Headline
RHSA-2023:3353: Red Hat Security Advisory: Multicluster Engine for Kubernetes 2.0.9 security fixes and container updates
Multicluster Engine for Kubernetes 2.0.9 General Availability release images, which fix security issues and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2023-32313: A flaw was found in the vm2. After making a vm, the inspect method is read-write for console.log, which allows an attacker to edit options for console.log. This issue impacts the integrity by changing the log subsystem.
- CVE-2023-32314: A flaw was found in the vm2 sandbox. When a host object is created based on the specification of Proxy, an attacker can bypass the sandbox protections. This may allow an attacker to achieve remote code execution on the host running the sandbox. This vulnerability impacts the confidentiality, integrity, and availability of the system.
Issued:
2023-05-30
Updated:
2023-05-30
RHSA-2023:3353 - Security Advisory
Synopsis
Critical: Multicluster Engine for Kubernetes 2.0.9 security fixes and container updates
Type/Severity
Security Advisory: Critical
Topic
Multicluster Engine for Kubernetes 2.0.9 General Availability release images, which fix security issues and update container images.
Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE links in the References section.
Description
Multicluster Engine for Kubernetes 2.0.9 images
Multicluster engine for Kubernetes provides the foundational components
that are necessary for the centralized management of multiple
Kubernetes-based clusters across data centers, public clouds, and private
clouds.
You can use the engine to create new Red Hat OpenShift Container Platform
clusters or to bring existing Kubernetes-based clusters under management by
importing them. After the clusters are managed, you can use the APIs that
are provided by the engine to distribute configuration based on placement
policy.
Security fix(es):
- CVE-2023-32314 vm2: Sandbox Escape
- CVE-2023-32313 vm2: Inspect Manipulation
Affected Products
- multicluster engine for Kubernetes Text-only Advisories x86_64
Fixes
- BZ - 2208376 - CVE-2023-32314 vm2: Sandbox Escape
- BZ - 2208377 - CVE-2023-32313 vm2: Inspect Manipulation
CVEs
- CVE-2022-2795
- CVE-2022-2928
- CVE-2022-2929
- CVE-2022-36227
- CVE-2022-41973
- CVE-2023-27535
- CVE-2023-32313
- CVE-2023-32314
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.
Related news
Ubuntu Security Notice 7070-1 - It was discovered that libarchive mishandled certain memory checks, which could result in a NULL pointer dereference. An attacker could potentially use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. It was discovered that libarchive mishandled certain memory operations, which could result in an out-of-bounds memory access. An attacker could potentially use this issue to cause a denial of service. This issue only affected Ubuntu 22.04 LTS and Ubuntu 24.04 LTS.
Gentoo Linux Security Advisory 202309-14 - Multiple vulnerabilities have been found in libarchive, the worst of which could result in denial of service. Versions greater than or equal to 3.7.1 are affected.
Red Hat Security Advisory 2023-4657-01 - Secondary Scheduler Operator for Red Hat OpenShift 1.1.2. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-4576-01 - VolSync is a Kubernetes operator that enables asynchronous replication of persistent volumes within a cluster, or across clusters.
The components for Red Hat OpenShift support for Windows Containers 6.0.1 are now available. This product release includes bug fixes and security update for the following packages: windows-machine-config-operator and windows-machine-config-operator-bundle. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-27191: A broken cryptographic algorithm flaw was found in golang.org/x/crypto/ssh. This issue causes a client to fail authentication with RSA keys to servers that reject...
Gatekeeper Operator v0.2 security fixes and enhancements Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-3089: A compliance problem was found in the Red Hat OpenShift Container Platform. Red Hat discovered that, when FIPS mode was enabled, not all of the cryptographic modules in use were FIPS-validated.
OpenShift sandboxed containers 1.4.1 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-3089: A compliance problem was found in the Red Hat OpenShift Container Platform. Red Hat discovered that, when FIPS mode was enabled, not all of the cryptographic modules in use were FIPS-validated.
Updated images that fix several bugs are now available for Red Hat OpenShift Data Foundation 4.11.9 on Red Hat Enterprise Linux 8 from Red Hat Container Registry. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-3089: A compliance problem was found in the Red Hat OpenShift Container Platform. Red Hat discovered that, when FIPS mode was enabled, not all of the cryptographic modules in use were FIPS-validated.
The components for Red Hat OpenShift support for Windows Containers 7.1.0 are now available. This product release includes bug fixes and security updates for the following packages: windows-machine-config-operator and windows-machine-config-operator-bundle. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-25173: A flaw was found in containerd, where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates...
