdd7626f0ac9bd15c44bfeae0fcee473e1ac3d6281dab70c7f55b38830d
vdsm-hook-cpuflags-4.50.2.2-1.el8ev.noarch.rpm
SHA-256: c6e1aa2ae0bd9036c3b0e1b92e8044f356d3ee315edfd3e3dc5f7b02304cbdf6
vdsm-hook-ethtool-options-4.50.2.2-1.el8ev.noarch.rpm
SHA-256: 81dd5e96556f955dece1cb207ccdc7d74f8c76cac86b55af21ffb6effc1ecb7b
vdsm-hook-extra-ipv4-addrs-4.50.2.2-1.el8ev.x86_64.rpm
SHA-256: 387f232ea3094381889728a7e12d399981b84bdda018e33c15c1200d08066852
vdsm-hook-fcoe-4.50.2.2-1.el8ev.noarch.rpm
SHA-256: 459a41b79d9e77381129c1398084c116384f0481ca2ae329a284d7bcc2aa1e9b
vdsm-hook-localdisk-4.50.2.2-1.el8ev.noarch.rpm
SHA-256: 89ce156f77060d1900d63f02c50845a2535e46decff2f5ed74b4a5d4f36e4901
vdsm-hook-nestedvt-4.50.2.2-1.el8ev.noarch.rpm
SHA-256: 1b2fc07658fb9a90c4b1dba9648027d46626f193c663f0adce22bb581fefcda4
vdsm-hook-openstacknet-4.50.2.2-1.el8ev.noarch.rpm
SHA-256: 63e2e25913c0adcea9cc15bc81cc8d0b5125f3d6c73049407870c89267351ea5
vdsm-hook-vhostmd-4.50.2.2-1.el8ev.noarch.rpm
SHA-256: a44c5a0219d74c37eab52937e6a0ee1ea8a5aeebe06f0eae00e9420e131b98fc
vdsm-http-4.50.2.2-1.el8ev.noarch.rpm
SHA-256: 5144123e0f993c3657f870b42c7a269b498edd942a8713d978b87f6a7751d4ce
vdsm-jsonrpc-4.50.2.2-1.el8ev.noarch.rpm
SHA-256: 17b246668e58e7ab6b5e541702d0509ff416c395220ee1bf7f6455cb14507b2a
vdsm-network-4.50.2.2-1.el8ev.x86_64.rpm
SHA-256: c6bab5e3b35747c5e59ee9fe32d85c6b942c27e9efb1490983f47f8045e23ae6
vdsm-python-4.50.2.2-1.el8ev.noarch.rpm
SHA-256: 2dfa5baaf345930a4d1786a5e2f7985c0172afeac9c9665f2b8bde42df899fe6
vdsm-yajsonrpc-4.50.2.2-1.el8ev.noarch.rpm
SHA-256: 660853c95db0c6e84be998df347147a33a8685c6c2cd2bc5573971c238618244
Red Hat Virtualization Host 4 for RHEL 8
SRPM
vdsm-4.50.2.2-1.el8ev.src.rpm
SHA-256: 469668e6200ce97132da192378745e3d7ebf1da0fe6bbc326ba438fc6de1ee25
x86_64
vdsm-hook-checkips-4.50.2.2-1.el8ev.x86_64.rpm
SHA-256: 19bcfbdd7626f0ac9bd15c44bfeae0fcee473e1ac3d6281dab70c7f55b38830d
vdsm-hook-cpuflags-4.50.2.2-1.el8ev.noarch.rpm
SHA-256: c6e1aa2ae0bd9036c3b0e1b92e8044f356d3ee315edfd3e3dc5f7b02304cbdf6
vdsm-hook-ethtool-options-4.50.2.2-1.el8ev.noarch.rpm
SHA-256: 81dd5e96556f955dece1cb207ccdc7d74f8c76cac86b55af21ffb6effc1ecb7b
vdsm-hook-extra-ipv4-addrs-4.50.2.2-1.el8ev.x86_64.rpm
SHA-256: 387f232ea3094381889728a7e12d399981b84bdda018e33c15c1200d08066852
vdsm-hook-fcoe-4.50.2.2-1.el8ev.noarch.rpm
SHA-256: 459a41b79d9e77381129c1398084c116384f0481ca2ae329a284d7bcc2aa1e9b
vdsm-hook-localdisk-4.50.2.2-1.el8ev.noarch.rpm
SHA-256: 89ce156f77060d1900d63f02c50845a2535e46decff2f5ed74b4a5d4f36e4901
vdsm-hook-nestedvt-4.50.2.2-1.el8ev.noarch.rpm
SHA-256: 1b2fc07658fb9a90c4b1dba9648027d46626f193c663f0adce22bb581fefcda4
vdsm-hook-openstacknet-4.50.2.2-1.el8ev.noarch.rpm
SHA-256: 63e2e25913c0adcea9cc15bc81cc8d0b5125f3d6c73049407870c89267351ea5
vdsm-hook-vhostmd-4.50.2.2-1.el8ev.noarch.rpm
SHA-256: a44c5a0219d74c37eab52937e6a0ee1ea8a5aeebe06f0eae00e9420e131b98fc
Red Hat Virtualization for IBM Power LE 4 for RHEL 8
SRPM
mom-0.6.3-1.el8ev.src.rpm
SHA-256: 1362f857e8589b157d6d5c9d0debc76def6091462a59554352e2237f4598f816
ovirt-host-4.5.0-3.1.el8ev.src.rpm
SHA-256: c1a85fcd437b123d30b7ce906e63915d6905681543f6d5f21204c042e1f079b4
vdsm-4.50.2.2-1.el8ev.src.rpm
SHA-256: 469668e6200ce97132da192378745e3d7ebf1da0fe6bbc326ba438fc6de1ee25
ppc64le
mom-0.6.3-1.el8ev.noarch.rpm
SHA-256: f3585b75cb356104a9a4a81077ac7f8ad7d6d77ec2a909c20c21b2849ca4448c
ovirt-host-4.5.0-3.1.el8ev.ppc64le.rpm
SHA-256: 484633230e244d1b854df818fdc2e8a56d723e499e186a15f22c8ce1ad523115
ovirt-host-dependencies-4.5.0-3.1.el8ev.ppc64le.rpm
SHA-256: df1ab3eaa07c24b74161f89a1cc70809ea034f1b4e455a3ad5b4b75b485c7c15
vdsm-4.50.2.2-1.el8ev.ppc64le.rpm
SHA-256: 26588931e6b177fe58e1b22a6d8403846fdf68900b2798991233dc6ec8ec65bf
vdsm-api-4.50.2.2-1.el8ev.noarch.rpm
SHA-256: c1a81830278175f913599ba77a693f34f1939b57a7e633203b55f593cd9ec7ed
vdsm-client-4.50.2.2-1.el8ev.noarch.rpm
SHA-256: 4757d4c560194b624586d23c89e2de98a70b8f6a7dae7c51dbd268a29e7bb9ef
vdsm-common-4.50.2.2-1.el8ev.noarch.rpm
SHA-256: a57e322e6f5ffeb4c9900becd9afe699471eba2a475b7f42a8f599794953cc4a
vdsm-hook-checkips-4.50.2.2-1.el8ev.ppc64le.rpm
SHA-256: f6a124cb7444f33377a699394badf4fc7b834ecde5fabc8222f0051bd6e45222
vdsm-hook-cpuflags-4.50.2.2-1.el8ev.noarch.rpm
SHA-256: c6e1aa2ae0bd9036c3b0e1b92e8044f356d3ee315edfd3e3dc5f7b02304cbdf6
vdsm-hook-ethtool-options-4.50.2.2-1.el8ev.noarch.rpm
SHA-256: 81dd5e96556f955dece1cb207ccdc7d74f8c76cac86b55af21ffb6effc1ecb7b
vdsm-hook-extra-ipv4-addrs-4.50.2.2-1.el8ev.ppc64le.rpm
SHA-256: 6834b98bfb4103216353cc2f466bb66495b59c7bb17343cf2db0e941d87ba14a
vdsm-hook-fcoe-4.50.2.2-1.el8ev.noarch.rpm
SHA-256: 459a41b79d9e77381129c1398084c116384f0481ca2ae329a284d7bcc2aa1e9b
vdsm-hook-localdisk-4.50.2.2-1.el8ev.noarch.rpm
SHA-256: 89ce156f77060d1900d63f02c50845a2535e46decff2f5ed74b4a5d4f36e4901
vdsm-hook-nestedvt-4.50.2.2-1.el8ev.noarch.rpm
SHA-256: 1b2fc07658fb9a90c4b1dba9648027d46626f193c663f0adce22bb581fefcda4
vdsm-hook-openstacknet-4.50.2.2-1.el8ev.noarch.rpm
SHA-256: 63e2e25913c0adcea9cc15bc81cc8d0b5125f3d6c73049407870c89267351ea5
vdsm-hook-vhostmd-4.50.2.2-1.el8ev.noarch.rpm
SHA-256: a44c5a0219d74c37eab52937e6a0ee1ea8a5aeebe06f0eae00e9420e131b98fc
vdsm-http-4.50.2.2-1.el8ev.noarch.rpm
SHA-256: 5144123e0f993c3657f870b42c7a269b498edd942a8713d978b87f6a7751d4ce
vdsm-jsonrpc-4.50.2.2-1.el8ev.noarch.rpm
SHA-256: 17b246668e58e7ab6b5e541702d0509ff416c395220ee1bf7f6455cb14507b2a
vdsm-network-4.50.2.2-1.el8ev.ppc64le.rpm
SHA-256: fda7f0b4b72bf28419d5743f454f050f38cdd1cf4dc41afb0251b9e12168c943
vdsm-python-4.50.2.2-1.el8ev.noarch.rpm
SHA-256: 2dfa5baaf345930a4d1786a5e2f7985c0172afeac9c9665f2b8bde42df899fe6
vdsm-yajsonrpc-4.50.2.2-1.el8ev.noarch.rpm
SHA-256: 660853c95db0c6e84be998df347147a33a8685c6c2cd2bc5573971c238618244
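The digests listed above let an administrator confirm that the packages staged on a host are the ones the advisory describes before they are installed. The following is an added example, not Red Hat tooling: it parses the "filename / SHA-256:" pairs in the layout used on this page (the excerpt embedded below is copied from the list above) and checks a directory of downloaded RPMs against them. The demo directory, the constructed package named constructed-good-1.0-1.el8ev.noarch.rpm and the tampered and stray files are all constructed for the example.

```python
"""Verify downloaded RPMs against the SHA-256 digests an advisory lists.

Added example (not Red Hat tooling): parses "name / SHA-256: hex" pairs
as laid out on the advisory page and reports each file as ok, MISMATCH,
missing or unlisted.
"""
import hashlib
import os
import re
import tempfile
from typing import Dict

# Excerpt of this advisory's x86_64 list, in the page's own layout.
ADVISORY_EXCERPT = """\
x86_64
vdsm-4.50.2.2-1.el8ev.x86_64.rpm
SHA-256: e708c83930290d3de839f90b821cba4d393e33044bdaf4ce0cae0462f152dd5a
vdsm-api-4.50.2.2-1.el8ev.noarch.rpm
SHA-256: c1a81830278175f913599ba77a693f34f1939b57a7e633203b55f593cd9ec7ed
"""

_DIGEST = re.compile(r"^SHA-256:\s*([0-9a-fA-F]{64})$")


def parse_manifest(text: str) -> Dict[str, str]:
    """Map each *.rpm filename to the lowercase hex digest on the next line."""
    manifest: Dict[str, str] = {}
    pending = None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(".rpm"):
            pending = line          # remember the name; digest follows
            continue
        m = _DIGEST.match(line)
        if m and pending:
            manifest[pending] = m.group(1).lower()
            pending = None
    return manifest


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so large RPMs are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_directory(directory: str, manifest: Dict[str, str]) -> Dict[str, str]:
    """Return filename -> 'ok' | 'MISMATCH' | 'missing' | 'unlisted'.

    Every manifest entry is checked, and any *.rpm in the directory that the
    manifest does not list is flagged so an unexpected package is noticed.
    """
    results: Dict[str, str] = {}
    for name, expected in manifest.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif sha256_file(path) == expected:
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    for name in os.listdir(directory):
        if name.endswith(".rpm") and name not in manifest:
            results[name] = "unlisted"
    return results


def demo() -> Dict[str, str]:
    """Constructed scenario: one good file, one tampered, one missing, one stray."""
    manifest = parse_manifest(ADVISORY_EXCERPT)
    # Constructed entry: the FIPS 180 test-vector digest of the bytes b"abc".
    good = "constructed-good-1.0-1.el8ev.noarch.rpm"
    manifest[good] = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, good), "wb") as f:
            f.write(b"abc")
        # Stand-in for a tampered download: wrong bytes under a listed name.
        with open(os.path.join(d, "vdsm-4.50.2.2-1.el8ev.x86_64.rpm"), "wb") as f:
            f.write(b"not the real package")
        # A package the advisory never listed.
        with open(os.path.join(d, "stray-0.1-1.noarch.rpm"), "wb") as f:
            f.write(b"")
        return verify_directory(d, manifest)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:9s} {name}")
```

In practice the manifest text is the package list copied from the advisory and the directory is wherever the RPMs were downloaded; a MISMATCH or an unlisted file should stop the update until the source of the packages is understood. This check complements, not replaces, RPM signature verification by the package manager.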
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.
Related news
Impact
- Using string-to-date parsing in moment (more specifically RFC 2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs.
- A noticeable slowdown is observed with inputs above 10k characters.
- Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to (Re)DoS attacks.

Patches
The problem is patched in 2.29.4; the patch can be applied to all affected versions with minimal tweaking.

Workarounds
In general, given the proliferation of ReDoS attacks, it makes sense to limit the length of the user input to something sane, like 200 characters or less. I haven't seen legitimate cases of date-time strings longer than that, so all moment users who do pass a user-originating string to the constructor are encouraged to apply such a rudimentary filter, which would help with this but also most future ReDoS vulnerabilities.

References
There is an excellent writeup of the issue here: https://github.com/mo...