Headline
RHSA-2023:3537: Red Hat Security Advisory: OpenShift Container Platform 4.13.3 bug fix and security update
Red Hat OpenShift Container Platform release 4.13.3 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a security impact of [impact]. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
- CVE-2023-25173: A flaw was found in containerd, where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases. This issue can allow access to sensitive information or gain the ability to execute code in that container.
- CVE-2023-26054: A flaw was found in the moby buildkit. When a build is performed under specific conditions where credentials were passed to BuildKit, it may be visible to everyone with access to provenance attestation.
Synopsis
Moderate: OpenShift Container Platform 4.13.3 bug fix and security update
Type/Severity
Security Advisory: Moderate
Topic
Red Hat OpenShift Container Platform release 4.13.3 is now available with updates to packages and images that fix several bugs and add enhancements.
This release includes a security update for Red Hat OpenShift Container Platform 4.13.
Red Hat Product Security has rated this update as having a security impact of [impact]. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Red Hat OpenShift Container Platform is Red Hat’s cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.
This advisory contains the container images for Red Hat OpenShift Container Platform 4.13.3. See the following advisory for the RPM packages for this release:
https://access.redhat.com/errata/RHSA-2023:3536
Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:
https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html
Security Fix(es):
- net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (CVE-2022-41723)
- containerd: Supplementary groups are not set up properly (CVE-2023-25173)
- buildkit: Data disclosure in provenance attestation describing a build (CVE-2023-26054)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
All OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html
Solution
For OpenShift Container Platform 4.13 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:
https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html
You may download the oc tool and use it to inspect release image metadata for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests may be found at https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags
The sha values for the release are:
(For x86_64 architecture)
The image digest is sha256:bc9835804046aa844c874d2cc37387ec95fe7e87d8ce96129fba78d465c932fa
(For s390x architecture)
The image digest is sha256:c26d48b04d8864fc20145204b543957824d1d86696c82efdd9738d096796326d
(For ppc64le architecture)
The image digest is sha256:2bf60fe7b0c72a301aa26544e3faabb61fe750e449ee130ee6945b588a727e67
(For aarch64 architecture)
The image digest is sha256:f61d496a3b69582f0f1c54da973a58241b3e6001d8d1a696368d604b9ae774f2
All OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html
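The following script is an added example and is not part of the advisory or of any Red Hat tooling. It shows how an operator can check that a release image pull spec is pinned by digest and that the digest equals the one this advisory publishes for the cluster's architecture. The four digests are copied from the Solution section above; the sample pull spec is constructed to look like the value returned by `oc get clusterversion version -o jsonpath='{.status.desired.image}'`, which is how the real value would be obtained on a live cluster.

```shell
#!/bin/sh
# Added example (not from the advisory): verify a release image pull spec
# against the per-architecture digests published in RHSA-2023:3537.

# Release image digests exactly as listed in the advisory's Solution section.
expected_release_digest() {
  case "$1" in
    x86_64)  printf '%s\n' sha256:bc9835804046aa844c874d2cc37387ec95fe7e87d8ce96129fba78d465c932fa ;;
    s390x)   printf '%s\n' sha256:c26d48b04d8864fc20145204b543957824d1d86696c82efdd9738d096796326d ;;
    ppc64le) printf '%s\n' sha256:2bf60fe7b0c72a301aa26544e3faabb61fe750e449ee130ee6945b588a727e67 ;;
    aarch64) printf '%s\n' sha256:f61d496a3b69582f0f1c54da973a58241b3e6001d8d1a696368d604b9ae774f2 ;;
    *) printf 'unknown architecture: %s\n' "$1" >&2; return 1 ;;
  esac
}

# Print the digest part of "repo@sha256:<64 hex>". A tag-only reference
# (e.g. ocp-release:4.13.3-x86_64) is rejected: tags are mutable, so matching
# one proves nothing about which image content the cluster actually runs.
digest_of() {
  case "$1" in
    *@*) ;;
    *) printf 'not pinned by digest: %s\n' "$1" >&2; return 1 ;;
  esac
  d="${1##*@}"
  printf '%s\n' "$d" | grep -Eq '^sha256:[0-9a-f]{64}$' || {
    printf 'malformed digest: %s\n' "$d" >&2; return 1; }
  printf '%s\n' "$d"
}

# verify_release_digest ARCH PULLSPEC
# Prints "match" and exits 0 when PULLSPEC carries the advisory digest for
# ARCH; prints "mismatch" and exits 1 otherwise (or 1 on bad input).
verify_release_digest() {
  want=$(expected_release_digest "$1") || return 1
  got=$(digest_of "$2") || return 1
  if [ "$want" = "$got" ]; then
    echo match
  else
    echo mismatch
    return 1
  fi
}

# Constructed sample, shaped like the output of
#   oc get clusterversion version -o jsonpath='{.status.desired.image}'
SAMPLE='quay.io/openshift-release-dev/ocp-release@sha256:bc9835804046aa844c874d2cc37387ec95fe7e87d8ce96129fba78d465c932fa'
verify_release_digest x86_64 "$SAMPLE"
```

On a real cluster, replace `SAMPLE` with the jsonpath output above and pass the node architecture reported by `oc get nodes -o wide`. The per-component image digests listed later in this advisory can be checked the same way with `digest_of` against the output of `oc adm release info --pullspecs <pull spec>`.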
Affected Products
- Red Hat OpenShift Container Platform 4.13 for RHEL 9 x86_64
- Red Hat OpenShift Container Platform 4.13 for RHEL 8 x86_64
- Red Hat OpenShift Container Platform for Power 4.13 for RHEL 9 ppc64le
- Red Hat OpenShift Container Platform for Power 4.13 for RHEL 8 ppc64le
- Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.13 for RHEL 9 s390x
- Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.13 for RHEL 8 s390x
- Red Hat OpenShift Container Platform for ARM 64 4.13 for RHEL 9 aarch64
- Red Hat OpenShift Container Platform for ARM 64 4.13 for RHEL 8 aarch64
Fixes
- BZ - 2174485 - CVE-2023-25173 containerd: Supplementary groups are not set up properly
- BZ - 2176447 - CVE-2023-26054 buildkit: Data disclosure in provenance attestation describing a build
- BZ - 2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding
- OCPBUGS-10527 - When there are 2 pipelines displayed in the dropdown menu, selecting one, unchecks the Add Pipeline checkbox
- OCPBUGS-11530 - GCP usage api response include other projects and can cause negative quota calculation
- OCPBUGS-11851 - [4.13] nto: makefile: fix render-sync make target
- OCPBUGS-12918 - [GWAPI] OSSM 2.4 spec.techPreview.controlPlaneMode field not supported anymore
- OCPBUGS-13011 - Azure cloud node manager stopped applying beta topology labels
- OCPBUGS-13168 - Invalid CA certificate bundle provided by service account token
- OCPBUGS-13399 - Error logs related to NTO Service during HostedCluster creation
- OCPBUGS-13727 - Invalid docker ref parsing when tag and sha are both provided
- OCPBUGS-13735 - Cluster-api SA can’t create events
- OCPBUGS-13749 - NTO does not include PerformanceProfiles in oc adm must-gather
- OCPBUGS-13765 - IPI baremetal install root device hints should accept by-path device alias
- OCPBUGS-13811 - Volume unmount repeats after successful unmount, preventing pod delete
- OCPBUGS-13964 - mtls CRL not working when using an intermediate CA
- OCPBUGS-13967 - CRL configmap is limited by 1MB max, not allowing for multiple public CRLs
- OCPBUGS-14000 - Package openvswitch2.17 conflicts with openvswitch2.15 during the 4.12 to 4.13 upgrade of RHEL worker
- OCPBUGS-14085 - Log vcenter version in raw string format in problem-detector
- OCPBUGS-14098 - The vsphere-problem-detector-operator panics if vsphere Infrastructure field is empty
- OCPBUGS-14135 - SCOS times out during provisioning of BM nodes
- OCPBUGS-14165 - Labels added in the Git import flow are not propagated to the pipeline resources
- OCPBUGS-14171 - gracefully fail when iam:GetRole is denied
- OCPBUGS-14173 - [4.13] Fast track BZ#2196441 (Network Manager)
- OCPBUGS-14195 - Topology UI doesn’t recognize Serverless Rust function for proper UI icon
- OCPBUGS-14249 - oc does not preserve a specific release image provided with --to-image=''
- OCPBUGS-14258 - Adjust vSphere connection plugin to OCP 4.13 - backport
- OCPBUGS-14315 - IPv6 interface and address missing in all pods - OCP 4.12-ec-2 BM IPI
- OCPBUGS-14438 - 4.13.z: [Clone of OCPBugs-8287]SNO 4.10: Power cycle node and MAC address of NIC not available when VDU application starts on Intel E810-C Nic
References
- https://access.redhat.com/security/updates/classification/#moderate
- https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html
aarch64
openshift4/driver-toolkit-rhel9@sha256:393604d959c1d7a501abfa8890594ce92ae2938741c48767d4b866fb49bdc481
openshift4/network-tools-rhel8@sha256:1466ac0808b3ad037567bbcb05e370409d8336d781d1e4573a09437512f93134
openshift4/openshift-route-controller-manager-rhel8@sha256:e93e8a927684a6b7fc90e7d304e638026605caf43a5326877ebc6e69a42759ba
openshift4/ose-agent-installer-api-server-rhel8@sha256:b568e17e33b8ff0ff1b5dbd57302a119067dbba931a4e5481660c2e8e2f2bbcc
openshift4/ose-agent-installer-csr-approver-rhel8@sha256:1ca67a5fc95fc154745c6acdfdd872849478a4d9950fb53ae9f175f27d39dd88
openshift4/ose-aws-ebs-csi-driver-rhel8@sha256:bbfd94fb7766e74d140cf7484de0c66dd3f8247a46f902fc41169869c0b71efb
openshift4/ose-aws-pod-identity-webhook-rhel8@sha256:365de8f47bd3e79faaed6e60321ad4d329135a848b11419a9474b1feee31646d
openshift4/ose-azure-cloud-controller-manager-rhel8@sha256:d37dc03f52323590058530cb4355ccc82c1dc68397532c8258f8a574b8684594
openshift4/ose-azure-cloud-node-manager-rhel8@sha256:b18f5945f44d64fd45b9a15068cfb3bbd3e1cbc7fb87753ff3a8c44788970696
openshift4/ose-baremetal-installer-rhel8@sha256:4cf654f22c11fcdf403cdfc743bd90f60cde46fa62452632fabbf79e4024205b
openshift4/ose-cli@sha256:735f70c9a041a4a960723c847debee91b3ca95050f00d651c723f4c37f4666af
openshift4/ose-cli-artifacts@sha256:10b07967e2c7afe0b7ae255ea0e41a6a3f8063b923297a4313e844c4804e7833
openshift4/ose-cloud-credential-operator@sha256:5965910ef7ac0c75ca4db8c1f044c7f92c56632ac205fe223729d978a72b857d
openshift4/ose-cluster-cloud-controller-manager-operator-rhel8@sha256:0e890cc69c898ddb787fe68140539e698700fd9a35662749a35ec4fdcd754fe9
openshift4/ose-cluster-ingress-operator@sha256:58d56005f83b1ec960347aeec6c93d1cefc9d4c54a9b144e20b8ed15cd4ef4ee
openshift4/ose-cluster-monitoring-operator@sha256:0faec75702f7027bfcd42f31dc622d79dded78c0234b5a2edf7bceebf4985703
openshift4/ose-cluster-network-operator@sha256:6170613fb222cb3f23f29c796262c18a3d3aa10c382f02a9e1caf5c3b55ae7a1
openshift4/ose-cluster-node-tuning-operator@sha256:4e4af593baa033a16a582b84273049ddd5b4142d6fcabef2e1e0f06d0774c29d
openshift4/ose-cluster-update-keys@sha256:29018350d731f434424f471f9f0b79dad715ca9be3b01926287183142df30058
openshift4/ose-console@sha256:dc5d20f33759e672a90d6714fe56b7c84781b3e355c3989f983079c729895f28
openshift4/ose-csi-driver-shared-resource-rhel8@sha256:d8609c79da7eb8c444edf484100021dcd39df760d37ecc4473b90e5123acb294
openshift4/ose-csi-driver-shared-resource-webhook-rhel8@sha256:28e73df0309f1b59a467d9ddb06d9348b42c7686c895229942b90a42d28bebfc
openshift4/ose-deployer@sha256:11107c540c2120eab7c948a599aa6abb95b545a00c5973332273d5c3ae3f91e7
openshift4/ose-docker-builder@sha256:622f96b67cb53b19a9609526f57e70ba784f3ca2a00625a94a632b6e438186d7
openshift4/ose-gcp-cloud-controller-manager-rhel8@sha256:3a0d5b7d129c64845e71f08261349320482109fccf3d9d3a6c90aa34cf746ec7
openshift4/ose-gcp-cluster-api-controllers-rhel8@sha256:84818e5dd16234286e0ad54e76c11e95e54be51bbd5658f20317b32db7b1e65c
openshift4/ose-haproxy-router@sha256:8bb4dcffd4313b4a2b71a2e6feddced31ef5c7101fd637ccef584bf4cc4ee7a8
openshift4/ose-hyperkube@sha256:41fa3fd5c937b643c5bad8734a1f3897e0efdf7f629b9842b4db1ef0c55e5279
openshift4/ose-hypershift-rhel8@sha256:9b2e3e8177728c2c5fc096f513f7c529c9e27f1577263694c97b94c13d922a01
openshift4/ose-installer@sha256:e5bb6912b2310015f3bd77218ae0ee3665e2637ac85bd6274f3abfbdd1d69ac3
openshift4/ose-installer-artifacts@sha256:c7d8e73bba6bb2b3cf0de175db7e978058e343b4f18791bcc3e3dbcfec467e9b
openshift4/ose-ironic-machine-os-downloader-rhel9@sha256:c2d8562ac750965fdfe63274cde3644e868156a64ba99e4bf0f7c29f000d63ca
openshift4/ose-ironic-rhel9@sha256:bc09a95a99131a198c0ddc8a70ff3d54daf1ed4612d192af9196f0c30af4efda
openshift4/ose-ironic-static-ip-manager-rhel9@sha256:213e851828bb48f599885d4be552a59ebd2f266f21c57ebcac6ccf9a4759f300
openshift4/ose-kube-proxy@sha256:6ee00cb6a0e9c4c4c6777fab032eb8425880beff4f63592d0edfc783a977ebc7
openshift4/ose-machine-api-operator@sha256:b8a61e1b378811f245e328234284b1920015c3db34951b1a1cef96a6351c5369
openshift4/ose-machine-os-images-rhel8@sha256:5db066ed012c90506ff8ccbe90bc55e68f78f2c6b6f593a62848e01c1eaf28b6
openshift4/ose-multus-cni@sha256:0a069f697fdf1bfafcfa48b2d620a0b7d7ff7d9b85c5271e381571e13cf15df8
openshift4/ose-must-gather@sha256:9d71f4a8be698d9503778e1add6e1d03099f0b139395b8f1ae38f8d4097dc367
openshift4/ose-ovn-kubernetes@sha256:61cc58cc9d3779cafa84092c516fcfbc8300ffacf44979977e8792a03dcc1223
openshift4/ose-pod@sha256:ad9810467f2b7ffc6362b5cdf89cc948381cd7f6a78be69cd7e5b64f98220e7a
openshift4/ose-sdn-rhel8@sha256:050bfca21173e204ee0cd3e2b822e25eac5b6edf254f4fb5b8f6f17038e07154
openshift4/ose-tests@sha256:4ea14d40158c3348fe44fcb7f52e8744a1d52c1e67495830b37197495657ca01
openshift4/ose-tools-rhel8@sha256:6320e205eef22339a5a5e2d9a2f06d5b620edaf5a83cd049606a3b3f38e07f39
ppc64le
openshift4/driver-toolkit-rhel9@sha256:8a98c5324a9ce23955fbea3b65a797ab8be78aee5f2379b346296cb5b5fbd7c6
openshift4/network-tools-rhel8@sha256:cd24d548e117b3ca550cb91a06233e071f9bc5ae47480ce0c92e3c8efca7d2e3
openshift4/openshift-route-controller-manager-rhel8@sha256:804360ab4e01f2b04dd9d261a73d8bba907179944c3f6b20b13bd5d20d4093e2
openshift4/ose-agent-installer-api-server-rhel8@sha256:6ca9683ec9960a2e9f0a26a876f4f8563314403118718a69fbfa944bd7b8482f
openshift4/ose-agent-installer-csr-approver-rhel8@sha256:45783e817eac8aa242d203dfaff9ed82792d69881eb4981b2edebbc0bf83ceb7
openshift4/ose-baremetal-installer-rhel8@sha256:b255259e3b5d1c3d79423561cebb71a5cb496b36aeacd26056e8776b9081bcc5
openshift4/ose-cli@sha256:b0649f11a30d7f0fd62a4ecea2c760ed7dabcf7e23620f45f19d16b81936ac9e
openshift4/ose-cli-artifacts@sha256:4c33f7b53cfc3ac506a2f802c5270163c8ee84c34b8161777a021b4da7f1838e
openshift4/ose-cloud-credential-operator@sha256:4b6ee0437b840f0cc036f1c7bfe4ed8b36af5d3c3200836b1c9ea7b2f1064dd9
openshift4/ose-cluster-cloud-controller-manager-operator-rhel8@sha256:4d5bbb8636432333038a419718fe0d4cd5ca2224941a9e4e87519fde66bfad39
openshift4/ose-cluster-ingress-operator@sha256:568f9a8e66fe41f7250294108760ab0ab48858416ef91e56dd9bad99a6478d23
openshift4/ose-cluster-monitoring-operator@sha256:47dd142ea378e8bf88bcf0d69a842ef22501422f53331bc8caeb009b38dc76e5
openshift4/ose-cluster-network-operator@sha256:5b9f99bc3ccaea3c8c8c1c798e1b3b356fc175564bf1d3321c3c0696dadf6a1e
openshift4/ose-cluster-node-tuning-operator@sha256:1135ba1ec7ffdcf74bc6136a1c75c7f27fe93919a138fb24d5a10d08fcbf485b
openshift4/ose-cluster-update-keys@sha256:2b1695d29b05d5c1fe3c4525856cf0fc30c09ccd52d449751f8dc2fdf0365bae
openshift4/ose-console@sha256:146ad4ba01a8c589351a760b52eb52dcfdd0124458614dd021823ae2a9783353
openshift4/ose-csi-driver-shared-resource-rhel8@sha256:87b009c2ba38f9cdf67c3c863036b9dd88c2751a62c9e5ac677e00625026128f
openshift4/ose-csi-driver-shared-resource-webhook-rhel8@sha256:93fa32aeca2dd2b0c03fa38823072b833a5879abb625b585a16e71fc6454c78d
openshift4/ose-deployer@sha256:92058f220f809eea14e1a1259de3328419bccee02c6a4fd13d06d09f66d759ba
openshift4/ose-docker-builder@sha256:2e44e76ed51ceb17084f29957d51d46b3df2dfc561d7db3800a3e10a9b2d8930
openshift4/ose-gcp-cloud-controller-manager-rhel8@sha256:8c316f224fcf3f12e4f3a399e8afac19e409840dbbf660b25e102a04f964a6c6
openshift4/ose-gcp-cluster-api-controllers-rhel8@sha256:471d9efebf41127a290f4c72e6ca2eeb6e1a519ce6b19f93b8a218a4a21d75f1
openshift4/ose-haproxy-router@sha256:a5cc5b34c5398ddb6884ec1ab3be65b9bd7c95fd9ca9dd42125dd9d0cb455ff6
openshift4/ose-hyperkube@sha256:3bdf069442e41d2738fc2f0bd4f376b46a65828ce3a7f25ab6be7449c2c37237
openshift4/ose-hypershift-rhel8@sha256:d9e05b54e6e3c62126eda1669529032a4743b1765376310353d06959b097e323
openshift4/ose-installer@sha256:26fce69f2e9305c8788e387e9174675a4a25b768bd39444645a81cb7678e8249
openshift4/ose-installer-artifacts@sha256:34490ccd83ffe2b59d8c044f62e1f8eee74907ed9c9c3f41efdb20dbd6825402
openshift4/ose-kube-proxy@sha256:a814a2c68183f25d757e31ee21f6e845bc3ebe47f53a6d96de1266ca6efec3fb
openshift4/ose-kuryr-cni-rhel8@sha256:234f6ad5ff94000249b6f6f500a1be868e5a1aa2a57ba48945db7dc3ecb4e4c2
openshift4/ose-kuryr-controller-rhel8@sha256:89131c5d39eacdb3ef00973f6bfa116a5009f1e10ecdc4005a1cfc91e81a3c6d
openshift4/ose-machine-api-operator@sha256:30f85ba16360f22291349952d0bf8fce029b891a43c0bfb05b50ac2be2deaf85
openshift4/ose-machine-os-images-rhel8@sha256:758eb536209a77c000b458a18f340e536594d2520a5d80c16d520867acf79133
openshift4/ose-multus-cni@sha256:e32024e1de8f624ecdedd437286a7a946c10c143cef2a858ec3f7c7a18c380fb
openshift4/ose-must-gather@sha256:1e1d1775c9da54528eeeb76fe60f142abbfbdfd594cf8b5698218178068b4369
openshift4/ose-ovn-kubernetes@sha256:0f048b256203ada0a1b0363e90cb1aa8a7a2f848b6952af8b568e586944b5f44
openshift4/ose-pod@sha256:bcb060e9d00f3579b0ab6bfee0cdaa9c45df7634fb6357e6e393988ce5dc0afa
openshift4/ose-sdn-rhel8@sha256:89805d72b22827dd10814b87e90828df3671bf2b7a0b0b213155ad04d8630c7a
openshift4/ose-tests@sha256:770dbbf7778a1ee518695db8903e1a08ecf34050bf1814909cd3f72fdf845b13
openshift4/ose-tools-rhel8@sha256:7a58ebd570937a1ef5b4204ac6820497ec00bca35024b10a559b99a35250b906
s390x
openshift4/driver-toolkit-rhel9@sha256:b6a56357c202111ae442ea6fab721e745ccc9e572dce61dc8c4782eabc1f12ec
openshift4/network-tools-rhel8@sha256:e05f2b5b6e35f5e0262efc8648aa60ce911a37a387a1f2f876f252a180a54403
openshift4/openshift-route-controller-manager-rhel8@sha256:193d7eff82c963055fe9bcba49aaab7d1697a206ca80efd7120223981c0a2900
openshift4/ose-agent-installer-api-server-rhel8@sha256:19b0b859029870542a16b291635e70a02c04e420adec0f69b795f27c8b7cfce9
openshift4/ose-agent-installer-csr-approver-rhel8@sha256:56af6bbe9c2510f6ad29fb5beb5b0dc9d00dcfdf2b5a095e80386287b139ab22
openshift4/ose-baremetal-installer-rhel8@sha256:18cf5564daa86b293399b88787e20356b69c20fa9a796f5bf52258285f289841
openshift4/ose-cli@sha256:13676d7e702abd850bd8721ac827375d531c65fa705af900295215338149ef77
openshift4/ose-cli-artifacts@sha256:9a2d46cbd5120d3b6ec6e9c063a5b090ee14c672d859cd9e68d54f23ce521495
openshift4/ose-cloud-credential-operator@sha256:37af8ceeefe6369075505710ceb3b2b4b02eb22f5a10b7162a084c9d7a691022
openshift4/ose-cluster-cloud-controller-manager-operator-rhel8@sha256:709847abaf420755c6bb55eb679bf062cc707f39af56f7216efd792c54f566e0
openshift4/ose-cluster-ingress-operator@sha256:236c1b1e05edc74298dc69cfc22074bf19f688835a04c809bd81d5d932e8a61a
openshift4/ose-cluster-monitoring-operator@sha256:e3d0dd07a5f297c5a0c14ebfb50b8ce90950347e8373fc0d195174865b2a0cb4
openshift4/ose-cluster-network-operator@sha256:6cb1a7ca65d8e7d855c88fa7f7c91564f1d4f60ed2febf86348d96485ed1048f
openshift4/ose-cluster-node-tuning-operator@sha256:57547b0675e366e8c19a24498dbecef6bc7a968c271124d1a716d112da5b2ee4
openshift4/ose-cluster-update-keys@sha256:b735b10a0c2d711840898f0863d03f32eec9910badb40f9b60a5674ff9d07ee7
openshift4/ose-console@sha256:c2b5b7f9e101de58695d8e57a8e132fd04b03d0d3b87a4cf31a286c61fe718c4
openshift4/ose-csi-driver-shared-resource-rhel8@sha256:079962aec4e86b839905846d8dd6b89480e524bfcfbc8c3ecaa2a2cf2238dba6
openshift4/ose-csi-driver-shared-resource-webhook-rhel8@sha256:5bc1c3e1e72b11274eb525d9ac6f18881f4fddb53c3afbfdaee9750d20e26230
openshift4/ose-deployer@sha256:3432cdc7d17d8e9cd804639e77ba27489b1e2010642cb42e2144e90bb55caa0b
openshift4/ose-docker-builder@sha256:260c778ac7497101dd96b776a12f8daa62bef9dc477f701b42c4e2b0d380006a
openshift4/ose-haproxy-router@sha256:853551d85798876d976019ece18995bede7e169d0383cce006f48f9f3c494385
openshift4/ose-hyperkube@sha256:9bba70060146c53af33f3bd6a4f9326f5d093d807f0dc52ad8d7fb0988367673
openshift4/ose-hypershift-rhel8@sha256:d129d7190f48fa1094788dc19346ba8acce20b0ef920e729b8fa12463172d6af
openshift4/ose-ibm-cloud-controller-manager-rhel8@sha256:670f11c57548b3e8cdf3278c13595f677dd02d7caefbf928f9f38ff3b8ec5c8b
openshift4/ose-ibmcloud-machine-controllers-rhel8@sha256:354c2dbc696164e06370a94771e095a0326863054c46436a07cb587743506c1c
openshift4/ose-installer@sha256:4bf5cca122fe7f2b96dcf23dbdb65abfcebcc578a4aa58119c25d54dc2f5e8b6
openshift4/ose-installer-artifacts@sha256:8b61d7a5358f8c32a64ac6ba5e20ddc26d386b2b4623f2eeb32a4da26a3f5f16
openshift4/ose-kube-proxy@sha256:3ad8b3ab55a46eed107cadcabea6f1ab803bc10f42700f1a0aeb2a17d24f2ae1
openshift4/ose-machine-api-operator@sha256:ec48c1ebe12576c77f9276ea7a29ed17d16ba1e2cb9bcf7ca8a87fc65c80a4fe
openshift4/ose-multus-cni@sha256:16b53c511665a71ae8690417a4a3a7c253bcd134913a454576c2e38ac0209b64
openshift4/ose-must-gather@sha256:fc8e8df36d9b0b7cceb4a63e4b2093c8c2007823c948f67a65fcc1184f507851
openshift4/ose-ovn-kubernetes@sha256:1e26486eb64692ea6df29c48e17cca74ef36511e03923b344fd2389bea9fb560
openshift4/ose-pod@sha256:654f742ad9374b4c1e2eaf05689054e0f6e8e3e51fa3bc69705ad404359b3eba
openshift4/ose-sdn-rhel8@sha256:bae14f248e25c318322d281d0fa3019be7e8f2374bbc211153f7543a2672a8ae
openshift4/ose-tests@sha256:e45712a7aacaa14b7938c6d94b753af0d54c8d3323ddcf114a4a701f9070d6c2
openshift4/ose-tools-rhel8@sha256:85572c048837abe9765639da934ab33a3e2caf2a3bf5a0a2eb95b783596cbadb
x86_64
openshift4/driver-toolkit-rhel9@sha256:993050cfa37f09c1a302faab1a12a1d3f70ad01008e9c0c3ddfaecf63a438918
openshift4/network-tools-rhel8@sha256:0ac2bbd059b2c6a130bda04ec48076dea7b8263bd6c4a42861f4d642e2ec55b8
openshift4/oc-mirror-plugin-rhel8@sha256:66bd5abc231f2e9dbf6727b11ef7b2c8b0f18e78eb009ed255a60e83117d3259
openshift4/openshift-route-controller-manager-rhel8@sha256:3db0646a772c0db975179fa2af73a5af298392b5ff60a9c9d27a51cb7fdd784e
openshift4/ose-agent-installer-api-server-rhel8@sha256:c4b775cbe8eec55de2c163919c6008599e2aebe789ed93ada9a307e800e3f1e2
openshift4/ose-agent-installer-csr-approver-rhel8@sha256:eeea3ce92b26911c6defd0408d64c2b66c0733e4e1440920b8b885f643bda445
openshift4/ose-aws-ebs-csi-driver-rhel8@sha256:8b9821056e79cc0dabd4ca262cfebad717e4298f16151a24548eee19a7bece19
openshift4/ose-aws-pod-identity-webhook-rhel8@sha256:2ed2b8f8db21cc42dd84d151d39cbf83b0a91d03cf2f296188dc504ae13f1371
openshift4/ose-azure-cloud-controller-manager-rhel8@sha256:37d07b86194d322cb827779e3766876c817a98a1193240079733d7a5cd5860bf
openshift4/ose-azure-cloud-node-manager-rhel8@sha256:846aa1ae96f3708b4523df52ca110772eb90e75ad582e1aa6321776e9c5e05d9
openshift4/ose-baremetal-installer-rhel8@sha256:8fa7b1b9e3bf29f1dbd154369767a1299e322eee29e61f44d5a850ae49165ab6
openshift4/ose-cli@sha256:a53b9de5f1ebf995a053f9ea36126339fe0c943cd8bfedf9f197c4f5b4356d70
openshift4/ose-cli-artifacts@sha256:244328a66d0e974bc0c60bec2e47ac02003e3cdaf779ee6406cc96758faa426c
openshift4/ose-cloud-credential-operator@sha256:3c282eb833362422df296bd8e370fddde88519abab155963da4079a7edc65f2c
openshift4/ose-cluster-cloud-controller-manager-operator-rhel8@sha256:d53fed1961fbfbd54ca0c6f62acf5a8edb446284bc9b538ce96f21346a023cea
openshift4/ose-cluster-ingress-operator@sha256:656e7e96ce3bc8666b35b3df4c6ff1b7244ab08d6e87ce23ffa859a904658a1a
openshift4/ose-cluster-monitoring-operator@sha256:d1ef07e939f2983b42e93316269c3f7791e53d5675ed479f75f83b26554b32f9
openshift4/ose-cluster-network-operator@sha256:17a253ef714d3f32306d08da1ac0a425f434f677ffe2e3ffe4cc0e21571a6fde
openshift4/ose-cluster-node-tuning-operator@sha256:215c5bea4b9c3d684c9c0a30044c8835df53a48b1afae9243d05343138c1a8f4
openshift4/ose-cluster-update-keys@sha256:1135c726650491dec6956be6ff3c7ecd05f75443b021b745df3536ffd1daacd1
openshift4/ose-console@sha256:03bdcbe51aa2b3d4371cae8416004e274eb4b7f5d42a5622c863dc2c8243b645
openshift4/ose-csi-driver-shared-resource-rhel8@sha256:992f49268420891c7d2c84766e7089f72830156a64b807798770eaa0a49d1c19
openshift4/ose-csi-driver-shared-resource-webhook-rhel8@sha256:9deb4360ecb5c6faef90fa1b7651e27f42ead5a2173b43822c999fe4647a9eff
openshift4/ose-deployer@sha256:3cd3ec844838fb1fdee529a757c25ca56c987b8294b801e8220051bd53906585
openshift4/ose-docker-builder@sha256:5cca12cb97ba5c27aa416457cf09b301921dff519a428caa9e371668a125dd36
openshift4/ose-gcp-cloud-controller-manager-rhel8@sha256:6fb3e393609062cf53ca9167b9b0f70c13a8c2e190dbf439dc048885a0f46001
openshift4/ose-gcp-cluster-api-controllers-rhel8@sha256:11a62f0e2b7a762999e39395f918c8a9ac215d3d841bb74e0ec3ea69006be9d2
openshift4/ose-haproxy-router@sha256:b9580dd59a2ebc861cb57c614b710f4c7ba0dbe045d3913bd69fdeb1729af9ef
openshift4/ose-hyperkube@sha256:3c8904c40249c175fae0f095b690c4c2af17e894b521fa4cab143b0b6d2ce5bd
openshift4/ose-hypershift-rhel8@sha256:040976912fbbfe38c842a019d65e1a59bf9c166a697ae7dc1f3ea69cc4901159
openshift4/ose-ibm-cloud-controller-manager-rhel8@sha256:a42f2e3a202cfa5cfb9cae1fc4c429d7418d491193521e52cecc39c675b2e017
openshift4/ose-ibmcloud-machine-controllers-rhel8@sha256:03eb16b5d9a9a2bccb80341efad9d9ceb89d2da49f9581a88a9afc4c6b39dd3a
openshift4/ose-installer@sha256:4e187f71f014b04eda15973c3d9976ec4840faa445732ccad40fb8c59f124477
openshift4/ose-installer-artifacts@sha256:e1902928334c509b3b3df1ae72986fd5ebaf5496188573de4867cd06f5e2d070
openshift4/ose-ironic-machine-os-downloader-rhel9@sha256:89c5aab96d32a16e20f1ee46daffebb35ab69dea608c8c0cf4674d278301eff9
openshift4/ose-ironic-rhel9@sha256:37623bdc06c213388a2c2a8b09453e818a360d5bc3629a5147f49bfa5d450b32
openshift4/ose-ironic-static-ip-manager-rhel9@sha256:86d207816c15dc7ef00b4c3b70362d803d55b6c8e97c818927c8a8b781d84106
openshift4/ose-kube-proxy@sha256:4086f62a8e093113bf7ae08a2f0ac37b514b3b1763bb2ea9740947844a8e6d2f
openshift4/ose-kuryr-cni-rhel8@sha256:b9fb5f783225570e96fd7eeaf3a90a835254d6871e90bd3cec6370d51567ccec
openshift4/ose-kuryr-controller-rhel8@sha256:9d623b8122172f07706c8e2595129f7b26c36f9e13871e22c3e2a520cc329b7d
openshift4/ose-machine-api-operator@sha256:a77c209e8c26696dcd6d2a8d42455e0a5496e9901803a32b34782bcf1ed6608e
openshift4/ose-machine-os-images-rhel8@sha256:46f08016d78f6c172fb37cce4f08d1b473770e364bab50be71cc080f5829d4c7
openshift4/ose-multus-cni@sha256:b41403bb9d4220e8ffe194cab7c0a0ec35d838e7648335009e366276552053d1
openshift4/ose-must-gather@sha256:0fad1f838a8958104d2cf0705c5b26009bc89b2ef4c0c6174057757a1a9f6f2c
openshift4/ose-ovn-kubernetes@sha256:2074559a98ffa893ebf68e218f7c02eff57096073c6fe71eb52e0149e056cf45
openshift4/ose-pod@sha256:e6f6b99a48f4a7012388772ec6d28021841484877e57925cfb46ad9fe7f2afb7
openshift4/ose-sdn-rhel8@sha256:d6c16796d9509710a5764daabbcd52293ba514d0eca501f01358651a5656a97b
openshift4/ose-tests@sha256:dd299f195d86204a7433cc2f7a07fca6c4f006a0547719910a974e1604909652
openshift4/ose-tools-rhel8@sha256:2f3c184e7420ec62db4d48b33e5ad66d8ae511b1d320216060e339896b13d700
openshift4/ose-vsphere-problem-detector-rhel8@sha256:e93c675a3b488ffeaa1ccc943cad27723122cde97d62f1210647e0dd072e96b9
Related news
Gentoo Linux Security Advisory 202409-29 - Multiple vulnerabilities have been discovered in Docker, the worst of which could result in denial of service. Versions greater than or equal to 25.0.4 are affected.
Red Hat Security Advisory 2024-0948-03 - Red Hat OpenShift Container Platform release 4.13.35 is now available with updates to packages and images that fix several bugs and add enhancements.
Red Hat Security Advisory 2023-6235-01 - Red Hat OpenShift Virtualization release 4.13.5 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5952-01 - An update is now available for Red Hat OpenShift Service Mesh 2.4 for RHEL 8.
Docker Desktop before 4.12.0 is vulnerable to RCE via a crafted extension description or changelog. This issue affects Docker Desktop: before 4.12.0.
Red Hat Security Advisory 2023-5314-01 - OpenShift API for Data Protection enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes. Issues addressed include a denial of service vulnerability.
Red Hat OpenShift Virtualization release 4.13.4 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of requests.
Red Hat Security Advisory 2023-4671-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.12.30.
Red Hat Security Advisory 2023-4664-01 - OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. This advisory contains OpenShift Virtualization 4.13.3 images. Issues addressed include a denial of service vulnerability.
Red Hat OpenShift Virtualization release 4.13.3 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of requests. * CVE-2023-3089: A compliance problem was found in the Red Hat OpenShift Con...
Migration Toolkit for Applications 6.2.0 release Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-46877: A flaw was found in Jackson Databind. This issue may allow a malicious user to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization. * CVE-2022-4492: A flaw was found in undertow. The undertow client is not checking the server identity the server certificate presents in HTTPS connections. This is a...
Red Hat Security Advisory 2023-4488-01 - Red Hat OpenShift support for Windows Containers allows you to deploy Windows container workloads running on Windows Server containers.
Red Hat Security Advisory 2023-4421-01 - OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. This advisory contains OpenShift Virtualization 4.12.5 images.
Red Hat Security Advisory 2023-4226-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.13.6.
Red Hat OpenShift Container Platform release 4.13.6 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a security impact of [impact]. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number...
Red Hat Security Advisory 2023-4090-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.13.5.
Red Hat OpenShift Container Platform release 4.13.5 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server c...
Red Hat Security Advisory 2023-4025-01 - Red Hat OpenShift support for Windows Containers allows you to deploy Windows container workloads running on Windows Server containers. Issues addressed include a bypass vulnerability.
Red Hat Security Advisory 2023-4003-01 - As a Kubernetes user, I cannot easily connect services in one cluster with services in another cluster. Red Hat Application Interconnect enables me to create a service network that allows geographically distributed services to connect as if they were all running in the same site. Issues addressed include a denial of service vulnerability.
OpenShift API for Data Protection (OADP) 1.1.5 is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
- CVE-2023-24534: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused by memory exhaustion in the common function in H...
Dell VxRail, version(s) 8.0.100 and earlier contain a denial-of-service vulnerability in the upgrade functionality. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to degraded performance and system malfunction.
Red Hat Security Advisory 2023-3610-01 - Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron. Issues addressed include bypass, code execution, cross site request forgery, cross site scripting, denial of service, memory exhaustion, and resource exhaustion vulnerabilities.
Red Hat Security Advisory 2023-3447-01 - An update for etcd is now available for Red Hat OpenStack Platform 16.1 (Train).
An update for etcd is now available for Red Hat OpenStack Platform 16.1 (Train). Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2021-28235: A flaw was found in etcd, where etc-io could allow a remote attacker to gain elevated privileges on the system caused by a vulnerability in the debug function. By sending a specially crafted request, an attacker can gain elevated privileges.
- CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause e...
Red Hat Security Advisory 2023-3304-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.13.1. Issues addressed include denial of service and traversal vulnerabilities.
Red Hat OpenShift Container Platform release 4.13.1 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a security impact of [impact]. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2018-17419: The Miek Gieben DNS library is vulnerable to a denial of service caused by a segmentation violation in setTA in scan_rr.go. By persuading a victim to open a specially-crafted file, a ...
Red Hat Security Advisory 2023-1325-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.13.0. Issues addressed include bypass, denial of service, and information leakage vulnerabilities.
Red Hat Security Advisory 2023-1328-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. Issues addressed include denial of service and out of bounds read vulnerabilities.
Red Hat OpenShift Container Platform release 4.13.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2021-4235: A flaw was found in go-yaml. This issue occurs due to unbounded alias chasing, where a maliciously crafted YAML file can cause the system to consume significant system resources. If p...
Red Hat Security Advisory 2023-1327-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.13.0.
Red Hat Security Advisory 2023-2029-01 - The OpenShift Security Profiles Operator v0.7.0 is now available. Issues addressed include a denial of service vulnerability.
An updated Security Profiles Operator image that fixes various bugs is now available for the Red Hat OpenShift Enterprise 4 catalog. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2023-0475: A flaw was found in the HashiCorp go-getter package. Affected versions of the HashiCorp go-getter package are vulnerable to a denial of service via a malicious compressed archive.
- CVE-2023-25173: A flaw was found in containerd, where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases. This issue can allow access to sensitive information o...
Red Hat Security Advisory 2023-1372-01 - Red Hat OpenShift support for Windows Containers allows you to deploy Windows container workloads running on Windows Server containers. Issues addressed include a bypass vulnerability.
Red Hat Security Advisory 2023-2107-01 - The Migration Toolkit for Containers (MTC) 1.7.9 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. Issues addressed include a denial of service vulnerability.
The Migration Toolkit for Containers (MTC) 1.7.9 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2022-41724: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused when processing large TLS handshake records. By sending specially-crafted TLS handshake records, a remote, authenticated attacker can cause a denial of service condition.
- CVE-2022-41725: A flaw was found in Go, where it is vulnerable to a denial of service caused by...
In Docker Desktop 4.17.x the Artifactory Integration falls back to sending registry credentials over plain HTTP if the HTTPS health check has failed. A targeted network sniffing attack can lead to a disclosure of sensitive information. Only users who have Access Experimental Features enabled and have logged in to a private registry are affected.
Docker Desktop before 4.17.0 allows an attacker to execute an arbitrary command inside a Dev Environments container during initialization by tricking a user into opening a crafted malicious docker-desktop:// URL.
When the user sends a build request that contains a Git URL that contains credentials and the build creates a provenance attestation describing that build, these credentials could be visible from the provenance attestation. A Git URL can be passed in two ways:

1) Invoking the build directly from a URL with credentials.

```
buildctl build --frontend dockerfile.v0 --context https://<credentials>@url/repo.git
```

The equivalent in `docker buildx` would be

```
docker buildx build https://<credentials>@url/repo.git
```

2) If the client sends additional VCS info hint parameters on builds from a local source. Usually, that would mean reading the origin URL from the `.git/config` file.

Thanks to Oscar Alberto Tovar for discovering the issue.

### Impact

When a build is performed under specific conditions where credentials were passed to BuildKit, they may be visible to everyone who has access to the provenance attestation. Provenance attestations and VCS info hints were added in version v0.11.0. Previou...
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. In affected versions when the user sends a build request that contains a Git URL that contains credentials and the build creates a provenance attestation describing that build, these credentials could be visible from the provenance attestation. Git URL can be passed in two ways: 1) Invoking build directly from a URL with credentials. 2) If the client sends additional version control system (VCS) info hint parameters on builds from a local source. Usually, that would mean reading the origin URL from `.git/config` file. When a build is performed under specific conditions where credentials were passed to BuildKit they may be visible to everyone who has access to provenance attestation. Provenance attestations and VCS info hints were added in version v0.11.0. Previous versions are not vulnerable. In v0.10, when building directly from Git URL, the same URL could be visible ...
Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert).
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
containerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service. This bug has been fixed in containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.
containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well. This bug has been fixed in containerd v1.6.18 and v1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd's client library should check that application for a separate advisory and instructions. As a workaround, ensure that the `"USER $USERNAME"` Dockerfile instruction is not used. Instead, set the container ent...
### Impact

A bug was found in containerd where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well.

### Patches

This bug has been fixed in containerd v1.6.18 and v1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd's client library should check that application for a separate advisory and instructions.

### Workarounds

Ensure that the `"USER $USERNAME"` Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to `ENTRYPOINT ["su", "-",...