OpenShift API for Data Protection (OADP) 1.1.5 is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. * CVE-2023-24534: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused by memory exhaustion in the common function in H...
Red Hat Security Advisory 2023-3813-01 - An update for mtr-operator-bundle-container, mtr-operator-container, mtr-web-container, and mtr-web-executor-container is now available for Migration Toolkit for Runtimes 1 on RHEL 8.
Red Hat Security Advisory 2023-3742-02 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. Issues addressed include bypass, denial of service, and remote SQL injection vulnerabilities.
Updated images that include numerous enhancements, security, and bug fixes are now available in Red Hat Container Registry for Red Hat OpenShift Data Foundation 4.13.0 on Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-16250: A flaw was found in Vault and Vault Enterprise (“Vault”). In the affected versions of Vault, with the AWS Auth Method configured and under certain circumstances, the values relied upon by Vault to validate AWS IAM ident...
Red Hat Security Advisory 2023-3664-01 - Release of Security Advisory for the OpenShift Jenkins image and Jenkins agent base image.
Red Hat Security Advisory 2023-3644-01 - Red Hat OpenShift Service Mesh is the Red Hat distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. This advisory covers container images for the release.
Red Hat Security Advisory 2023-3645-01 - Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an OpenShift Container Platform installation. This advisory covers the RPM packages for the release. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-3624-01 - The Migration Toolkit for Containers enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-3609-01 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Data Foundation. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform.
Red Hat OpenShift Service Mesh Containers for 2.4.0 Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-24540: A flaw was found in golang, where not all valid JavaScript white-space characters were considered white space. Due to this issue, templates containing white-space characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.
The Migration Toolkit for Containers (MTC) 1.7.10 is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-24534: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused by memory exhaustion in the common function in HTTP and MIME header parsing. By sending a specially crafted request, a remote attacker can cause a denial of service. * CVE-2023-24536: A flaw was found in Golang Go, where it is vulnerable to a denial of service cause...
Updated images that fix several bugs are now available for Red Hat OpenShift Data Foundation 4.12.4 on Red Hat Enterprise Linux 8 from Red Hat Container Registry. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Related CVEs: * CVE-2022-3172: A security issue was discovered in kube-apiserver that allows an aggregated API server to redirect client traffic to any URL. This issue leads to the client performing unexpected actions and forwarding the client's API server credentials to third parties.
Red Hat Security Advisory 2023-3495-01 - Logging Subsystem 5.7.2 - Red Hat OpenShift. Issues addressed include cross site scripting and denial of service vulnerabilities.
Logging Subsystem 5.7.2 - Red Hat OpenShift Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Related CVEs: * CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. * CVE-2023-27539: A denial of service vulnerability was found in rubygem-rack in how it parses headers. A carefully crafted input can cause header parsing to take an unexpe...
OpenShift Serverless version 1.29.0 contains a moderate security impact. The References section contains CVE links providing detailed severity ratings for each vulnerability. Ratings are based on a Common Vulnerability Scoring System (CVSS) base score. Related CVEs: * CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. * CVE-2022-41724: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused when processing large TLS handshake records. By sending specially-crafted TLS handshake records, a remote, authenticated attacker ...
Red Hat Security Advisory 2023-3379-01 - Updated images are now available for Red Hat Advanced Cluster Security for Kubernetes (RHACS). The updated image includes security fixes. This release of RHACS includes a fix for CVE-2023-24540 by building RHACS with updated Golang.
Red Hat Security Advisory 2023-3356-01 - Red Hat Advanced Cluster Management for Kubernetes 2.5.9 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs.
An update is now available for Red Hat Advanced Cluster Security for Kubernetes (RHACS). Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Related CVEs: * CVE-2023-24539: A flaw was found in golang where angle brackets (<>) were not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character could result in unexpectedly closing the CSS context and allowing for the injection of unexpected HTML if executed with untrusted inpu...
Dell SCG 5.14 contains an information disclosure vulnerability during the SRS to SCG upgrade path. A remote low privileged malicious user could potentially exploit this vulnerability to retrieve the plain text.
An update for mtr-operator-bundle-container, mtr-operator-container, mtr-web-container, and mtr-web-executor-container is now available for Migration Toolkit for Runtimes 1 on RHEL 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Related CVEs: * CVE-2021-46877: A flaw was found in Jackson Databind. This issue may allow a malicious user to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization. * CVE-2022-41854: Those using Sn...
