RHSA-2023:3353: Red Hat Security Advisory: Multicluster Engine for Kubernetes 2.0.9 security fixes and container updates

Multicluster Engine for Kubernetes 2.0.9 General Availability release images, which fix security issues and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2023-32313: A flaw was found in the vm2 sandbox. After a vm is created, the inspect method is read-write for console.log, which allows an attacker to edit the options for console.log. This issue impacts integrity by changing the log subsystem.
  • CVE-2023-32314: A flaw was found in the vm2 sandbox. When a host object is created based on the specification of Proxy, an attacker can bypass the sandbox protections. This may allow an attacker to achieve remote code execution on the host running the sandbox. This vulnerability impacts the confidentiality, integrity, and availability of the system.
Red Hat Security Data

Issued:

2023-05-30

Updated:

2023-05-30

RHSA-2023:3353 - Security Advisory


Synopsis

Critical: Multicluster Engine for Kubernetes 2.0.9 security fixes and container updates

Type/Severity

Security Advisory: Critical

Topic

Multicluster Engine for Kubernetes 2.0.9 General Availability release images, which fix security issues and update container images.

Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE links in the References section.

Description

Multicluster Engine for Kubernetes 2.0.9 images

Multicluster engine for Kubernetes provides the foundational components
that are necessary for the centralized management of multiple
Kubernetes-based clusters across data centers, public clouds, and private
clouds.

You can use the engine to create new Red Hat OpenShift Container Platform
clusters or to bring existing Kubernetes-based clusters under management by
importing them. After the clusters are managed, you can use the APIs that
are provided by the engine to distribute configuration based on placement
policy.

Security fix(es):

  • CVE-2023-32314 vm2: Sandbox Escape
  • CVE-2023-32313 vm2: Inspect Manipulation

Affected Products

  • multicluster engine for Kubernetes Text-only Advisories x86_64

Fixes

  • BZ - 2208376 - CVE-2023-32314 vm2: Sandbox Escape
  • BZ - 2208377 - CVE-2023-32313 vm2: Inspect Manipulation

CVEs

  • CVE-2022-2795
  • CVE-2022-2928
  • CVE-2022-2929
  • CVE-2022-36227
  • CVE-2022-41973
  • CVE-2023-27535
  • CVE-2023-32313
  • CVE-2023-32314

aarch64

multicluster-engine/agent-service-rhel8@sha256:2261e2b09a0268e1b3d3d724a19d28143ee79a8e8893eeaa245c2e1532f53c3c

multicluster-engine/apiserver-network-proxy-rhel8@sha256:48f0de02913516092b12c465cda8d28727f74761f959b01095e899d78a572b25

multicluster-engine/assisted-image-service-rhel8@sha256:62fcc5725fa25647bb7374ca5b4908c06a2f0d536dbd2c9857d79901b1962eeb

multicluster-engine/assisted-installer-agent-rhel8@sha256:c537b2fd79ff5677b481a991847e3d35ddf5344dd396a623fa4f5539a534dc6d

multicluster-engine/assisted-installer-reporter-rhel8@sha256:a06437ea0720649cf6dc3c51091784498984e91eb2cb40f3e421b81e5b430e1f

multicluster-engine/assisted-installer-rhel8@sha256:14545b7457624f21e89399946d6076ecd7f273b1f28e4753a3419aac785030b2

multicluster-engine/aws-encryption-provider-rhel8@sha256:a8eedeec3b46539001c366c9708377d987b94b96ae9844915ac1d7cd3fdac324

multicluster-engine/backplane-rhel8-operator@sha256:f43d72e6b78fe1ed5e85c250c274bdf9e7d1c2777b2a4d17831cc5a9b4b72241

multicluster-engine/cluster-api-provider-agent-rhel8@sha256:fd29d4478cc068da976e0b8d84f7fc069a19203bb06478c6cffe1b944da997b1

multicluster-engine/multicluster-engine-cluster-api-provider-agent-rhel8@sha256:fd29d4478cc068da976e0b8d84f7fc069a19203bb06478c6cffe1b944da997b1

multicluster-engine/cluster-api-provider-aws-rhel8@sha256:2c671b1a0c7cd823ee4a5a02829a76844c59bb4478b878bf15b767b08723ec8e

multicluster-engine/cluster-api-provider-azure-rhel8@sha256:f2007f1331b5bb946d1dcdcd1580ba2c8357876e406db8949f977aefd6b94e9c

multicluster-engine/cluster-api-provider-kubevirt-rhel8@sha256:96b096df7a07a5a6a60816a4f16d0e12ea6fcdb10ac6263892c70b14d90e2d4c

multicluster-engine/cluster-api-rhel8@sha256:e8c7d436fc5efe507addf3d6394436d96656f57acb331c88a80d4588fc1c7663

multicluster-engine/cluster-curator-controller-rhel8@sha256:200d6ae3489e8560a72fb058eb17ca20a0f9aa6762784d24b6420558bb5c3dd5

multicluster-engine/clusterclaims-controller-rhel8@sha256:f4ada6be9752314e85a6e5cac9c58462eabf6ce5a2bda9e653edbcaf351cfdfb

multicluster-engine/clusterlifecycle-state-metrics-rhel8@sha256:f039c93a70de032c496700dca31efd46052a5870224dac8adce8ed4e316b7ac9

multicluster-engine/multicluster-engine-console-mce-rhel8@sha256:8509fd51a9f77f22bd9c12f31faf878ebe50866de3a2d65c7c1326328b557b7b

multicluster-engine/console-mce-rhel8@sha256:8509fd51a9f77f22bd9c12f31faf878ebe50866de3a2d65c7c1326328b557b7b

multicluster-engine/discovery-rhel8@sha256:66c99cdd8fbba62f9fc697db26da62bfa2a77cd2d5c7e08ba723fc39b450fb84

multicluster-engine/hive-rhel8@sha256:65fd935c66e42e8804e4e8700e67da91c9eda759d3539ef9ace47e12d8113703

multicluster-engine/multicluster-engine-hypershift-addon-rhel8-operator@sha256:2c994cd5177e188800131808487583c88f62d598eb0704d6c8e3b0833aa40d48

multicluster-engine/hypershift-addon-rhel8-operator@sha256:2c994cd5177e188800131808487583c88f62d598eb0704d6c8e3b0833aa40d48

multicluster-engine/hypershift-deployment-controller-rhel8@sha256:4f88b08241302c02b3d9fcf773df518d00806e559e11f895b384ac3e534caece

multicluster-engine/multicluster-engine-hypershift-deployment-controller-rhel8@sha256:4f88b08241302c02b3d9fcf773df518d00806e559e11f895b384ac3e534caece

multicluster-engine/hypershift-rhel8-operator@sha256:341a8086d502ea4f1706817568472191a0844821eb1c9293a8dd9a5c90e82ba4

multicluster-engine/multicluster-engine-managed-serviceaccount-rhel8@sha256:f6c56bdaaaab11e1cc96cc788f490cc5cbaed305cdcc12fd29ade4e4bc61ec4d

multicluster-engine/managed-serviceaccount-rhel8@sha256:f6c56bdaaaab11e1cc96cc788f490cc5cbaed305cdcc12fd29ade4e4bc61ec4d

multicluster-engine/managedcluster-import-controller-rhel8@sha256:ab6f18d90ecc526fd657bbee0560fe34d0211cf59239056bbedece4f60234469

multicluster-engine/multicloud-manager-rhel8@sha256:54b68103fc74392147401e2a3fbe31b34e68b94119c466194f92616224a7aa21

multicluster-engine/must-gather-rhel8@sha256:a473b7ad9b73a9c4ed1a6249e1b840d8a7a3929663a42618853a9aa57eb51d6e

multicluster-engine/placement-rhel8@sha256:9036eb8f9bbcabb9127209e76857587ae00b1bd4abb279f8085f4ddb7fdb670f

multicluster-engine/provider-credential-controller-rhel8@sha256:14ddd3ed3d97510465834c5d387db929feee45f30f92a14f5988a5e1963f4db1

multicluster-engine/registration-operator-rhel8@sha256:0785de4c1f1422db8f2b22069ceaba204648dd8841e6e5407eef637ee9f1f101

multicluster-engine/registration-rhel8@sha256:0997ee6fece67968c91bba29c7dd88103cb75be35a593b5bca8af15231d8c641

multicluster-engine/work-rhel8@sha256:5eef116355fbfbc673b01543b7ba93ce51e5d7d71a64c112e7c440b7158f7139

ppc64le

multicluster-engine/agent-service-rhel8@sha256:4869e1fdf190ded10ef17c5ccb3b23e9375ed1244b3a48b33973c995e32ed99f

multicluster-engine/apiserver-network-proxy-rhel8@sha256:107788f4cd27d06024bf435313120ad20981f355fa11248422e6b1f28745211f

multicluster-engine/assisted-image-service-rhel8@sha256:3ec237de23aae0bad9f31a4c5e2621894f49ca3e7b2fa39df77967de4a717f7b

multicluster-engine/assisted-installer-reporter-rhel8@sha256:268062607d1e65e35fc95d3a27bb2575529dcca2d76a315dc562caaffede7eb0

multicluster-engine/assisted-installer-rhel8@sha256:c4bdeebc5e84338418be4556fb6c03972ce897484b07693a294a955bb83366b3

multicluster-engine/aws-encryption-provider-rhel8@sha256:2c39fc81402298d6ef1677970de3c3c44cf854104e0abf10d77c94e5a2261bbf

multicluster-engine/backplane-rhel8-operator@sha256:ae2b7eb41d40f1da1e9dbe2e6b048a51d9fdc12a7a855ae107018edede1b2841

multicluster-engine/cluster-api-provider-agent-rhel8@sha256:800b8bbe275b1b3cf7b7e437db0966b7b442a2bd00cba9f52700c7dd93974816

multicluster-engine/multicluster-engine-cluster-api-provider-agent-rhel8@sha256:800b8bbe275b1b3cf7b7e437db0966b7b442a2bd00cba9f52700c7dd93974816

multicluster-engine/cluster-api-provider-aws-rhel8@sha256:511b15228a3f185364d6a5b7bf2754f12ab1d64a3606b66409e923d992180a39

multicluster-engine/cluster-api-provider-azure-rhel8@sha256:c68df5edea5336baa36d8a5da7a984ba022aaec325f88106c2ad091cdf2e778a

multicluster-engine/cluster-api-provider-kubevirt-rhel8@sha256:da116ea9cd01b75639112f1bbc6f2dd14f6a86e5e1b13a74761d198b0c8f9601

multicluster-engine/cluster-api-rhel8@sha256:6ab5eb72040053b3ed1ac22ad0b571f914468d324f48518a995a908685c84009

multicluster-engine/cluster-curator-controller-rhel8@sha256:448dfa626168fd2131533f646d236ee300ba8686cb071c08fa600ff99dd9fefd

multicluster-engine/clusterclaims-controller-rhel8@sha256:d2880c6928f9ca7e973215bdb59a8f1cb2a8aa9b1328f3dedfd196571070ca9b

multicluster-engine/clusterlifecycle-state-metrics-rhel8@sha256:ea62621af6a433d479d1d7ee6afec8e698137530b78e6cac38876f600a19544b

multicluster-engine/multicluster-engine-console-mce-rhel8@sha256:d455377cdb0adcc45f3ba62e1d890f6dec4bb9aae609397d93003efbf0d9c918

multicluster-engine/console-mce-rhel8@sha256:d455377cdb0adcc45f3ba62e1d890f6dec4bb9aae609397d93003efbf0d9c918

multicluster-engine/discovery-rhel8@sha256:3e40cfe0a355afcd75d6bb29e5ae29fc7c429ff62cdfbaa81b8e1fe5d4f53d7d

multicluster-engine/hive-rhel8@sha256:eb977a2dc747e00ef7bb783a32634c66da9fdc2e5ad66b4883fbb523b2a10d50

multicluster-engine/multicluster-engine-hypershift-addon-rhel8-operator@sha256:4f5de3ffb168b08a0aa2cd65db4e001ed91e3b7ffee902bb634240f384568bf2

multicluster-engine/hypershift-addon-rhel8-operator@sha256:4f5de3ffb168b08a0aa2cd65db4e001ed91e3b7ffee902bb634240f384568bf2

multicluster-engine/hypershift-deployment-controller-rhel8@sha256:eab152eb08bb1d551989aa4ee2af8466a99518d35404c655487350feb2a9cc1a

multicluster-engine/multicluster-engine-hypershift-deployment-controller-rhel8@sha256:eab152eb08bb1d551989aa4ee2af8466a99518d35404c655487350feb2a9cc1a

multicluster-engine/hypershift-rhel8-operator@sha256:df5aa088d777554625b053733f60932695feb42cff9d2f73c059321a0a15dbea

multicluster-engine/multicluster-engine-managed-serviceaccount-rhel8@sha256:c6dee29e81d00383d63ec400ed905392b68f6b4f97e586cccbceadb20e1a6275

multicluster-engine/managed-serviceaccount-rhel8@sha256:c6dee29e81d00383d63ec400ed905392b68f6b4f97e586cccbceadb20e1a6275

multicluster-engine/managedcluster-import-controller-rhel8@sha256:5d4f9ee145f7a0f9c1971ab973c8e88ac893634d69741bc3a0c4595708760146

multicluster-engine/mce-operator-bundle@sha256:1e2b763fe6cb9321342fe3e0c1027a4353e746bfcece4b8f30cafe2cc209cbd3

multicluster-engine/multicloud-manager-rhel8@sha256:9abc3c64661ee1bd1af6600ca5e724ae9b0f8b2677ddd3edef9ac052b2541e73

multicluster-engine/must-gather-rhel8@sha256:d52570d7d90f8803ee9719bd90b56dbab61ea28d56e2b0034a2f5300eca99084

multicluster-engine/placement-rhel8@sha256:8c69cb0618b8d004214568923713abed56bed4019583cfe4a8af8407cda81d69

multicluster-engine/provider-credential-controller-rhel8@sha256:e55c635c45477301c952905721f02475c1c3a48b8c9b800ef4f4115f78199d9d

multicluster-engine/registration-operator-rhel8@sha256:98bac92d71c2f2fed9e98cf5a35ebac27ac165b357bdef3046924d24a9f19d8e

multicluster-engine/registration-rhel8@sha256:0496bfe34c5f3b5de165ff123dae2a60fa5f84d35af062df4eeeeca300746c29

multicluster-engine/work-rhel8@sha256:ebccb0a5ab1c0fc3153cd2249a07ff25faefdc8dc2ca20be992cd742ae636e4d

s390x

multicluster-engine/agent-service-rhel8@sha256:a3cb7366d847c3d7aefe52fc71021edf8e0f7eb930b322533812a2c4ac259006

multicluster-engine/apiserver-network-proxy-rhel8@sha256:cf1c0daf3a4ef32d2092d1ef0c1293404f026021f95af440c3b5c767e21d25a3

multicluster-engine/assisted-image-service-rhel8@sha256:bcd067a43bad5fee6eef49cf0717be95f875021fa1aff98ac5957e15e6159a02

multicluster-engine/aws-encryption-provider-rhel8@sha256:07ad9b5e43e2dd90755d9e41068b50fbc2159313cd229e51c3494c76d90b7cd3

multicluster-engine/backplane-rhel8-operator@sha256:eeaf91f260a21113a0289f62e5c20da6c069896ed1f06f5a6a631b4437880c47

multicluster-engine/cluster-api-provider-agent-rhel8@sha256:344806a130660942441e1e309f81b6475eeb897d7dd5e4eff783109c9b61a29f

multicluster-engine/multicluster-engine-cluster-api-provider-agent-rhel8@sha256:344806a130660942441e1e309f81b6475eeb897d7dd5e4eff783109c9b61a29f

multicluster-engine/cluster-api-provider-aws-rhel8@sha256:f0f0d050b27ec861a36b4f2c2885a6d5347b73e244c3b85309e4fa5732922b64

multicluster-engine/cluster-api-provider-azure-rhel8@sha256:7994cef63c713739bcb8b32377f4aee805bd44d0d8ff4c7131a66e8b3ead8a4b

multicluster-engine/cluster-api-provider-kubevirt-rhel8@sha256:97aa06d48c4f5b74ac1b79d6b0ede53d2b7c23b43cde40d2bc89730ae462048a

multicluster-engine/cluster-api-rhel8@sha256:12a6d0dd6d8d5aba3efffff25cf859363e1dbf6b5c3e72787cd60eacf7355fec

multicluster-engine/cluster-curator-controller-rhel8@sha256:a7f341df16af4191acb081522e21bf15ef081d0e440ca84b400ea027196cc024

multicluster-engine/clusterclaims-controller-rhel8@sha256:13a90afcd193c84b67d2432946a9c74df45c3016756a3ad3d051fa01783b0e0d

multicluster-engine/clusterlifecycle-state-metrics-rhel8@sha256:84a1c9a3fbc70d401c6d0574e3b4058520e826515de4a9d1226a151139839d59

multicluster-engine/multicluster-engine-console-mce-rhel8@sha256:e220d630bf87607ae98a1543c9579db092eff39901949c21d587d1254590ccf7

multicluster-engine/console-mce-rhel8@sha256:e220d630bf87607ae98a1543c9579db092eff39901949c21d587d1254590ccf7

multicluster-engine/discovery-rhel8@sha256:1a36981a2d5ea638d92adc0b53b17f50c5653fa37dc66422ada0f994eef8b709

multicluster-engine/hive-rhel8@sha256:1c45f0cbde2d40eb469a807779b4513ac0abe63a268d00062d2d33dbfe3b04e1

multicluster-engine/multicluster-engine-hypershift-addon-rhel8-operator@sha256:d907d09b8a87763a583f54df1761f8a41b108daf45402afb05410ecea19d5385

multicluster-engine/hypershift-addon-rhel8-operator@sha256:d907d09b8a87763a583f54df1761f8a41b108daf45402afb05410ecea19d5385

multicluster-engine/hypershift-deployment-controller-rhel8@sha256:5a167128bbc94535effe999a5f36960a8997cb744cd9953017e1cb4d236a3b58

multicluster-engine/multicluster-engine-hypershift-deployment-controller-rhel8@sha256:5a167128bbc94535effe999a5f36960a8997cb744cd9953017e1cb4d236a3b58

multicluster-engine/hypershift-rhel8-operator@sha256:a11ba94a04f8fb65c02f2853e20c8594ddecd632b32211003bd50773c873d85c

multicluster-engine/multicluster-engine-managed-serviceaccount-rhel8@sha256:c4ce2348220e72d9dbd8b2f9d291510198b842e2639e6cf1661be17118a28350

multicluster-engine/managed-serviceaccount-rhel8@sha256:c4ce2348220e72d9dbd8b2f9d291510198b842e2639e6cf1661be17118a28350

multicluster-engine/managedcluster-import-controller-rhel8@sha256:99399b03783adf7252fb8dfab83b6ac66b95fb67abc0589c1dd417440d97be53

multicluster-engine/mce-operator-bundle@sha256:a8dbc4d5a97240b83f46cb853d98392bba85d997ea8962820163c5451ec8cb6d

multicluster-engine/multicloud-manager-rhel8@sha256:f0ce5107e29395864251989f1960ba562856916cfa82505d141309d56c07c900

multicluster-engine/must-gather-rhel8@sha256:8b9a7d2b6485abc40a3e8c62be3f95b1865b0989666ed096ca9c176bb45ae284

multicluster-engine/placement-rhel8@sha256:85f3789177e298f03b8f42cbe7630cc91c3e241820941f3b257689ecf19436a4

multicluster-engine/provider-credential-controller-rhel8@sha256:7f64e83c5a01da6bd379359b9d544c87fc9def414071611cf54ffdde7638aa87

multicluster-engine/registration-operator-rhel8@sha256:d518af604f29a6ed6b6766f2672cc3163c473b7b09e8e12ecd882e3adaace19a

multicluster-engine/registration-rhel8@sha256:1c7a9d8a890a1afc2137868e1283381c9946cf3048a4f134ecc6fa1760348230

multicluster-engine/work-rhel8@sha256:056c157949cb8e1ab3edc67a9f3a407f15cba76fee4c978c066217589e5abfed

x86_64

multicluster-engine/agent-service-rhel8@sha256:05b1610b89d996bd522b1f8d104e47bfb0aa8e4c491fba6d0d5a4ee0d8496162

multicluster-engine/apiserver-network-proxy-rhel8@sha256:a5bd11d18c51f2905e25a4bfaace6b2f3e79775baf88337df6980541e02fa8a5

multicluster-engine/assisted-image-service-rhel8@sha256:e37ad31c6844585a538240120c1ebbec2c904a4e30f3cefc3b108c2600ef2082

multicluster-engine/assisted-installer-agent-rhel8@sha256:e1381a1e94c27613598fba7b3fe13d84f136304f904df10f9ee823bb2e7029e1

multicluster-engine/assisted-installer-reporter-rhel8@sha256:3d6ef5a15a32b46107276459767efa3c23a9385ae2728a59c3008e04daaf3cb7

multicluster-engine/assisted-installer-rhel8@sha256:aa35f12f8b70bf053efe18b5b51cb6d7581be389777fe92303e616dff9bb02e4

multicluster-engine/aws-encryption-provider-rhel8@sha256:20065731f0961169ebdad7e26a8663e363828ba99adf01b3f0cb9967218d186b

multicluster-engine/backplane-rhel8-operator@sha256:64907ce362514f233076d2c92ee289cef2257ee0edb5aa05a4199d8eaaf6a71b

multicluster-engine/cluster-api-provider-agent-rhel8@sha256:4257ca357326c235ad2db81dcc48025da0c7be6d85e3e2c335c5263daae89129

multicluster-engine/multicluster-engine-cluster-api-provider-agent-rhel8@sha256:4257ca357326c235ad2db81dcc48025da0c7be6d85e3e2c335c5263daae89129

multicluster-engine/cluster-api-provider-aws-rhel8@sha256:6a715fb969dc6a41ab064a6c1135c081537939f41e22358d03719f4abc196577

multicluster-engine/cluster-api-provider-azure-rhel8@sha256:23ee7c38e836616856309d6aa49146ac8d63f7d84006ac888f3eb191097c6e7a

multicluster-engine/cluster-api-provider-kubevirt-rhel8@sha256:13c17d3f963eb2d78df6dc19055c3b7742ba2d91122c660b38ec75750969e311

multicluster-engine/cluster-api-rhel8@sha256:1cea29eac7ad807b0cada9ec956c03ca9363ee35c2c140cc58ac2d029fd67cab

multicluster-engine/cluster-curator-controller-rhel8@sha256:7078b3c5900975daad2c247d03e0a68ac3905098d7eda184b876be0ea0d6782d

multicluster-engine/clusterclaims-controller-rhel8@sha256:de5f2fa20d64a678b28237a044efdbf33d735c6978ec5fe34a5f26b781a08ce6

multicluster-engine/clusterlifecycle-state-metrics-rhel8@sha256:a5a38021486873feb197566bb849a518c3746445e08f0ef9a4b8e41d7c06ab1b

multicluster-engine/multicluster-engine-console-mce-rhel8@sha256:74b8b724981a710bd89572845d496e8a57e7f3bca22b117f77d859d1135b6bb1

multicluster-engine/console-mce-rhel8@sha256:74b8b724981a710bd89572845d496e8a57e7f3bca22b117f77d859d1135b6bb1

multicluster-engine/discovery-rhel8@sha256:aebca12cf21ed0d687d0f41d0151b368a68712ff03e7c7ab298e11f6f383e998

multicluster-engine/hive-rhel8@sha256:fd69351efb60ec6df30f5051ed1de021af460bf680cfc4100a2c6ea7721d2be5

multicluster-engine/multicluster-engine-hypershift-addon-rhel8-operator@sha256:e47dbe7c9a9822918165742b29c920ff17e8c5903425cf0cd79ae62835b3171a

multicluster-engine/hypershift-addon-rhel8-operator@sha256:e47dbe7c9a9822918165742b29c920ff17e8c5903425cf0cd79ae62835b3171a

multicluster-engine/hypershift-deployment-controller-rhel8@sha256:4fbfd4355be408e18268b928bcc81d9b6b5f4a1cc396449f445171f7e070edbc

multicluster-engine/multicluster-engine-hypershift-deployment-controller-rhel8@sha256:4fbfd4355be408e18268b928bcc81d9b6b5f4a1cc396449f445171f7e070edbc

multicluster-engine/hypershift-rhel8-operator@sha256:2463af39bf56e9041d02a1865734daa18659261a54293bfb3730b96e8042cb9a

multicluster-engine/klusterlet-operator-bundle@sha256:ffd98f69aae4f482aa9585c895ad70b8ce389bbdd68a94ad36862bd05c7c2fd7

multicluster-engine/multicluster-engine-managed-serviceaccount-rhel8@sha256:812142dae2d3a3d3327eff771e0fc3670741bcc2a9b2ac1059c29802b44e56c0

multicluster-engine/managed-serviceaccount-rhel8@sha256:812142dae2d3a3d3327eff771e0fc3670741bcc2a9b2ac1059c29802b44e56c0

multicluster-engine/managedcluster-import-controller-rhel8@sha256:8ca79a7021daa13d49cbce4acdd49bcd3ca52f4e85adfb2d0ac69faf1a8f4e4a

multicluster-engine/mce-operator-bundle@sha256:3577e1e31696904bc053f5eb4f8b392660e3f36b5cc8e4e9cec51ca71d25325c

multicluster-engine/multicloud-manager-rhel8@sha256:c983c991113c3907af876b0668f27abeec3abdcecd8a8134346c1bb6d122c37f

multicluster-engine/must-gather-rhel8@sha256:85ed67baef9f4d97a2f1124aada10ff5bdfd145fa7e7fee247e037ad4fd43074

multicluster-engine/placement-rhel8@sha256:655a79260f79afd7cc2dae850ab27c437d00758c594fb0c216dea711e0b5115c

multicluster-engine/provider-credential-controller-rhel8@sha256:c2dc502a1676ce862a0bc552c474998bdec6cd1aa152148f50a7577a77164aa2

multicluster-engine/registration-operator-rhel8@sha256:7633dfa29e9e6f2be2ec034942f1fd1682ab72cc986d8f82560a58c6ea87c3f8

multicluster-engine/registration-rhel8@sha256:4fbe8fb1cdf95d56b1af5606f3194571a7da750c034af8771bc0078bb40f16c2

multicluster-engine/work-rhel8@sha256:f276d84d70f6d192df406609a6bcde1bb824853e6300863c8bad3498259d9ea6
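The digest lists above are what a cluster operator actually uses to confirm that the fixed images are the ones running. The following Python script is an added example and is not Red Hat tooling: it parses advisory lines of the form `repository@sha256:<hex>` (a two-line excerpt of the x86_64 list is embedded as constructed input; a real check would load all four architecture sections) and classifies running image references against them. The sample running references, the registry host `registry.redhat.io` prefix, and the function names `parse_advisory`, `strip_registry`, `classify` and `audit` are this example's own assumptions. It goes slightly beyond the page by also flagging tag-based references, which cannot be matched to any advisory digest at all.

```python
import re

# Excerpt of the advisory's pinned image references (x86_64 section above),
# copied verbatim. A real audit would paste in all four architecture lists.
ADVISORY_IMAGES_X86_64 = """
multicluster-engine/agent-service-rhel8@sha256:05b1610b89d996bd522b1f8d104e47bfb0aa8e4c491fba6d0d5a4ee0d8496162
multicluster-engine/work-rhel8@sha256:f276d84d70f6d192df406609a6bcde1bb824853e6300863c8bad3498259d9ea6
"""

# Constructed sample of what a cluster reports for running containers
# (e.g. the imageID field of pod status). Not taken from any real cluster.
RUNNING_IMAGES = [
    "registry.redhat.io/multicluster-engine/agent-service-rhel8@sha256:05b1610b89d996bd522b1f8d104e47bfb0aa8e4c491fba6d0d5a4ee0d8496162",
    "registry.redhat.io/multicluster-engine/work-rhel8@sha256:" + "0" * 64,
    "registry.redhat.io/multicluster-engine/work-rhel8:latest",
]

# One advisory line: repository path, '@', then a full sha256 digest.
DIGEST_RE = re.compile(r"^(?P<repo>[^@:\s]+)@(?P<digest>sha256:[0-9a-f]{64})$")


def parse_advisory(text):
    """Return {repository: set(digests)} from advisory lines of the form repo@sha256:hex.

    Raises ValueError on any non-empty line that is not a well-formed digest
    reference, so a copy-paste error cannot silently shrink the allow list.
    """
    fixed = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DIGEST_RE.match(line)
        if m is None:
            raise ValueError(f"unexpected advisory line: {line!r}")
        fixed.setdefault(m["repo"], set()).add(m["digest"])
    return fixed


def strip_registry(ref):
    """Drop a leading registry host (contains '.' or ':' or is 'localhost').

    'registry.redhat.io/ns/name@sha256:..' becomes 'ns/name@sha256:..', which is
    the form the advisory uses; references without a host are returned unchanged.
    """
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return rest
    return ref


def classify(ref, fixed):
    """Classify one running image reference against the advisory digest list.

    Returns (status, repository) where status is one of:
      fixed        digest is one the advisory ships
      not-fixed    digest-pinned, repository is covered, but digest is not listed
      unpinned     tag reference; content cannot be verified against any digest
      not-covered  repository is not part of this advisory
    """
    name = strip_registry(ref)
    if "@sha256:" not in name:
        repo = name.split(":", 1)[0]
        return ("unpinned", repo)
    repo, digest = name.split("@", 1)
    if repo not in fixed:
        return ("not-covered", repo)
    if digest in fixed[repo]:
        return ("fixed", repo)
    return ("not-fixed", repo)


def audit(refs, fixed):
    """Count running references per status; anything other than 'fixed' needs a look."""
    counts = {"fixed": 0, "not-fixed": 0, "unpinned": 0, "not-covered": 0}
    for ref in refs:
        status, _ = classify(ref, fixed)
        counts[status] += 1
    return counts


if __name__ == "__main__":
    fixed = parse_advisory(ADVISORY_IMAGES_X86_64)
    for ref in RUNNING_IMAGES:
        status, repo = classify(ref, fixed)
        print(f"{status:12} {repo}")
    print(audit(RUNNING_IMAGES, fixed))
```

In practice the `RUNNING_IMAGES` list would be filled from the cluster (for example, the `imageID` values in pod status), and the advisory text from all four architecture sections of this page. A `not-fixed` result is the signal that a pod still runs a pre-update image; `unpinned` means the reference carries a tag rather than a digest and so offers no evidence either way.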

The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.

Related news

Gentoo Linux Security Advisory 202309-14

Gentoo Linux Security Advisory 202309-14 - Multiple vulnerabilities have been found in libarchive, the worst of which could result in denial of service. Versions greater than or equal to 3.7.1 are affected.

Red Hat Security Advisory 2023-4657-01

Red Hat Security Advisory 2023-4657-01 - Secondary Scheduler Operator for Red Hat OpenShift 1.1.2. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-4576-01

Red Hat Security Advisory 2023-4576-01 - VolSync is a Kubernetes operator that enables asynchronous replication of persistent volumes within a cluster, or across clusters.

RHSA-2023:4488: Red Hat Security Advisory: Red Hat OpenShift support for Windows Containers 6.0.1[security update]

The components for Red Hat OpenShift support for Windows Containers 6.0.1 are now available. This product release includes bug fixes and security update for the following packages: windows-machine-config-operator and windows-machine-config-operator-bundle. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-27191: A broken cryptographic algorithm flaw was found in golang.org/x/crypto/ssh. This issue causes a client to fail authentication with RSA keys to servers that reject...

RHSA-2023:4475: Red Hat Security Advisory: Gatekeeper Operator v0.2 security fixes and enhancements

Gatekeeper Operator v0.2 security fixes and enhancements Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-3089: A compliance problem was found in the Red Hat OpenShift Container Platform. Red Hat discovered that, when FIPS mode was enabled, not all of the cryptographic modules in use were FIPS-validated.

RHSA-2023:4290: Red Hat Security Advisory: OpenShift sandboxed containers 1.4.1 security update

OpenShift sandboxed containers 1.4.1 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-3089: A compliance problem was found in the Red Hat OpenShift Container Platform. Red Hat discovered that, when FIPS mode was enabled, not all of the cryptographic modules in use were FIPS-validated.

RHSA-2023:4238: Red Hat Security Advisory: Red Hat OpenShift Data Foundation 4.11.9 security and bug fix update

Updated images that fix several bugs are now available for Red Hat OpenShift Data Foundation 4.11.9 on Red Hat Enterprise Linux 8 from Red Hat Container Registry. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-3089: A compliance problem was found in the Red Hat OpenShift Container Platform. Red Hat discovered that, when FIPS mode was enabled, not all of the cryptographic modules in use were FIPS-validated.

RHSA-2023:4025: Red Hat Security Advisory: Red Hat OpenShift support for Windows Containers 7.1.0 [security update]

The components for Red Hat OpenShift support for Windows Containers 7.1.0 are now available. This product release includes bug fixes and security updates for the following packages: windows-machine-config-operator and windows-machine-config-operator-bundle. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-25173: A flaw was found in containerd, where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates...

RHSA-2023:3918: Red Hat Security Advisory: OpenShift API for Data Protection (OADP) 1.1.5 security and bug fix update

OpenShift API for Data Protection (OADP) 1.1.5 is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. * CVE-2023-24534: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused by memory exhaustion in the common function in H...

Red Hat Security Advisory 2023-3813-01

Red Hat Security Advisory 2023-3813-01 - An update for mtr-operator-bundle-container, mtr-operator-container, mtr-web-container, and mtr-web-executor-container is now available for Migration Toolkit for Runtimes 1 on RHEL 8.

Red Hat Security Advisory 2023-3742-02

Red Hat Security Advisory 2023-3742-02 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. Issues addressed include bypass, denial of service, and remote SQL injection vulnerabilities.

RHSA-2023:3742: Red Hat Security Advisory: Red Hat OpenShift Data Foundation 4.13.0 security and bug fix update

Updated images that include numerous enhancements, security, and bug fixes are now available in Red Hat Container Registry for Red Hat OpenShift Data Foundation 4.13.0 on Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-16250: A flaw was found in Vault and Vault Enterprise (“Vault”). In the affected versions of Vault, with the AWS Auth Method configured and under certain circumstances, the values relied upon by Vault to validate AWS IAM ident...

Red Hat Security Advisory 2023-3664-01

Red Hat Security Advisory 2023-3664-01 - Release of Security Advisory for the OpenShift Jenkins image and Jenkins agent base image.

Red Hat Security Advisory 2023-3644-01

Red Hat Security Advisory 2023-3644-01 - Red Hat OpenShift Service Mesh is the Red Hat distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. This advisory covers container images for the release.

Red Hat Security Advisory 2023-3645-01

Red Hat Security Advisory 2023-3645-01 - Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an OpenShift Container Platform installation. This advisory covers the RPM packages for the release. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-3624-01

Red Hat Security Advisory 2023-3624-01 - The Migration Toolkit for Containers enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-3609-01

Red Hat Security Advisory 2023-3609-01 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Data Foundation. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform.

RHSA-2023:3644: Red Hat Security Advisory: Red Hat OpenShift Service Mesh Containers for 2.4.0

Red Hat OpenShift Service Mesh Containers for 2.4.0 Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-24540: A flaw was found in golang, where not all valid JavaScript white-space characters were considered white space. Due to this issue, templates containing white-space characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.

RHSA-2023:3624: Red Hat Security Advisory: Migration Toolkit for Containers (MTC) 1.7.10 security and bug fix update

The Migration Toolkit for Containers (MTC) 1.7.10 is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2023-24534: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused by memory exhaustion in the common function in HTTP and MIME header parsing. By sending a specially crafted request, a remote attacker can cause a denial of service.
  • CVE-2023-24536: A flaw was found in Golang Go, where it is vulnerable to a denial of service cause...

RHSA-2023:3609: Red Hat Security Advisory: Red Hat OpenShift Data Foundation 4.12.4 security and Bug Fix update

Updated images that fix several bugs are now available for Red Hat OpenShift Data Foundation 4.12.4 on Red Hat Enterprise Linux 8 from Red Hat Container Registry. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-3172: A security issue was discovered in kube-apiserver that allows an aggregated API server to redirect client traffic to any URL. This issue leads to the client performing unexpected actions and forwarding the client's API server credentials to third parties.

Red Hat Security Advisory 2023-3495-01

Red Hat Security Advisory 2023-3495-01 - Logging Subsystem 5.7.2 - Red Hat OpenShift. Issues addressed include cross site scripting and denial of service vulnerabilities.

RHSA-2023:3495: Red Hat Security Advisory: Logging Subsystem 5.7.2 - Red Hat OpenShift security update

Logging Subsystem 5.7.2 - Red Hat OpenShift. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
  • CVE-2023-27539: A denial of service vulnerability was found in rubygem-rack in how it parses headers. A carefully crafted input can cause header parsing to take an unexpe...

RHSA-2023:3455: Red Hat Security Advisory: Release of OpenShift Serverless 1.29.0

OpenShift Serverless version 1.29.0 contains a moderate security impact. The References section contains CVE links providing detailed severity ratings for each vulnerability. Ratings are based on a Common Vulnerability Scoring System (CVSS) base score. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
  • CVE-2022-41724: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused when processing large TLS handshake records. By sending specially-crafted TLS handshake records, a remote, authenticated attacker ...

Red Hat Security Advisory 2023-3379-01

Red Hat Security Advisory 2023-3379-01 - Updated images are now available for Red Hat Advanced Cluster Security for Kubernetes (RHACS). The updated image includes security fixes. This release of RHACS includes a fix for CVE-2023-24540 by building RHACS with updated Golang.

Red Hat Security Advisory 2023-3356-01

Red Hat Security Advisory 2023-3356-01 - Red Hat Advanced Cluster Management for Kubernetes 2.5.9 images. Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs.

RHSA-2023:3435: Red Hat Security Advisory: Red Hat Advanced Cluster Security 3.74 for Kubernetes security update

An update is now available for Red Hat Advanced Cluster Security for Kubernetes (RHACS). Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2023-24539: A flaw was found in golang where angle brackets (<>) were not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character could result in unexpectedly closing the CSS context and allowing for the injection of unexpected HTML if executed with untrusted inpu...

CVE-2023-28043: DSA-2023-164: Dell Secure Connect Gateway Security Update for Multiple Vulnerabilities

Dell SCG 5.14 contains an information disclosure vulnerability during the SRS to SCG upgrade path. A remote low privileged malicious user could potentially exploit this vulnerability to retrieve the plain text.

RHSA-2023:3373: Red Hat Security Advisory: Migration Toolkit for Runtimes security update

An update for mtr-operator-bundle-container, mtr-operator-container, mtr-web-container, and mtr-web-executor-container is now available for Migration Toolkit for Runtimes 1 on RHEL 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2021-46877: A flaw was found in Jackson Databind. This issue may allow a malicious user to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.
  • CVE-2022-41854: Those using Sn...

RHSA-2023:3379: Red Hat Security Advisory: Red Hat Advanced Cluster Security for Kubernetes 3.73 security update

Updated images are now available for Red Hat Advanced Cluster Security for Kubernetes (RHACS). The updated image includes security fixes. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2023-24540: A flaw was found in golang, where not all valid JavaScript white-space characters were considered white space. Due to this issue, templates containing white-space characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions...

Red Hat Security Advisory 2023-3326-01

Red Hat Security Advisory 2023-3326-01 - Red Hat Advanced Cluster Management for Kubernetes 2.6.6 images. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs.

Red Hat Security Advisory 2023-3325-01

Red Hat Security Advisory 2023-3325-01 - Multicluster Engine for Kubernetes 2.1.7 images. Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy.

RHSA-2023:3325: Red Hat Security Advisory: Multicluster Engine for Kubernetes 2.1.7 security fixes and container updates

Multicluster Engine for Kubernetes 2.1.7 General Availability release images, which address security issues and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2023-32313: A flaw was found in the vm2. After making a vm, the inspect method is read-write for console.log, which allows an attacker to edit options for console.log. This issue impacts the integrity by changing the log subsystem.
  • CVE-2023-32314: A flaw was found in the vm2 sandbox. When a ho...

Red Hat Security Advisory 2023-3296-01

Red Hat Security Advisory 2023-3296-01 - Multicluster Engine for Kubernetes 2.2.4 images. Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy.

Red Hat Security Advisory 2023-3297-01

Red Hat Security Advisory 2023-3297-01 - Red Hat Advanced Cluster Management for Kubernetes 2.7.4 images. Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs.

RHSA-2023:3297: Red Hat Security Advisory: Red Hat Advanced Cluster Management 2.7.4 security fixes and container updates

Red Hat Advanced Cluster Management for Kubernetes 2.7.4 General Availability release images, which fix security issues and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2023-32313: A flaw was found in the vm2. After making a vm, the inspect method is read-write for console.log, which allows an attacker to edit options for console.log. This issue impacts the integrity by changing the log subsystem.
  • CVE-2023-32314: A flaw was found in the vm2 sandbo...

RHSA-2023:3296: Red Hat Security Advisory: Multicluster Engine for Kubernetes 2.2.4 security fixes and container updates

Multicluster Engine for Kubernetes 2.2.4 General Availability release images, which fix security issues and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2023-32313: A flaw was found in the vm2. After making a vm, the inspect method is read-write for console.log, which allows an attacker to edit options for console.log. This issue impacts the integrity by changing the log subsystem.
  • CVE-2023-32314: A flaw was found in the vm2 sandbox. When a host ...

CVE-2023-23694: DSA-2023-071: Dell VxRail Security Update for Multiple Third-Party Component Vulnerabilities – 7.0.450

Dell VxRail versions earlier than 7.0.450, contain(s) an OS command injection vulnerability in VxRail Manager. A local authenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker.

GHSA-p5gc-c584-jj6v: vm2 vulnerable to Inspect Manipulation

In versions 3.9.17 and lower of vm2 it was possible to get a read-write reference to the node `inspect` method and edit options for `console.log`.

### Impact

A threat actor can edit options for `console.log`.

### Patches

This vulnerability was patched in the release of version `3.9.18` of `vm2`.

### Workarounds

After creating a vm make the `inspect` method readonly with `vm.readonly(inspect)`.

### References

PoC - https://gist.github.com/arkark/c1c57eaf3e0a649af1a70c2b93b17550

### For more information

If you have any questions or comments about this advisory:

- Open an issue in [VM2](https://github.com/patriksimek/vm2)

Thanks to @arkark (Takeshi Kaneko) of GMO Cybersecurity by Ierae, Inc. for disclosing this vulnerability.

Red Hat Security Advisory 2023-2948-01

Red Hat Security Advisory 2023-2948-01 - The device-mapper-multipath packages provide tools that use the device-mapper multipath kernel module to manage multipath devices. Issues addressed include an insecure handling vulnerability.

RHSA-2023:3018: Red Hat Security Advisory: libarchive security update

An update for libarchive is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-36227: A flaw was found in libarchive. A missing check of the return value of the calloc function can cause a NULL pointer dereference in an out-of-memory condition or when a memory allocation limit is reached, resulting in the program linked with libarchive to crash.

RHSA-2023:3000: Red Hat Security Advisory: dhcp security and bug fix update

An update for dhcp is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2928: An integer overflow vulnerability was found in the DHCP server. When the "option_code_hash_lookup()" function is called from "add_option()", it increases the option's "refcount" field. However, there is not a corresponding call to "option_dereference()" to decrement the "refcount" field. The "add_option()" function is only used in server responses to...

RHSA-2023:2948: Red Hat Security Advisory: device-mapper-multipath security and bug fix update

An update for device-mapper-multipath is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41973: A vulnerability was found in the device-mapper-multipath. The device-mapper-multipath allows local users to obtain root access, in conjunction with CVE-2022-41974. Local users that are able to access /dev/shm can change symlinks in multipathd due to incorrect symlink handling, which may lead to controlled file writes outside of th...

RHSA-2023:2792: Red Hat Security Advisory: bind9.16 security and bug fix update

An update for bind9.16 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2795: A flaw was found in bind. When flooding the target resolver with special queries, an attacker can significantly impair the resolver's performance, effectively denying legitimate clients access to the DNS resolution service. * CVE-2022-3094: A flaw was found in Bind, where sending a flood of dynamic DNS updates may cause named to allocate large am...

GHSA-whpj-8f3w-67p5: vm2 Sandbox Escape vulnerability

A sandbox escape vulnerability exists in vm2 for versions up to 3.9.17. It abuses an unexpected creation of a host object based on the specification of `Proxy`.

### Impact

A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.

### Patches

This vulnerability was patched in the release of version `3.9.18` of `vm2`.

### Workarounds

None.

### References

PoC - https://gist.github.com/arkark/e9f5cf5782dec8321095be3e52acf5ac

### For more information

If you have any questions or comments about this advisory:

- Open an issue in [VM2](https://github.com/patriksimek/vm2)

Thanks to @arkark (Takeshi Kaneko) of GMO Cybersecurity by Ierae, Inc. for disclosing this vulnerability.

CVE-2023-32313: Inspect method should be readonly · patriksimek/vm2@5206ba2

vm2 is a sandbox that can run untrusted code with Node's built-in modules. In versions 3.9.17 and lower of vm2 it was possible to get a read-write reference to the node `inspect` method and edit options for `console.log`. As a result a threat actor can edit options for the `console.log` command. This vulnerability was patched in the release of version `3.9.18` of `vm2`. Users are advised to upgrade. Users unable to upgrade may make the `inspect` method readonly with `vm.readonly(inspect)` after creating a vm.

CVE-2023-32314: Sandbox Escape in vm2@3.9.17

vm2 is a sandbox that can run untrusted code with Node's built-in modules. A sandbox escape vulnerability exists in vm2 for versions up to and including 3.9.17. It abuses an unexpected creation of a host object based on the specification of `Proxy`. As a result a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version `3.9.18` of `vm2`. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Red Hat Security Advisory 2023-2502-01

Red Hat Security Advisory 2023-2502-01 - The Dynamic Host Configuration Protocol is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The dhcp packages provide a relay agent and ISC DHCP service required to enable and administer DHCP on a network. Issues addressed include a memory leak vulnerability.

RHSA-2023:2532: Red Hat Security Advisory: libarchive security update

An update for libarchive is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-36227: A flaw was found in libarchive. A missing check of the return value of the calloc function can cause a NULL pointer dereference in an out-of-memory condition or when a memory allocation limit is reached, resulting in the program linked with libarchive to crash.

RHSA-2023:2459: Red Hat Security Advisory: device-mapper-multipath security and bug fix update

An update for device-mapper-multipath is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41973: A vulnerability was found in the device-mapper-multipath. The device-mapper-multipath allows local users to obtain root access, in conjunction with CVE-2022-41974. Local users that are able to access /dev/shm can change symlinks in multipathd due to incorrect symlink handling, which may lead to controlled file writes outside of th...

RHSA-2023:2261: Red Hat Security Advisory: bind security and bug fix update

An update for bind is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2795: A flaw was found in bind. When flooding the target resolver with special queries, an attacker can significantly impair the resolver's performance, effectively denying legitimate clients access to the DNS resolution service. * CVE-2022-3094: A flaw was found in Bind, where sending a flood of dynamic DNS updates may cause named to allocate large amount...

RHSA-2023:2502: Red Hat Security Advisory: dhcp security and enhancement update

An update for dhcp is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2928: An integer overflow vulnerability was found in the DHCP server. When the "option_code_hash_lookup()" function is called from "add_option()", it increases the option's "refcount" field. However, there is not a corresponding call to "option_dereference()" to decrement the "refcount" field. The "add_option()" function is only used in server responses to...

Gentoo Linux Security Advisory 202305-22

Gentoo Linux Security Advisory 202305-22 - Multiple vulnerabilities have been discovered in ISC DHCP, the worst of which could result in denial of service. Versions less than 4.4.3_p1 are affected.

CVE-2023-27535

An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current setup. However, certain FTP settings such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the configuration match checks, causing them to match too easily. This could lead to libcurl using the wrong credentials when performing a transfer, potentially allowing unauthorized access to sensitive information.

Ubuntu Security Notice USN-5964-1

Ubuntu Security Notice 5964-1 - Harry Sintonen discovered that curl incorrectly handled certain TELNET connection options. Due to lack of proper input scrubbing, curl could pass on user name and telnet options to the server as provided, contrary to expectations. Harry Sintonen discovered that curl incorrectly handled special tilde characters when used with SFTP paths. A remote attacker could possibly use this issue to circumvent filtering.

Debian Security Advisory 5366-1

Debian Linux Security Advisory 5366-1 - The Qualys Research Labs reported an authorization bypass (CVE-2022-41974) and a symlink attack (CVE-2022-41973) in multipath-tools, a set of tools to drive the Device Mapper multipathing driver, which may result in local privilege escalation.

Red Hat Security Advisory 2023-0402-01

Red Hat Security Advisory 2023-0402-01 - An update for bind is now available for Red Hat Enterprise Linux 7.

RHSA-2023:0402: Red Hat Security Advisory: bind security update

An update for bind is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-25220: bind: DNS forwarders - cache poisoning vulnerability * CVE-2022-2795: bind: processing large delegations may severely degrade resolver performance

snap-confine must_mkdir_and_open_with_perms() Race Condition

Qualys discovered a race condition (CVE-2022-3328) in snap-confine, a SUID-root program installed by default on Ubuntu. In this advisory, they tell the story of this vulnerability (which was introduced in February 2022 by the patch for CVE-2021-44731) and detail how they exploited it in Ubuntu Server (a local privilege escalation, from any user to root) by combining it with two vulnerabilities in multipathd (an authorization bypass and a symlink attack, CVE-2022-41974 and CVE-2022-41973).

Critical Ping Vulnerability Allows Remote Attackers to Take Over FreeBSD Systems

The maintainers of the FreeBSD operating system have released updates to remediate a security vulnerability impacting the ping module that could be potentially exploited to crash the program or trigger remote code execution. The issue, assigned the identifier CVE-2022-23093, impacts all supported versions of FreeBSD and concerns a stack-based buffer overflow vulnerability in the ping service.

Ubuntu Security Notice USN-5658-3

Ubuntu Security Notice 5658-3 - USN-5658-1 fixed several vulnerabilities in DHCP. This update provides the corresponding update for Ubuntu 14.04 ESM. It was discovered that DHCP incorrectly handled option reference counting. A remote attacker could possibly use this issue to cause DHCP servers to crash, resulting in a denial of service.

CVE-2022-36227: There is a NULL pointer dereference vulnerability · Issue #1754 · libarchive/libarchive

In libarchive 3.6.1, the software does not check for an error after calling calloc function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference or, in some cases, even arbitrary code execution.

Ubuntu Security Notice USN-5731-1

Ubuntu Security Notice 5731-1 - It was discovered that multipath-tools incorrectly handled symlinks. A local attacker could possibly use this issue, in combination with other issues, to escalate privileges. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 22.10. It was discovered that multipath-tools incorrectly handled access controls. A local attacker could possibly use this issue, in combination with other issues, to escalate privileges.

Leeloo Multipath Authorization Bypass / Symlink Attack

The Qualys Research Team has discovered authorization bypass and symlink vulnerabilities in multipathd. The authorization bypass was introduced in version 0.7.0 and the symlink vulnerability was introduced in version 0.7.7.

CVE-2022-41973: Release 0.9.2: Merge pull request #46 from openSUSE/queue · opensvc/multipath-tools

multipath-tools 0.7.7 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited in conjunction with CVE-2022-41974. Local users able to access /dev/shm can change symlinks in multipathd due to incorrect symlink handling, which could lead to controlled file writes outside of the /dev/shm directory. This could be used indirectly for local privilege escalation to root.

CVE-2022-2929: CVE-2022-2929 DHCP memory leak

In ISC DHCP 1.0 -> 4.4.3, ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16-P1 a system with access to a DHCP server, sending DHCP packets crafted to include fqdn labels longer than 63 bytes, could eventually cause the server to run out of memory.

CVE-2022-2928: CVE-2022-2928 An option refcount overflow exists in dhcpd

In ISC DHCP 4.4.0 -> 4.4.3, ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16-P1, when the function option_code_hash_lookup() is called from add_option(), it increases the option's refcount field. However, there is not a corresponding call to option_dereference() to decrement the refcount field. The function add_option() is only used in server responses to lease query packets. Each lease query response calls this function for several options, so eventually, the reference counters could overflow and cause the server to abort.

Ubuntu Security Notice USN-5658-1

Ubuntu Security Notice 5658-1 - It was discovered that DHCP incorrectly handled option reference counting. A remote attacker could possibly use this issue to cause DHCP servers to crash, resulting in a denial of service. It was discovered that DHCP incorrectly handled certain memory operations. A remote attacker could possibly use this issue to cause DHCP clients and servers to consume resources, leading to a denial of service.

Ubuntu Security Notice USN-5626-2

Ubuntu Security Notice 5626-2 - USN-5626-1 fixed several vulnerabilities in Bind. This update provides the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. Yehuda Afek, Anat Bremler-Barr, and Shani Stajnrod discovered that Bind incorrectly handled large delegations. A remote attacker could possibly use this issue to reduce performance, leading to a denial of service.

Ubuntu Security Notice USN-5626-1

Ubuntu Security Notice 5626-1 - Yehuda Afek, Anat Bremler-Barr, and Shani Stajnrod discovered that Bind incorrectly handled large delegations. A remote attacker could possibly use this issue to reduce performance, leading to a denial of service. It was discovered that Bind incorrectly handled statistics requests. A remote attacker could possibly use this issue to obtain sensitive memory contents, or cause a denial of service. This issue only affected Ubuntu 22.04 LTS.