RHSA-2023:1569: Red Hat Security Advisory: gnutls security and bug fix update

An update for gnutls is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2023-0361: A timing side-channel vulnerability was found in RSA ClientKeyExchange messages in GnuTLS. This side-channel may be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption, the attacker would need to send a large amount of specially crafted messages to the vulnerable server. By recovering the secret from the ClientKeyExchange message, the attacker would be able to decrypt the application data exchanged over that connection.

Issued: 2023-04-04

Updated: 2023-04-04

RHSA-2023:1569 - Security Advisory


Synopsis

Moderate: gnutls security and bug fix update

Type/Severity

Security Advisory: Moderate


Topic

An update for gnutls is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The gnutls packages provide the GNU Transport Layer Security (GnuTLS) library, which implements cryptographic algorithms and protocols such as SSL, TLS, and DTLS.

Security Fix(es):

  • gnutls: timing side-channel in the TLS RSA key exchange code (CVE-2023-0361)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

  • trap invalid opcode ip:7feef81809fe sp:7fee997419c0 error:0 in libgnutls.so.30.28.2[7feef8040000+1dd000] (BZ#2131152)

Affected Products

  • Red Hat Enterprise Linux for x86_64 8 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 8 s390x
  • Red Hat Enterprise Linux for Power, little endian 8 ppc64le
  • Red Hat Enterprise Linux for ARM 64 8 aarch64

Fixes

  • BZ - 2131152 - trap invalid opcode ip:7feef81809fe sp:7fee997419c0 error:0 in libgnutls.so.30.28.2[7feef8040000+1dd000] [rhel-8.7.0.z]
  • BZ - 2162596 - CVE-2023-0361 gnutls: timing side-channel in the TLS RSA key exchange code

Red Hat Enterprise Linux for x86_64 8

SRPM

  • gnutls-3.6.16-6.el8_7.src.rpm (SHA-256: 1cd17acab57eb71972272cb7c9efdc562aa8981b3d32c0af5eca0592d4cb0c09)

x86_64

  • gnutls-3.6.16-6.el8_7.i686.rpm (SHA-256: 9422c8924a01588ee1f12705c0c953d5fcab4a6a010515fb7684a5f4cafcdca4)
  • gnutls-3.6.16-6.el8_7.x86_64.rpm (SHA-256: 71040d23812aca09e7e5b49830d6cc3b2251225ccf2570ca1060d1023dbb93eb)
  • gnutls-c++-3.6.16-6.el8_7.i686.rpm (SHA-256: 61468086caf8bb9e7ebcfbbd9310f2eefef3708da58a8b1a3a65e5e308124f02)
  • gnutls-c++-3.6.16-6.el8_7.x86_64.rpm (SHA-256: cc4176286feec405f0c7bbebce10c38c5de8a440f66b789788138692f608f8c1)
  • gnutls-c++-debuginfo-3.6.16-6.el8_7.i686.rpm (SHA-256: f1634f5ae71499cb7b37535bd17d6d9e3a8234530a0e786986abbef8e15bcbaa)
  • gnutls-c++-debuginfo-3.6.16-6.el8_7.x86_64.rpm (SHA-256: cef9527468d3f659e36bf81b737d65567c60ec70ec7d799a0e257b9e9e16b8c6)
  • gnutls-dane-3.6.16-6.el8_7.i686.rpm (SHA-256: 5ac9c9af77e92f6183eddde61cd8c8f3c2c956e0c3c6d17f3523f15fa0d21c08)
  • gnutls-dane-3.6.16-6.el8_7.x86_64.rpm (SHA-256: 4e9de93eb2a58c5c24ae4f4edce9f12afd2064c47ee640108103d55edf5c868b)
  • gnutls-dane-debuginfo-3.6.16-6.el8_7.i686.rpm (SHA-256: 9576978f2f28489cd3662ba0053bd5d28552de7c00e4a8667cf0fe1d94141561)
  • gnutls-dane-debuginfo-3.6.16-6.el8_7.x86_64.rpm (SHA-256: 582170d06baefc0b2f9107c46a19a4c861ef37c419782599fe25d8711dce3156)
  • gnutls-debuginfo-3.6.16-6.el8_7.i686.rpm (SHA-256: 2c4fc20d104441d1e297556fe0a69a5ea1b6c72ea3e4627ff24864040f01c0f8)
  • gnutls-debuginfo-3.6.16-6.el8_7.x86_64.rpm (SHA-256: 83682bd637896563fda053e5aed8ae31e7910fcbfd8389d4bdbc072fa66fb2c4)
  • gnutls-debugsource-3.6.16-6.el8_7.i686.rpm (SHA-256: 054c7fc3f6d07c038f71e5085a29bc3a023ee7b0de120221ee7afcd3c53a9584)
  • gnutls-debugsource-3.6.16-6.el8_7.x86_64.rpm (SHA-256: eb90874112618d2aba5a7cbbdaca3cbec5e50b343a09cdbae19bd3eb562dcaec)
  • gnutls-devel-3.6.16-6.el8_7.i686.rpm (SHA-256: 4fa56d2f1a869adbf1dc2f6d01a4775683a2bf7de14f1d37f47e5a9959c55659)
  • gnutls-devel-3.6.16-6.el8_7.x86_64.rpm (SHA-256: ad2197ef59b5ba9c91a6e651da39c4bd821a5544e7545caa0f9239863efee1f9)
  • gnutls-utils-3.6.16-6.el8_7.x86_64.rpm (SHA-256: a7e1356487da1e6d71b65ba4fbe5669383db171063e39051cbc8b7052332c005)
  • gnutls-utils-debuginfo-3.6.16-6.el8_7.i686.rpm (SHA-256: 5199ca7621dd51396e060da8480ea17c27e5769e919f82411547a91419a034f2)
  • gnutls-utils-debuginfo-3.6.16-6.el8_7.x86_64.rpm (SHA-256: fadd800af290d8f9881f433a36f121eff74c28aa22dc77555f6be2c17b04f9f8)

Red Hat Enterprise Linux for IBM z Systems 8

SRPM

  • gnutls-3.6.16-6.el8_7.src.rpm (SHA-256: 1cd17acab57eb71972272cb7c9efdc562aa8981b3d32c0af5eca0592d4cb0c09)

s390x

  • gnutls-3.6.16-6.el8_7.s390x.rpm (SHA-256: 47f1f7c33148d0ddd309cec1fbe00c7b39c3d9ea1fd87407e9859b26ec120808)
  • gnutls-c++-3.6.16-6.el8_7.s390x.rpm (SHA-256: 7437ca81ad4d865f039cee90e860ecd6e4b91c9146aa96bfa1bc83a49aec12ce)
  • gnutls-c++-debuginfo-3.6.16-6.el8_7.s390x.rpm (SHA-256: a5ef990ac5b0220f51d0a4680f5c7c92095e8b02599cd547e430e813e17cd996)
  • gnutls-dane-3.6.16-6.el8_7.s390x.rpm (SHA-256: c496a18327f7ce185eacb7e77eab905d9bd6dd42d4fd071fffad9f8d1553d7fd)
  • gnutls-dane-debuginfo-3.6.16-6.el8_7.s390x.rpm (SHA-256: a525c1709a658dd16e691d9f83b527d4760ee1f729e85c7102b2a78b994c466f)
  • gnutls-debuginfo-3.6.16-6.el8_7.s390x.rpm (SHA-256: 2d7d0c741c528eea9ca9ec77393c37d63cf7ae9b749b8db65d66fdc454a445f6)
  • gnutls-debugsource-3.6.16-6.el8_7.s390x.rpm (SHA-256: cc2fc1d94936e94a7dd851ffd632fb3321865f928c18c3bb8e2a3511e59dc229)
  • gnutls-devel-3.6.16-6.el8_7.s390x.rpm (SHA-256: 9b60bb20d3a7492e208f3b8fd6b7e41a46fad8d84b4bcd730f49c3227b9ac492)
  • gnutls-utils-3.6.16-6.el8_7.s390x.rpm (SHA-256: 342eb7988b3e39b66bd9c495af939b10693314c6c020795ebe5f17a6f514786b)
  • gnutls-utils-debuginfo-3.6.16-6.el8_7.s390x.rpm (SHA-256: 73f418e4a2e54c1f7d9aeb892c2807f9fd2130a2dfc9f0900d9fdab4137e26e6)

Red Hat Enterprise Linux for Power, little endian 8

SRPM

  • gnutls-3.6.16-6.el8_7.src.rpm (SHA-256: 1cd17acab57eb71972272cb7c9efdc562aa8981b3d32c0af5eca0592d4cb0c09)

ppc64le

  • gnutls-3.6.16-6.el8_7.ppc64le.rpm (SHA-256: ad538930937dc5c7b88ca1d667138f96df19bf6b4dc76ff76dbfac30342576a7)
  • gnutls-c++-3.6.16-6.el8_7.ppc64le.rpm (SHA-256: 38da8d82fd5d1ef3077d15b948f38e1aaa053d9a5443ce2ecd1f9cd4f400ecf2)
  • gnutls-c++-debuginfo-3.6.16-6.el8_7.ppc64le.rpm (SHA-256: 176fd6b1a5dd5d220893efb230d927a567ef47d51b55fc7e74dd57091146a1a6)
  • gnutls-dane-3.6.16-6.el8_7.ppc64le.rpm (SHA-256: 7488bd7789caf95f0963882c7b1df928bca9db8627aabf558f44cc60eb4cad97)
  • gnutls-dane-debuginfo-3.6.16-6.el8_7.ppc64le.rpm (SHA-256: c3781e62b6ddf2d9bc59c3c9445a8fae502a911d3d8c33c6244a5b68d60e35b3)
  • gnutls-debuginfo-3.6.16-6.el8_7.ppc64le.rpm (SHA-256: af1001def038cdaf2e748d68bec879270efbedfda2dd269f695801e7da4f8b49)
  • gnutls-debugsource-3.6.16-6.el8_7.ppc64le.rpm (SHA-256: 261572129eb6489a56a64203ca24214b346a791739e6c1d49c3733cc38e91939)
  • gnutls-devel-3.6.16-6.el8_7.ppc64le.rpm (SHA-256: 52d8c440610fb4c24447051beab20455255419c1d860c2f22a5ce013777dc48e)
  • gnutls-utils-3.6.16-6.el8_7.ppc64le.rpm (SHA-256: ed69cac61a2740182e53eb6ea4c0dc0e51d048a610eecb8220f1e31633d16885)
  • gnutls-utils-debuginfo-3.6.16-6.el8_7.ppc64le.rpm (SHA-256: ca9d37cfee08c0604938569b995303c8cd6d19ee12d35cb05a4006179d1b9ed0)

Red Hat Enterprise Linux for ARM 64 8

SRPM

  • gnutls-3.6.16-6.el8_7.src.rpm (SHA-256: 1cd17acab57eb71972272cb7c9efdc562aa8981b3d32c0af5eca0592d4cb0c09)

aarch64

  • gnutls-3.6.16-6.el8_7.aarch64.rpm (SHA-256: 633cf2fcd39ca21925514398dc13632739c8ecee1ac50c0f21e292577317337d)
  • gnutls-c++-3.6.16-6.el8_7.aarch64.rpm (SHA-256: 708691ced6cc4405d80c2566f2b86fef9dd08b7f9441aadb3c1eda48b74c5d8d)
  • gnutls-c++-debuginfo-3.6.16-6.el8_7.aarch64.rpm (SHA-256: e6a8226eeb02af280dae1229e6257a9f6e24ea923304e5c721c8a92804279fc1)
  • gnutls-dane-3.6.16-6.el8_7.aarch64.rpm (SHA-256: 16639ab27d662284b6f071cde8a5e81c6cd17c4cab6ad26e032286520eb57ab4)
  • gnutls-dane-debuginfo-3.6.16-6.el8_7.aarch64.rpm (SHA-256: 4f5fd6cbe11729538b9d1e38373a43761465950ac5e2a9144e6f0400bc661ddc)
  • gnutls-debuginfo-3.6.16-6.el8_7.aarch64.rpm (SHA-256: 9342216fcdb98cf62e86088667fb0bb688fb6a3227ba4fc01882a48a59e11650)
  • gnutls-debugsource-3.6.16-6.el8_7.aarch64.rpm (SHA-256: 41f7fa839e09f8108dd9918b92bcb58fb4806a6861a1254324caeb246d103465)
  • gnutls-devel-3.6.16-6.el8_7.aarch64.rpm (SHA-256: bbbaa24a647224efa6cf7a1065e40714738269f8f3b007090bd1383f1e311128)
  • gnutls-utils-3.6.16-6.el8_7.aarch64.rpm (SHA-256: f1a123f0529dc535e05a1c79757e52d9b9b5638d1c63187053accd8510e23582)
  • gnutls-utils-debuginfo-3.6.16-6.el8_7.aarch64.rpm (SHA-256: 634e57b946e7d35aaec3ffb7b9bda0d3afb6afc251a0b1814feac731f54ebb56)
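Two checks follow from the package lists above: whether an installed RHEL 8 gnutls build is at or past gnutls-3.6.16-6.el8_7, and whether a downloaded RPM matches the SHA-256 the advisory publishes for it. The script below is an added example and not Red Hat's own tooling: it re-implements rpm's version-comparison rules (rpmvercmp, including the `~` and `^` markers) in pure Python so it runs without librpm, and takes the installed build as the NEVR string that `rpm -q --qf '%{NAME}-%{EPOCH}:%{VERSION}-%{RELEASE}\n' gnutls` prints. The NEVR strings in the `__main__` block are constructed samples; the hash table holds only the two x86_64 entries copied from the advisory, and `verify_rpm_file` is assumed to be given a locally downloaded package.

```python
"""Check an installed gnutls build against RHSA-2023:1569 and verify a
downloaded RPM's SHA-256 against the advisory's table.

Added example, not Red Hat tooling. rpmvercmp() re-implements rpm's
version/release comparison rules: digit runs compare numerically,
letter runs lexically, '~' sorts before anything (even end of string),
'^' sorts after a base version but before anything else.
"""
import hashlib
import hmac
import os
import re

# Fixed build from the advisory: (name, epoch, version, release).
FIXED = ("gnutls", "0", "3.6.16", "6.el8_7")

# SHA-256 values copied from the advisory's x86_64 table (two entries only).
ADVISORY_SHA256 = {
    "gnutls-3.6.16-6.el8_7.src.rpm":
        "1cd17acab57eb71972272cb7c9efdc562aa8981b3d32c0af5eca0592d4cb0c09",
    "gnutls-3.6.16-6.el8_7.x86_64.rpm":
        "71040d23812aca09e7e5b49830d6cc3b2251225ccf2570ca1060d1023dbb93eb",
}


def _is_alnum(c: str) -> bool:
    return c.isascii() and c.isalnum()


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Skip separators: anything that is not alphanumeric, '~' or '^'.
        while i < len(a) and not (_is_alnum(a[i]) or a[i] in "~^"):
            i += 1
        while j < len(b) and not (_is_alnum(b[j]) or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":          # tilde sorts before everything
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":          # caret: the base version is older
            if ca == "":
                return -1
            if cb == "":
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "" or cb == "":
            break
        # Take a run of digits or a run of letters from each side.
        pat = r"[0-9]+" if ca.isdigit() else r"[a-zA-Z]+"
        ma, mb = re.match(pat, a[i:]), re.match(pat, b[j:])
        sa = ma.group(0)
        if mb is None:                      # segment types differ: numeric wins
            return 1 if ca.isdigit() else -1
        sb = mb.group(0)
        if ca.isdigit():
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):          # more digits means a larger number
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
        i, j = i + len(ma.group(0)), j + len(mb.group(0))
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1         # whichever has characters left wins


def parse_nevr(nevr: str):
    """Split 'name-[epoch:]version-release'; a missing or '(none)' epoch is '0'."""
    name_ev, _, release = nevr.rpartition("-")
    name, _, ev = name_ev.rpartition("-")
    epoch, _, version = ev.rpartition(":")
    if epoch in ("", "(none)"):
        epoch = "0"
    return name, epoch, version, release


def is_fixed(installed_nevr: str) -> bool:
    """True when the installed gnutls build is at or past the advisory's build.
    Only meaningful for RHEL 8 (el8) packages, which this advisory covers."""
    name, epoch, version, release = parse_nevr(installed_nevr)
    if not (name == "gnutls" or name.startswith("gnutls-")):
        raise ValueError(f"expected a gnutls package, got {name}")
    for have, want in zip((epoch, version, release), FIXED[1:]):
        rc = rpmvercmp(have, want)
        if rc:
            return rc > 0
    return True


def verify_rpm_bytes(filename: str, data: bytes, table=ADVISORY_SHA256) -> bool:
    """True when data hashes to the advisory's SHA-256 for filename."""
    expected = table.get(filename)
    if expected is None:                    # not a package this advisory lists
        return False
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected)


def verify_rpm_file(path: str, table=ADVISORY_SHA256) -> bool:
    with open(path, "rb") as f:
        return verify_rpm_bytes(os.path.basename(path), f.read(), table)


if __name__ == "__main__":
    # Constructed sample NEVRs in the form the rpm query format above prints.
    for nevr in ("gnutls-(none):3.6.16-5.el8_6", "gnutls-(none):3.6.16-6.el8_7",
                 "gnutls-(none):3.6.16-6.el8_7.1"):
        state = "fixed" if is_fixed(nevr) else "vulnerable, apply RHSA-2023:1569"
        print(f"{nevr}: {state}")
```

The hash comparison uses `hmac.compare_digest` out of habit rather than necessity; the advisory's SHA-256 values are public, so the point of the check is download integrity, not secrecy. Treat a mismatch as a reason to re-fetch the package from the Red Hat CDN, not to install it.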

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Related news

Red Hat Security Advisory 2023-5103-01

Red Hat Security Advisory 2023-5103-01 - OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. This advisory contains OpenShift Virtualization 4.11.6 images.

Red Hat Security Advisory 2023-4576-01

Red Hat Security Advisory 2023-4576-01 - VolSync is a Kubernetes operator that enables asynchronous replication of persistent volumes within a cluster, or across clusters.

RHSA-2023:4488: Red Hat Security Advisory: Red Hat OpenShift support for Windows Containers 6.0.1[security update]

The components for Red Hat OpenShift support for Windows Containers 6.0.1 are now available. This product release includes bug fixes and security update for the following packages: windows-machine-config-operator and windows-machine-config-operator-bundle. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-27191: A broken cryptographic algorithm flaw was found in golang.org/x/crypto/ssh. This issue causes a client to fail authentication with RSA keys to servers that reject...

CVE-2023-22062: Oracle Critical Patch Update Advisory - July 2023

Vulnerability in the Oracle Hyperion Financial Reporting product of Oracle Hyperion (component: Repository). The supported version that is affected is 11.2.13.0.000. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Hyperion Financial Reporting. While the vulnerability is in Oracle Hyperion Financial Reporting, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hyperion Financial Reporting accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Hyperion Financial Reporting. CVSS 3.1 Base Score 8.5 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L).

RHSA-2023:4112: Red Hat Security Advisory: Red Hat OpenShift Service Mesh 2.2.8 security update

Red Hat OpenShift Service Mesh 2.2.8 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. * CVE-2023-3089: A compliance problem was found in the Red Hat OpenShift Container Platform. Red Hat discovered that, when FIPS mode was enabled, not all of the cryptographic modu...

Red Hat Security Advisory 2023-3742-02

Red Hat Security Advisory 2023-3742-02 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. Issues addressed include bypass, denial of service, and remote SQL injection vulnerabilities.

RHSA-2023:3742: Red Hat Security Advisory: Red Hat OpenShift Data Foundation 4.13.0 security and bug fix update

Updated images that include numerous enhancements, security, and bug fixes are now available in Red Hat Container Registry for Red Hat OpenShift Data Foundation 4.13.0 on Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-16250: A flaw was found in Vault and Vault Enterprise (“Vault”). In the affected versions of Vault, with the AWS Auth Method configured and under certain circumstances, the values relied upon by Vault to validate AWS IAM ident...

RHSA-2023:3664: Red Hat Security Advisory: OpenShift Jenkins image and Jenkins agent base image security update

Release of Bug Advisories for the OpenShift Jenkins image and Jenkins agent base image. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid. * CVE-2022-2880: A flaw was found in the golang package, where reques...

RHSA-2023:3645: Red Hat Security Advisory: Red Hat OpenShift Service Mesh 2.2.7 security update

Red Hat OpenShift Service Mesh 2.2.7 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-20329: A flaw was found in Mongo. Specific cstrings input may not be properly validated in the MongoDB Go Driver when marshaling Go objects into BSON. This flaw allows a malicious user to use a Go object with a specific string to inject additional fields into marshaled documents. * CVE-2021-43138: A vulnerability was found in the async package. This flaw allows a malicious user to obtai...

RHSA-2023:3542: Red Hat Security Advisory: OpenShift Container Platform 4.11.43 bug fix and security update

Red Hat OpenShift Container Platform release 4.11.43 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.11. Red Hat Product Security has rated this update as having a security impact of [impact]. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-38561: A flaw was found in golang. The language package for go language can panic due to an out-of-bounds read when an incorrectly formatted language tag is being parsed. This flaw allows a...

Red Hat Security Advisory 2023-3361-01

Red Hat Security Advisory 2023-3361-01 - The gnutls packages provide the GNU Transport Layer Security library, which implements cryptographic algorithms and protocols such as SSL, TLS, and DTLS.

RHSA-2023:3373: Red Hat Security Advisory: Migration Toolkit for Runtimes security update

An update for mtr-operator-bundle-container, mtr-operator-container, mtr-web-container, and mtr-web-executor-container is now available for Migration Toolkit for Runtimes 1 on RHEL 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-46877: A flaw was found in Jackson Databind. This issue may allow a malicious user to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization. * CVE-2022-41854: Those using Sn...

Red Hat Security Advisory 2023-3296-01

Red Hat Security Advisory 2023-3296-01 - Multicluster Engine for Kubernetes 2.2.4 images Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy.

Red Hat Security Advisory 2023-3297-01

Red Hat Security Advisory 2023-3297-01 - Red Hat Advanced Cluster Management for Kubernetes 2.7.4 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs.

RHSA-2023:3265: Red Hat Security Advisory: Red Hat OpenShift Data Foundation 4.12.3 Security and Bug fix update

Updated images that fix several bugs are now available for Red Hat OpenShift Data Foundation 4.12.3 on Red Hat Enterprise Linux 8 from Red Hat Container Registry. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-23539: A flaw was found in the jsonwebtoken package. The affected versions of the `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. *...

RHSA-2023:0584: Red Hat Security Advisory: Secondary Scheduler Operator for Red Hat OpenShift 1.1.1 security update

Secondary Scheduler Operator for Red Hat OpenShift 1.1.1 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After the fix, the reverse proxy sanitizes the query ...

RHSA-2023:1326: Red Hat Security Advisory: OpenShift Container Platform 4.13.0 security update

Red Hat OpenShift Container Platform release 4.13.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4235: A flaw was found in go-yaml. This issue occurs due to unbounded alias chasing, where a maliciously crafted YAML file can cause the system to consume significant system resources. If p...

RHSA-2023:2710: Red Hat Security Advisory: Red Hat Single Sign-On 7.6.3 for OpenShift image security update

A new image is available for Red Hat Single Sign-On 7.6.3, running on Red Hat OpenShift Container Platform from the release of 3.11 up to the release of 4.12.0. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-0341: In verifyHostName of OkHostnameVerifier.java, there is a possible way to accept a certificate for the wrong domain due to improperly used crypto. This could lead to remote information disclosure with no additional execution privileges needed. User interaction...

Red Hat Security Advisory 2023-2107-01

Red Hat Security Advisory 2023-2107-01 - The Migration Toolkit for Containers (MTC) 1.7.9 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. Issues addressed include a denial of service vulnerability.

RHSA-2023:2104: Red Hat Security Advisory: Red Hat Advanced Cluster Management 2.5.8 security updates and bug fixes

Red Hat Advanced Cluster Management for Kubernetes 2.5.8 General Availability release images, which fix bugs and security updates container images. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25881: A flaw was found in http-cache-semantics. When the server reads the cache policy from the request using this library, a Regular Expression Denial of Service occurs, caused by malicious request header values sent to the server.

RHSA-2023:2083: Red Hat Security Advisory: Red Hat Advanced Cluster Management 2.6.5 security updates and bug fixes

Red Hat Advanced Cluster Management for Kubernetes 2.6.5 General Availability release images, which fix bugs and security updates container images. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3841: A Server-Side Request Forgery (SSRF) vulnerability was found in the console API endpoint from Red Hat Advanced Cluster Management for Kubernetes (RHACM). An attacker could take advantage of this as the console API endpoint is missing an authentication check, allowing unauth...

Red Hat Security Advisory 2023-2061-01

Red Hat Security Advisory 2023-2061-01 - Multicluster Engine for Kubernetes 2.1.6 images Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-2041-01

Red Hat Security Advisory 2023-2041-01 - Migration Toolkit for Applications 6.1.0 Images. Issues addressed include denial of service, privilege escalation, server-side request forgery, and traversal vulnerabilities.

RHSA-2023:2041: Red Hat Security Advisory: Migration Toolkit for Applications security and bug fix update

Migration Toolkit for Applications 6.1.0 release Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3782: A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain or possibly conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect ...
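The Keycloak entry above turns on how a redirect URI is matched against a registered pattern that ends in a wildcard. The block below is an added example written for this page, not Keycloak's code: it assumes a Keycloak-like pattern syntax (a literal URI, optionally ending in `*`), puts the bypassable string-prefix check beside a component-wise check, and shows the inputs that separate the two (a look-alike host, userinfo before an `@`, and dot-segment traversal in the path).

```python
"""Redirect URI validation with an end-of-pattern wildcard.

Illustrative code for this page, not Keycloak's implementation.  Pattern syntax
is assumed: a literal URI, optionally ending in "*" to allow any suffix.
"""
import posixpath
from urllib.parse import unquote, urlsplit


def naive_match(redirect_uri: str, pattern: str) -> bool:
    """Wildcard as a plain string prefix: the bypassable shape.

    With pattern "https://app.example.com*" every URI whose *text* begins with
    that string passes, including URIs that point at a different host.
    """
    if pattern.endswith("*"):
        return redirect_uri.startswith(pattern[:-1])
    return redirect_uri == pattern


def strict_match(redirect_uri: str, pattern: str) -> bool:
    """Compare scheme, host and port exactly; the wildcard applies to the path only."""
    try:
        r, p = urlsplit(redirect_uri), urlsplit(pattern)
        r_port, p_port = r.port, p.port            # ValueError on a non-numeric port
    except ValueError:
        return False
    if r.scheme not in ("https", "http") or r.scheme != p.scheme:
        return False
    if r.username or r.password or r.fragment:   # userinfo and fragments never belong in a redirect_uri
        return False
    # hostname is lower-cased by urlsplit; a pattern like "https://app.example.com*"
    # yields the host "app.example.com*", which matches nothing (fails closed).
    if not r.hostname or r.hostname != p.hostname or r_port != p_port:
        return False
    # Percent-decode and collapse "." / ".." segments before comparing paths,
    # so "/cb/../admin" is judged as "/admin", not as something under "/cb".
    path = posixpath.normpath(unquote(r.path) or "/")
    p_path = p.path or "/"
    if p_path.endswith("*"):
        prefix = p_path[:-1]
        # normpath drops a trailing slash, so "/cb/" must still satisfy "/cb/*"
        return path.startswith(prefix) or path == prefix.rstrip("/")
    return path == posixpath.normpath(p_path)
```

The safest policy remains exact registration with no wildcard at all; where a wildcard cannot be avoided, confining it to the path after scheme, host and port have been compared as parsed components is what keeps a look-alike host or an `@` in the authority from passing. Query handling is left to the caller's policy here.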

Red Hat Security Advisory 2023-2023-01

Red Hat Security Advisory 2023-2023-01 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform.

Red Hat Security Advisory 2023-1887-01

Red Hat Security Advisory 2023-1887-01 - Multicluster Engine for Kubernetes 2.2.3 images Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy. Issues addressed include a denial of service vulnerability.

RHSA-2023:2023: Red Hat Security Advisory: Red Hat OpenShift Data Foundation 4.11.7 Bug Fix and security update

Updated images that fix several bugs are now available for Red Hat OpenShift Data Foundation 4.11.7 on Red Hat Enterprise Linux 8 from Red Hat Container Registry. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-40186: A flaw was found in HashiCorp Vault and Vault Enterprise, where they could allow a locally authenticated attacker to gain unauthorized access to the system, caused by a flaw in the alias naming schema implementation for mount accessors with shared alias n...

RHSA-2023:1953: Red Hat Security Advisory: Logging Subsystem 5.6.5 - Red Hat OpenShift security update

Logging Subsystem 5.6.5 - Red Hat OpenShift Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-27539: A denial of service vulnerability was found in rubygem-rack in how it parses headers. A carefully crafted input can cause header parsing to take an unexpected amount of time, possibly resulting in a denial of service. * CVE-2023-28120: A Cross-Site-Scripting vulnerability was found in rubygem ActiveSupport. If the new bytesplice method is called on a SafeBuffer with untrus...

Red Hat Security Advisory 2023-1888-01

Red Hat Security Advisory 2023-1888-01 - Red Hat Advanced Cluster Management for Kubernetes 2.7.3 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs. Issues addressed include denial of service and server-side request forgery vulnerabilities.

RHSA-2023:1888: Red Hat Security Advisory: Red Hat Advanced Cluster Management 2.7.3 security fixes and bug fixes

Red Hat Advanced Cluster Management for Kubernetes 2.7.3 General Availability release images, which fix bugs and deliver security updates to the container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3841: A Server-Side Request Forgery (SSRF) vulnerability was found in the console API endpoint from Red Hat Advanced Cluster Management for Kubernetes (RHACM). An attacker could take advantage of this as the console API endpoint is missing an authentication check, allowing unauth...
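The CVE-2022-3841 summaries for RHACM 2.6.5 and 2.7.3 describe two defects stacked together: an endpoint that fetches a URL on the caller's behalf, and no authentication check in front of it. The block below is an added example written for this page, not RHACM's console code; the allow list, the token store and the injectable `fetch` callable are assumptions of the example. It shows the ordering a practitioner wants: authenticate the caller, validate the destination as parsed components (scheme, userinfo, IP literal, allow-listed name), and only then make the outbound request.

```python
"""Authentication and destination checks for an endpoint that fetches URLs on a
caller's behalf.  Illustrative code, not RHACM's console; ALLOWED_HOSTS, the
token list and the fetch callable are all assumptions of this example."""
import hmac
import ipaddress
from typing import Callable, Iterable, Mapping, Tuple
from urllib.parse import urlsplit

ALLOWED_HOSTS = frozenset({"api.hub.example.internal"})   # assumed for the example
ALLOWED_SCHEMES = frozenset({"https"})


def bearer_token_ok(headers: Mapping[str, str], valid_tokens: Iterable[str]) -> bool:
    """Require `Authorization: Bearer <token>`; compare without leaking length or prefix."""
    lowered = {k.lower(): v for k, v in headers.items()}
    scheme, _, presented = lowered.get("authorization", "").partition(" ")
    presented = presented.strip()
    if scheme.lower() != "bearer" or not presented:
        return False
    return any(hmac.compare_digest(presented.encode(), t.encode()) for t in valid_tokens)


def target_allowed(url: str) -> bool:
    """Allow only https to a named host on the allow list; never an IP literal."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
        _ = parts.port                       # ValueError if the port is not numeric
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not host:
        return False
    if parts.username or parts.password:
        # "https://api.hub.example.internal@169.254.169.254/" puts the allowed
        # name in userinfo; the real destination is after the "@"
        return False
    try:
        ipaddress.ip_address(host)           # "169.254.169.254", "127.0.0.1", "::1" ...
        return False                         # IP literals bypass a name-based allow list
    except ValueError:
        pass
    return host in ALLOWED_HOSTS


def handle_console_request(headers: Mapping[str, str], target_url: str,
                           fetch: Callable[[str], str],
                           valid_tokens: Iterable[str]) -> Tuple[int, str]:
    """Auth first, destination second, outbound request last."""
    if not bearer_token_ok(headers, valid_tokens):
        return 401, "authentication required"
    if not target_allowed(target_url):
        return 403, "target not permitted"
    return 200, fetch(target_url)
```

A name-based allow list still has to be enforced at connect time: resolve the name in the HTTP client, reject private, loopback and link-local addresses there as well (DNS rebinding returns a public address to the check and a private one to the socket), and disable automatic redirects, since an allowed first hop says nothing about where a 302 sends the client.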

RHSA-2023:1887: Red Hat Security Advisory: Multicluster Engine for Kubernetes 2.2.3 security updates and bug fixes

Multicluster Engine for Kubernetes 2.2.3 General Availability release images, which fix bugs and deliver security updates to the container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25881: A flaw was found in http-cache-semantics. When the server reads the cache policy from the request using this library, a Regular Expression Denial of Service occurs, caused by malicious request header values sent to the server. * CVE-2023-29017: A flaw was found in vm2 where the component...
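Three entries on this page (CVE-2022-25881 in http-cache-semantics for RHACM 2.5.8 and Multicluster Engine 2.2.3, and CVE-2023-27539 in rubygem-rack for the Logging Subsystem) share one mechanism: a request header is parsed by a regular expression whose running time depends on the header's shape, so a crafted value costs the server seconds of CPU. The block below is an added example written for this page, not the code of either library: a single-pass `Cache-Control` parser whose index only moves forward, plus a size bound applied before any parsing. The backtracking-prone pattern shown in a comment is a hypothetical shape, not either library's actual expression, and is deliberately never executed.

```python
"""Linear-time Cache-Control parsing.  Added example, not http-cache-semantics
or rack code.  The commented pattern is hypothetical: two adjacent unbounded
whitespace matchers inside a repeated group give a backtracking engine
exponentially many ways to split a run of spaces, so a header of a few
thousand spaces followed by a non-matching byte pins a core.  Never run it.
"""
from typing import Dict, Optional

# REDOS_PRONE = r"^(\s*,?\s*)*directive"      # hypothetical shape only; do not use

MAX_HEADER_LEN = 4096       # reject before parsing; the bound is an assumed policy value
MAX_DIRECTIVES = 64


class CacheControlError(ValueError):
    pass


def parse_cache_control(header: str) -> Dict[str, Optional[str]]:
    """Return {directive: value-or-None}, examining each character exactly once.

    Handles comma-separated directives, optional `=token` or `="quoted-string"`
    values and backslash escapes inside quotes.  The index `i` never moves
    backwards, so cost is O(len(header)) whatever the input looks like.
    """
    if len(header) > MAX_HEADER_LEN:
        raise CacheControlError("Cache-Control header too long")
    directives: Dict[str, Optional[str]] = {}
    i, n = 0, len(header)
    while i < n:
        while i < n and header[i] in " \t,":          # separators and OWS
            i += 1
        if i >= n:
            break
        start = i
        while i < n and header[i] not in "=, \t":    # directive name
            i += 1
        name = header[start:i].lower()
        value: Optional[str] = None
        while i < n and header[i] in " \t":
            i += 1
        if i < n and header[i] == "=":
            i += 1
            while i < n and header[i] in " \t":
                i += 1
            if i < n and header[i] == '"':           # quoted-string value
                i += 1
                buf = []
                while i < n and header[i] != '"':
                    if header[i] == "\\" and i + 1 < n:   # quoted-pair
                        i += 1
                    buf.append(header[i])
                    i += 1
                if i >= n:
                    raise CacheControlError("unterminated quoted-string")
                i += 1                               # closing quote
                value = "".join(buf)
            else:                                    # token value
                start = i
                while i < n and header[i] not in ", \t":
                    i += 1
                value = header[start:i]
        if name:
            if name not in directives and len(directives) >= MAX_DIRECTIVES:
                raise CacheControlError("too many directives")
            directives[name] = value
    return directives


def max_age_seconds(directives: Dict[str, Optional[str]]) -> Optional[int]:
    """delta-seconds of max-age, or None if absent or malformed; huge values clamped."""
    v = directives.get("max-age")
    if v is None or not (v.isascii() and v.isdigit()):    # rejects sign, spaces, decimals
        return None
    return min(int(v), 2**31 - 1)
```

The two defences are independent: the length cap bounds the worst case even if a regex does creep back in, and the hand-written scanner removes the super-linear behaviour altogether. When a regex must stay, check it for nested or adjacent unbounded quantifiers that can match the same characters, which is the shape every ReDoS on a header has.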

CVE-2023-21954: Oracle Critical Patch Update Advisory - April 2023

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through...

Red Hat Security Advisory 2023-1200-01

Red Hat Security Advisory 2023-1200-01 - The gnutls packages provide the GNU Transport Layer Security library, which implements cryptographic algorithms and protocols such as SSL, TLS, and DTLS.

RHSA-2023:1200: Red Hat Security Advisory: gnutls security and bug fix update

An update for gnutls is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-0361: A timing side-channel vulnerability was found in RSA ClientKeyExchange messages in GnuTLS. This side-channel may be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption, the attacker would need to send a large amount of specially...

Red Hat Security Advisory 2023-1141-01

Red Hat Security Advisory 2023-1141-01 - The gnutls packages provide the GNU Transport Layer Security library, which implements cryptographic algorithms and protocols such as SSL, TLS, and DTLS.

RHSA-2023:1141: Red Hat Security Advisory: gnutls security and bug fix update

An update for gnutls is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-0361: A timing side-channel vulnerability was found in RSA ClientKeyExchange messages in GnuTLS. This side-channel may be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption, the attacker would need to send a large amount of specially crafted messages to the v...

Ubuntu Security Notice USN-5901-1

Ubuntu Security Notice 5901-1 - Hubert Kario discovered that GnuTLS had a timing side-channel when handling certain RSA messages. A remote attacker could possibly use this issue to recover sensitive information.

Debian Security Advisory 5349-1

Debian Linux Security Advisory 5349-1 - Hubert Kario discovered a timing side channel in the RSA decryption implementation of the GNU TLS library.

CVE-2023-0361: Timing sidechannel in RSA decryption (#1050) · Issues · gnutls / GnuTLS · GitLab

A timing side-channel in the handling of RSA ClientKeyExchange messages was discovered in GnuTLS. This side-channel can be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption the attacker would need to send a large amount of specially crafted messages to the vulnerable server. By recovering the secret from the ClientKeyExchange message, the attacker would be able to decrypt the application data exchanged over that connection.
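The RHSA-2023:1200, RHSA-2023:1141, USN-5901-1, DSA-5349-1 and GitLab entries above all describe the same defect: the time taken to reject a malformed RSA ClientKeyExchange depends on which padding check failed, and that difference is the oracle a Bleichenbacher-style attack queries. The block below is an added example written for this page, not GnuTLS code. It implements the countermeasure RFC 5246 section 7.4.7.1 prescribes for TLS 1.2 servers: draw a random premaster secret before decrypting, inspect every byte of the decrypted block without an early exit, and select the real or the fallback secret with a mask so no error is ever signalled. The early-exit `unpad_leaky` is shown beside it as the shape to avoid. Key generation is textbook RSA with a deliberately small modulus so the example runs offline and is for demonstration only; CPython makes no constant-time guarantee, so the data-independent structure is the part to carry over.

```python
"""RSA ClientKeyExchange handling with the RFC 5246 7.4.7.1 countermeasure.
Added example, not GnuTLS code.  Demo-only RSA key generation; CPython cannot
promise constant time, the branch-free structure is the point."""
import math
import secrets

PREMASTER_LEN = 48          # TLS 1.2 premaster secret: 2 version bytes + 46 random


def _is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin, used only to build a demo key."""
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1     # top bit set, odd
        if _is_probable_prime(cand):
            return cand


def gen_key(bits: int = 512):
    """Return ((n, e), (n, d)).  512 bits is far too small for real use."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _byte_len(n: int) -> int:
    return (n.bit_length() + 7) // 8


def pkcs1_v15_encrypt(pub, msg: bytes) -> bytes:
    """Client side: EM = 0x00 || 0x02 || PS (non-zero, >= 8 bytes) || 0x00 || M."""
    n, e = pub
    k = _byte_len(n)
    ps_len = k - 3 - len(msg)
    if ps_len < 8:
        raise ValueError("message too long for modulus")
    ps = bytes(1 + secrets.randbelow(255) for _ in range(ps_len))
    em = b"\x00\x02" + ps + b"\x00" + msg
    return pow(int.from_bytes(em, "big"), e, n).to_bytes(k, "big")


def rsa_decrypt_raw(priv, ciphertext: bytes) -> bytes:
    """Server side, textbook RSA: the full k-byte encoded block EM."""
    n, d = priv
    return pow(int.from_bytes(ciphertext, "big"), d, n).to_bytes(_byte_len(n), "big")


def unpad_leaky(em: bytes, client_version: bytes) -> bytes:
    """Early-exit unpadding: each failure returns at a different time (the oracle)."""
    if em[0] != 0 or em[1] != 2:
        raise ValueError("bad block type")          # fails after reading 2 bytes
    sep = em.find(b"\x00", 2)                       # cost depends on where the zero sits
    if sep < 10:
        raise ValueError("padding string too short")
    pms = em[sep + 1:]
    if len(pms) != PREMASTER_LEN or pms[:2] != client_version:
        raise ValueError("bad premaster secret")    # yet another distinguishable path
    return pms


def _is_zero(b: int) -> int:
    """1 if b == 0 else 0, for 0 <= b <= 255, without branching on b."""
    return ((b - 1) >> 8) & 1


def unpad_tls_premaster(em: bytes, fallback: bytes, client_version: bytes) -> bytes:
    """Visit every byte, accumulate one error flag, select by mask; never raise."""
    k = len(em)
    sep = k - PREMASTER_LEN - 1                     # required 0x00 position: depends on k only
    if sep - 2 < 8:
        raise ValueError("modulus too small")       # a property of the key, not the plaintext
    bad = em[0] | (em[1] ^ 0x02)
    for i in range(2, k):
        if i < sep:                                 # PS region: every byte must be non-zero
            bad |= _is_zero(em[i])
        elif i == sep:                              # separator must be zero
            bad |= em[i]
    pms = em[sep + 1:]
    bad |= pms[0] ^ client_version[0]               # version check folded into the same flag
    bad |= pms[1] ^ client_version[1]
    keep = -_is_zero(bad) & 0xFF                    # 0xFF if all checks passed, else 0x00
    return bytes((pms[i] & keep) | (fallback[i] & (keep ^ 0xFF)) for i in range(PREMASTER_LEN))


def server_premaster(priv, ciphertext: bytes, client_version: bytes) -> bytes:
    """Decrypt a ClientKeyExchange; on any padding or version error use random bytes silently."""
    fallback = secrets.token_bytes(PREMASTER_LEN)   # drawn before decryption, as RFC 5246 directs
    return unpad_tls_premaster(rsa_decrypt_raw(priv, ciphertext), fallback, client_version)
```

With the fallback in place a forged ciphertext simply yields a handshake that fails at the Finished message, indistinguishable from any other wrong premaster, which is what denies the attacker the oracle. The remaining caveat is the one the advisories are about: the modular exponentiation and the unpadding must themselves be free of secret-dependent timing, which in a C implementation means constant-time RSA-CRT blinding and byte selection rather than the Python approximation above.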

CVE-2020-13777: gnutls.org

GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting a session ticket (a loss of confidentiality in TLS 1.2, and an authentication bypass in TLS 1.3). The earliest affected version is 3.6.4 (2018-09-24) because of an error in a 2018-09-18 commit. Until the first key rotation, the TLS server always uses wrong data in place of an encryption key derived from an application.