Updated images are now available for Red Hat Advanced Cluster Security for Kubernetes (RHACS). The updated image includes security fixes. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Related CVEs: * CVE-2023-24540: A flaw was found in golang, where not all valid JavaScript white-space characters were considered white space. Due to this issue, templates containing white-space characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions...
Red Hat Security Advisory 2023-3326-01 - Red Hat Advanced Cluster Management for Kubernetes 2.6.6 images. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs.
Red Hat Security Advisory 2023-3325-01 - Multicluster Engine for Kubernetes 2.1.7 images Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy.
Multicluster Engine for Kubernetes 2.1.7 General Availability release images, which address security issues and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. Related CVEs: * CVE-2023-32313: A flaw was found in the vm2. After making a vm, the inspect method is read-write for console.log, which allows an attacker to edit options for console.log. This issue impacts the integrity by changing the log subsystem. * CVE-2023-32314: A flaw was found in the vm2 sandbox. When a ho...
Red Hat Security Advisory 2023-3296-01 - Multicluster Engine for Kubernetes 2.2.4 images Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy.
Red Hat Security Advisory 2023-3297-01 - Red Hat Advanced Cluster Management for Kubernetes 2.7.4 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs.
Red Hat Advanced Cluster Management for Kubernetes 2.7.4 General Availability release images, which fix security issues and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. Related CVEs: * CVE-2023-32313: A flaw was found in the vm2. After making a vm, the inspect method is read-write for console.log, which allows an attacker to edit options for console.log. This issue impacts the integrity by changing the log subsystem. * CVE-2023-32314: A flaw was found in the vm2 sandbo...
Multicluster Engine for Kubernetes 2.2.4 General Availability release images, which fix security issues and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. Related CVEs: * CVE-2023-32313: A flaw was found in the vm2. After making a vm, the inspect method is read-write for console.log, which allows an attacker to edit options for console.log. This issue impacts the integrity by changing the log subsystem. * CVE-2023-32314: A flaw was found in the vm2 sandbox. When a host ...
Multicluster Engine for Kubernetes 2.2.4 General Availability release images, which fix security issues and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-32313: A flaw was found in the vm2. After making a vm, the inspect method is read-write for console.log, which allows an attacker to edit options for console.log. This issue impacts the integrity by changing the log subsystem. * CVE-2023-32314: A flaw was found in the vm2 sandbox. When a host ...
Multicluster Engine for Kubernetes 2.2.4 General Availability release images, which fix security issues and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-32313: A flaw was found in the vm2. After making a vm, the inspect method is read-write for console.log, which allows an attacker to edit options for console.log. This issue impacts the integrity by changing the log subsystem. * CVE-2023-32314: A flaw was found in the vm2 sandbox. When a host ...
Multicluster Engine for Kubernetes 2.2.4 General Availability release images, which fix security issues and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-32313: A flaw was found in the vm2. After making a vm, the inspect method is read-write for console.log, which allows an attacker to edit options for console.log. This issue impacts the integrity by changing the log subsystem. * CVE-2023-32314: A flaw was found in the vm2 sandbox. When a host ...
Dell VxRail versions earlier than 7.0.450, contain(s) an OS command injection vulnerability in VxRail Manager. A local authenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker.
In versions 3.9.17 and lower of vm2 it was possible to get a read-write reference to the node `inspect` method and edit options for `console.log`. ### Impact A threat actor can edit options for `console.log`. ### Patches This vulnerability was patched in the release of version `3.9.18` of `vm2`. ### Workarounds After creating a vm make the `inspect` method readonly with `vm.readonly(inspect)`. ### References PoC - https://gist.github.com/arkark/c1c57eaf3e0a649af1a70c2b93b17550 ### For more information If you have any questions or comments about this advisory: - Open an issue in [VM2](https://github.com/patriksimek/vm2) Thanks to @arkark (Takeshi Kaneko) of GMO Cybersecurity by Ierae, Inc. for disclosing this vulnerability.
Red Hat Security Advisory 2023-2948-01 - The device-mapper-multipath packages provide tools that use the device-mapper multipath kernel module to manage multipath devices. Issues addressed include an insecure handling vulnerability.
An update for libarchive is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-36227: A flaw was found in libarchive. A missing check of the return value of the calloc function can cause a NULL pointer dereference in an out-of-memory condition or when a memory allocation limit is reached, resulting in the program linked with libarchive to crash.
An update for dhcp is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2928: An integer overflow vulnerability was found in the DHCP server. When the "option_code_hash_lookup()" function is called from "add_option()", it increases the option's "refcount" field. However, there is not a corresponding call to "option_dereference()" to decrement the "refcount" field. The "add_option()" function is only used in server responses to...
An update for device-mapper-multipath is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41973: A vulnerability was found in the device-mapper-multipath. The device-mapper-multipath allows local users to obtain root access, in conjunction with CVE-2022-41974. Local users that are able to access /dev/shm can change symlinks in multipathd due to incorrect symlink handling, which may lead to controlled file writes outside of th...
An update for bind9.16 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2795: A flaw was found in bind. When flooding the target resolver with special queries, an attacker can significantly impair the resolver's performance, effectively denying legitimate clients access to the DNS resolution service. * CVE-2022-3094: A flaw was found in Bind, where sending a flood of dynamic DNS updates may cause named to allocate large am...
A sandbox escape vulnerability exists in vm2 for versions up to 3.9.17. It abuses an unexpected creation of a host object based on the specification of `Proxy`. ### Impact A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. ### Patches This vulnerability was patched in the release of version `3.9.18` of `vm2`. ### Workarounds None. ### References PoC - https://gist.github.com/arkark/e9f5cf5782dec8321095be3e52acf5ac ### For more information If you have any questions or comments about this advisory: - Open an issue in [VM2](https://github.com/patriksimek/vm2) Thanks to @arkark (Takeshi Kaneko) of GMO Cybersecurity by Ierae, Inc. for disclosing this vulnerability.
vm2 is a sandbox that can run untrusted code with Node's built-in modules. In versions 3.9.17 and lower of vm2 it was possible to get a read-write reference to the node `inspect` method and edit options for `console.log`. As a result a threat actor can edit options for the `console.log` command. This vulnerability was patched in the release of version `3.9.18` of `vm2`. Users are advised to upgrade. Users unable to upgrade may make the `inspect` method readonly with `vm.readonly(inspect)` after creating a vm.
vm2 is a sandbox that can run untrusted code with Node's built-in modules. A sandbox escape vulnerability exists in vm2 for versions up to and including 3.9.17. It abuses an unexpected creation of a host object based on the specification of `Proxy`. As a result a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version `3.9.18` of `vm2`. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Red Hat Security Advisory 2023-2502-01 - The Dynamic Host Configuration Protocol is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The dhcp packages provide a relay agent and ISC DHCP service required to enable and administer DHCP on a network. Issues addressed include a memory leak vulnerability.
An update for libarchive is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-36227: A flaw was found in libarchive. A missing check of the return value of the calloc function can cause a NULL pointer dereference in an out-of-memory condition or when a memory allocation limit is reached, resulting in the program linked with libarchive to crash.
An update for device-mapper-multipath is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41973: A vulnerability was found in the device-mapper-multipath. The device-mapper-multipath allows local users to obtain root access, in conjunction with CVE-2022-41974. Local users that are able to access /dev/shm can change symlinks in multipathd due to incorrect symlink handling, which may lead to controlled file writes outside of th...
An update for bind is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2795: A flaw was found in bind. When flooding the target resolver with special queries, an attacker can significantly impair the resolver's performance, effectively denying legitimate clients access to the DNS resolution service. * CVE-2022-3094: A flaw was found in Bind, where sending a flood of dynamic DNS updates may cause named to allocate large amount...
An update for dhcp is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2928: An integer overflow vulnerability was found in the DHCP server. When the "option_code_hash_lookup()" function is called from "add_option()", it increases the option's "refcount" field. However, there is not a corresponding call to "option_dereference()" to decrement the "refcount" field. The "add_option()" function is only used in server responses to...
Gentoo Linux Security Advisory 202305-22 - Multiple vulnerabilities have been discovered in ISC DHCP, the worst of which could result in denial of service. Versions less than 4.4.3_p1 are affected.
An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current setup. However, certain FTP settings such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the configuration match checks, causing them to match too easily. This could lead to libcurl using the wrong credentials when performing a transfer, potentially allowing unauthorized access to sensitive information.
Ubuntu Security Notice 5964-1 - Harry Sintonen discovered that curl incorrectly handled certain TELNET connection options. Due to lack of proper input scrubbing, curl could pass on user name and telnet options to the server as provided, contrary to expectations. Harry Sintonen discovered that curl incorrectly handled special tilde characters when used with SFTP paths. A remote attacker could possibly use this issue to circumvent filtering.
Debian Linux Security Advisory 5366-1 - The Qualys Research Labs reported an authorization bypass (CVE-2022-41974) and a symlink attack (CVE-2022-41973) in multipath-tools, a set of tools to drive the Device Mapper multipathing driver, which may result in local privilege escalation.
Red Hat Security Advisory 2023-0402-01 - An update for bind is now available for Red Hat Enterprise Linux 7.
An update for bind is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-25220: bind: DNS forwarders - cache poisoning vulnerability * CVE-2022-2795: bind: processing large delegations may severely degrade resolver performance
Qualys discovered a race condition (CVE-2022-3328) in snap-confine, a SUID-root program installed by default on Ubuntu. In this advisory, they tell the story of this vulnerability (which was introduced in February 2022 by the patch for CVE-2021-44731) and detail how they exploited it in Ubuntu Server (a local privilege escalation, from any user to root) by combining it with two vulnerabilities in multipathd (an authorization bypass and a symlink attack, CVE-2022-41974 and CVE-2022-41973).
The maintainers of the FreeBSD operating system have released updates to remediate a security vulnerability impacting the ping module that could be potentially exploited to crash the program or trigger remote code execution. The issue, assigned the identifier CVE-2022-23093, impacts all supported versions of FreeBSD and concerns a stack-based buffer overflow vulnerability in the ping service.
Ubuntu Security Notice 5658-3 - USN-5658-1 fixed several vulnerabilities in DHCP. This update provides the corresponding update for Ubuntu 14.04 ESM. It was discovered that DHCP incorrectly handled option reference counting. A remote attacker could possibly use this issue to cause DHCP servers to crash, resulting in a denial of service.
In libarchive 3.6.1, the software does not check for an error after calling calloc function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference or, in some cases, even arbitrary code execution.
Ubuntu Security Notice 5731-1 - It was discovered that multipath-tools incorrectly handled symlinks. A local attacker could possibly use this issue, in combination with other issues, to escalate privileges. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 22.10. It was discovered that multipath-tools incorrectly handled access controls. A local attacker could possibly use this issue, in combination with other issues, to escalate privileges.
The Qualys Research Team has discovered authorization bypass and symlink vulnerabilities in multipathd. The authorization bypass was introduced in version 0.7.0 and the symlink vulnerability was introduced in version 0.7.7.
multipath-tools 0.7.7 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited in conjunction with CVE-2022-41974. Local users able to access /dev/shm can change symlinks in multipathd due to incorrect symlink handling, which could lead to controlled file writes outside of the /dev/shm directory. This could be used indirectly for local privilege escalation to root.
In ISC DHCP 1.0 -> 4.4.3, ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16-P1 a system with access to a DHCP server, sending DHCP packets crafted to include fqdn labels longer than 63 bytes, could eventually cause the server to run out of memory.
In ISC DHCP 4.4.0 -> 4.4.3, ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16-P1, when the function option_code_hash_lookup() is called from add_option(), it increases the option's refcount field. However, there is not a corresponding call to option_dereference() to decrement the refcount field. The function add_option() is only used in server responses to lease query packets. Each lease query response calls this function for several options, so eventually, the reference counters could overflow and cause the server to abort.
Ubuntu Security Notice 5658-1 - It was discovered that DHCP incorrectly handled option reference counting. A remote attacker could possibly use this issue to cause DHCP servers to crash, resulting in a denial of service. It was discovered that DHCP incorrectly handled certain memory operations. A remote attacker could possibly use this issue to cause DHCP clients and servers to consume resources, leading to a denial of service.
Ubuntu Security Notice 5626-2 - USN-5626-1 fixed several vulnerabilities in Bind. This update provides the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. Yehuda Afek, Anat Bremler-Barr, and Shani Stajnrod discovered that Bind incorrectly handled large delegations. A remote attacker could possibly use this issue to reduce performance, leading to a denial of service.
Ubuntu Security Notice 5626-1 - Yehuda Afek, Anat Bremler-Barr, and Shani Stajnrod discovered that Bind incorrectly handled large delegations. A remote attacker could possibly use this issue to reduce performance, leading to a denial of service. It was discovered that Bind incorrectly handled statistics requests. A remote attacker could possibly use this issue to obtain sensitive memory contents, or cause a denial of service. This issue only affected Ubuntu 22.04 LTS.