RHSA-2023:3362: Red Hat Security Advisory: OpenShift Container Platform 4.10.61 packages and security update
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2023-1370: A flaw was found in the json-smart package. When the parser reaches a '[' or '{' character in the JSON input, it parses an array or an object, respectively, and the library places no limit on how deeply such arrays or objects may be nested. Because nested arrays and objects are parsed recursively, input nested deeply enough exhausts the call stack (stack overflow) and crashes the software.
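To make the mechanism above concrete, here is an added illustration written for this page; it is not json-smart's parser and does not reproduce its code. It is a minimal recursive-descent JSON parser that, with max_depth=None, recurses once per '[' or '{' with no limit (the shape the CVE describes), and with an integer max_depth refuses over-deep input before making the next recursive call. MAX_DEPTH = 64 is an assumed value for the hardened shape; the advisory does not state what limit the fixed json-smart applies. nested_payload() builds a constructed attacker input of repeated opening brackets.

```python
"""Added illustration of the CVE-2023-1370 bug class; not json-smart's code.

parse(text) with max_depth=None recurses once per '[' or '{' with no limit,
the shape the CVE describes, so enough nesting exhausts the stack. With an
integer max_depth the same grammar refuses over-deep input before recursing.
Python reports stack exhaustion as RecursionError; a JVM throws
StackOverflowError and a native recursive parser typically segfaults.
"""

MAX_DEPTH = 64  # assumed limit for the hardened variant; the page gives none


class JSONDepthError(ValueError):
    """Raised when nesting exceeds the configured max_depth."""


class _Parser:
    def __init__(self, text, max_depth):
        self.s, self.i, self.max_depth = text, 0, max_depth

    def _ws(self):
        while self.i < len(self.s) and self.s[self.i] in " \t\r\n":
            self.i += 1

    def _expect(self, ch):
        self._ws()
        if self.i >= len(self.s) or self.s[self.i] != ch:
            raise ValueError(f"expected {ch!r} at offset {self.i}")
        self.i += 1

    def value(self, depth=0):
        self._ws()
        if self.i >= len(self.s):
            raise ValueError("unexpected end of input")
        c = self.s[self.i]
        if c in "[{":
            # The recursion the CVE describes: every '[' or '{' is one more
            # level of frames. The hardened shape checks depth *before* recursing.
            if self.max_depth is not None and depth >= self.max_depth:
                raise JSONDepthError(f"nesting deeper than {self.max_depth} at offset {self.i}")
            return self.array(depth + 1) if c == "[" else self.obj(depth + 1)
        if c == '"':
            return self.string()
        for lit, val in (("true", True), ("false", False), ("null", None)):
            if self.s.startswith(lit, self.i):
                self.i += len(lit)
                return val
        return self.number()

    def array(self, depth):
        self._expect("[")
        out = []
        self._ws()
        if self.s.startswith("]", self.i):
            self.i += 1
            return out
        while True:
            out.append(self.value(depth))
            self._ws()
            if not self.s.startswith(",", self.i):
                self._expect("]")
                return out
            self.i += 1

    def obj(self, depth):
        self._expect("{")
        out = {}
        self._ws()
        if self.s.startswith("}", self.i):
            self.i += 1
            return out
        while True:
            key = self.string()
            self._expect(":")
            out[key] = self.value(depth)
            self._ws()
            if not self.s.startswith(",", self.i):
                self._expect("}")
                return out
            self.i += 1

    def string(self):
        self._expect('"')
        start = self.i
        while self.i < len(self.s) and self.s[self.i] != '"':
            self.i += 2 if self.s[self.i] == "\\" else 1  # skip escapes, no decoding
        if self.i >= len(self.s):
            raise ValueError("unterminated string")
        self.i += 1
        return self.s[start:self.i - 1]

    def number(self):
        start = self.i
        while self.i < len(self.s) and self.s[self.i] in "+-0123456789.eE":
            self.i += 1
        if start == self.i:
            raise ValueError(f"unexpected {self.s[start]!r} at offset {start}")
        tok = self.s[start:self.i]
        return float(tok) if any(ch in tok for ch in ".eE") else int(tok)


def parse(text, max_depth=None):
    """max_depth=None is the vulnerable shape; an integer bounds the nesting."""
    p = _Parser(text, max_depth)
    v = p.value()
    p._ws()
    if p.i != len(p.s):
        raise ValueError("trailing data")
    return v


def nested_payload(depth):
    """Constructed attacker input: `depth` opening brackets, '[[[...]]]'."""
    return "[" * depth + "]" * depth


def classify(text, max_depth=None):
    """Report how parse() fared on `text`: 'ok', 'stack exhausted' or 'rejected'."""
    try:
        parse(text, max_depth)
        return "ok"
    except RecursionError:
        return "stack exhausted"
    except JSONDepthError:
        return "rejected"


if __name__ == "__main__":
    deep = nested_payload(100_000)  # ~100 KB is plenty; real payloads can be far bigger
    print("unbounded:", classify(deep))
    print("bounded:  ", classify(deep, MAX_DEPTH))
```

The point of the bounded shape is where the check sits: the depth is tested before the recursive call is made, so a hostile document is rejected with an ordinary parse error long before the stack is in danger. Catching StackOverflowError (or RecursionError) after the fact is not an equivalent fix, since by then the thread's stack has already been consumed and other code on the same stack may have been interrupted mid-operation.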
Issued: 2023-06-07
Updated: 2023-06-07
RHSA-2023:3362 - Security Advisory
Synopsis
Important: OpenShift Container Platform 4.10.61 packages and security update
Type/Severity
Security Advisory: Important
Topic
Red Hat OpenShift Container Platform release 4.10.61 is now available with updates to packages and images that fix several bugs and add enhancements.
This release includes a security update for Red Hat OpenShift Container Platform 4.10.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Red Hat OpenShift Container Platform is Red Hat’s cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.
This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.10.61. See the following advisory for the container images for this release:
https://access.redhat.com/errata/RHSA-2023:3363
Security Fix(es):
- json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
All OpenShift Container Platform 4.10 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.10/updating/updating-cluster-cli.html
Affected Products
- Red Hat OpenShift Container Platform 4.10 for RHEL 8 x86_64
- Red Hat OpenShift Container Platform 4.10 for RHEL 7 x86_64
- Red Hat OpenShift Container Platform for Power 4.10 for RHEL 8 ppc64le
- Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.10 for RHEL 8 s390x
- Red Hat OpenShift Container Platform for ARM 64 4.10 aarch64
Fixes
- BZ - 2188542 - CVE-2023-1370 json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)
References
- https://access.redhat.com/security/updates/classification/#important
- https://access.redhat.com/articles/11258
Red Hat OpenShift Container Platform 4.10 for RHEL 8
SRPM
cri-o-1.23.5-15.rhaos4.10.git0bbb0d9.el8.src.rpm
SHA-256: 0a9e7371b1963ffa2f857e4217650e0b4921f9b03326c608ebef1abc59c0b584
jenkins-2-plugins-4.10.1684982411-1.el8.src.rpm
SHA-256: 85f40c5f19896ee02735f95b2d92a9a5b27c539aaf706590c0d9492bca55788e
python-sushy-4.1.6-0.20230517173625.5490eb6.el8.src.rpm
SHA-256: 848a3fa001498aa50483ade0bb14cfc034ee29181bd8383083363ae6b4fcbf1b
x86_64
cri-o-1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64.rpm
SHA-256: fc6f3e239a9b9d75d03f88a5311ee2e6cf78f7e68692245c9decb1edcca85d87
cri-o-debuginfo-1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64.rpm
SHA-256: 371895a312b1e79de966a098e9edf70afbd3bfe0a3ed6bd336b91829aad78bca
cri-o-debugsource-1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64.rpm
SHA-256: d45330d01ed01d62ce5d517f7cfe4cb31bf3866c35848a9b9a43fca9a328b49a
jenkins-2-plugins-4.10.1684982411-1.el8.noarch.rpm
SHA-256: 7db9937d755e4139e9726d81014109a093a33fbdc57f09f9fdf8db011ce54c0d
python3-sushy-4.1.6-0.20230517173625.5490eb6.el8.noarch.rpm
SHA-256: 9c86e8aa5e287332b0aa8a516f0d642838ae1b21c9e1b69e4779ee82ed57f539
python3-sushy-tests-4.1.6-0.20230517173625.5490eb6.el8.noarch.rpm
SHA-256: 41cf92f300179c9fa6697639978cc7fc4b68330d8fb811531bb3fb68ac281c53
Red Hat OpenShift Container Platform 4.10 for RHEL 7
SRPM
cri-o-1.23.5-15.rhaos4.10.git0bbb0d9.el7.src.rpm
SHA-256: 1bbdc4c12e1cf6403f2e5118ad21a4487ac2682299558e165d05a249742aceeb
x86_64
cri-o-1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64.rpm
SHA-256: 74a394d24e96f2bc7d99e3c329044766e0509cec1b752a391be2f6f3b504cd01
cri-o-debuginfo-1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64.rpm
SHA-256: 1bc2bc6d70a330f991cf1998248a00da4746ddf8641e2afec004370bfbb9683b
Red Hat OpenShift Container Platform for Power 4.10 for RHEL 8
SRPM
cri-o-1.23.5-15.rhaos4.10.git0bbb0d9.el8.src.rpm
SHA-256: 0a9e7371b1963ffa2f857e4217650e0b4921f9b03326c608ebef1abc59c0b584
jenkins-2-plugins-4.10.1684982411-1.el8.src.rpm
SHA-256: 85f40c5f19896ee02735f95b2d92a9a5b27c539aaf706590c0d9492bca55788e
python-sushy-4.1.6-0.20230517173625.5490eb6.el8.src.rpm
SHA-256: 848a3fa001498aa50483ade0bb14cfc034ee29181bd8383083363ae6b4fcbf1b
ppc64le
cri-o-1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le.rpm
SHA-256: a5ca804caeceb66fffb9b3ff6efe9fa6e0a291aa53bf9b22251e69454506b099
cri-o-debuginfo-1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le.rpm
SHA-256: 95ef92e91e7dc6dbac55438d1fdde6902c39d4a694080321eaf31c3c0e0aaeb7
cri-o-debugsource-1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le.rpm
SHA-256: e18a027d4006c940c7b2f77f9f3118a227965bfc633e3813f1dafdcccac3e5a8
jenkins-2-plugins-4.10.1684982411-1.el8.noarch.rpm
SHA-256: 7db9937d755e4139e9726d81014109a093a33fbdc57f09f9fdf8db011ce54c0d
python3-sushy-4.1.6-0.20230517173625.5490eb6.el8.noarch.rpm
SHA-256: 9c86e8aa5e287332b0aa8a516f0d642838ae1b21c9e1b69e4779ee82ed57f539
python3-sushy-tests-4.1.6-0.20230517173625.5490eb6.el8.noarch.rpm
SHA-256: 41cf92f300179c9fa6697639978cc7fc4b68330d8fb811531bb3fb68ac281c53
Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.10 for RHEL 8
SRPM
cri-o-1.23.5-15.rhaos4.10.git0bbb0d9.el8.src.rpm
SHA-256: 0a9e7371b1963ffa2f857e4217650e0b4921f9b03326c608ebef1abc59c0b584
jenkins-2-plugins-4.10.1684982411-1.el8.src.rpm
SHA-256: 85f40c5f19896ee02735f95b2d92a9a5b27c539aaf706590c0d9492bca55788e
python-sushy-4.1.6-0.20230517173625.5490eb6.el8.src.rpm
SHA-256: 848a3fa001498aa50483ade0bb14cfc034ee29181bd8383083363ae6b4fcbf1b
s390x
cri-o-1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x.rpm
SHA-256: afdd5e0f7cd62131f450f8892af42dd288d7aa00d71ce120c019a3400c8ecb92
cri-o-debuginfo-1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x.rpm
SHA-256: e1d9461e2c6faf60dab926fa1e639461a8fe18a00921a5526e30a756c2593736
cri-o-debugsource-1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x.rpm
SHA-256: 685802af5fb2b0eb4c70ee951e843bbc36ce01354645e0b864f3fc68f7a7f33c
jenkins-2-plugins-4.10.1684982411-1.el8.noarch.rpm
SHA-256: 7db9937d755e4139e9726d81014109a093a33fbdc57f09f9fdf8db011ce54c0d
python3-sushy-4.1.6-0.20230517173625.5490eb6.el8.noarch.rpm
SHA-256: 9c86e8aa5e287332b0aa8a516f0d642838ae1b21c9e1b69e4779ee82ed57f539
python3-sushy-tests-4.1.6-0.20230517173625.5490eb6.el8.noarch.rpm
SHA-256: 41cf92f300179c9fa6697639978cc7fc4b68330d8fb811531bb3fb68ac281c53
Red Hat OpenShift Container Platform for ARM 64 4.10
SRPM
cri-o-1.23.5-15.rhaos4.10.git0bbb0d9.el8.src.rpm
SHA-256: 0a9e7371b1963ffa2f857e4217650e0b4921f9b03326c608ebef1abc59c0b584
jenkins-2-plugins-4.10.1684982411-1.el8.src.rpm
SHA-256: 85f40c5f19896ee02735f95b2d92a9a5b27c539aaf706590c0d9492bca55788e
python-sushy-4.1.6-0.20230517173625.5490eb6.el8.src.rpm
SHA-256: 848a3fa001498aa50483ade0bb14cfc034ee29181bd8383083363ae6b4fcbf1b
aarch64
cri-o-1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64.rpm
SHA-256: 912c8203b0f394fab9a620711f3a55cfcead7ec2b73b56cdfcea9eb7039766fb
cri-o-debuginfo-1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64.rpm
SHA-256: 3688cd74b41ef3f2185cd50dfcbdd4f85db700b82ec22898538a4f73154251a0
cri-o-debugsource-1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64.rpm
SHA-256: 1e703b43a0701e687d59d853e964da31ab45c14d70c42a5de88481c4cb185bcf
jenkins-2-plugins-4.10.1684982411-1.el8.noarch.rpm
SHA-256: 7db9937d755e4139e9726d81014109a093a33fbdc57f09f9fdf8db011ce54c0d
python3-sushy-4.1.6-0.20230517173625.5490eb6.el8.noarch.rpm
SHA-256: 9c86e8aa5e287332b0aa8a516f0d642838ae1b21c9e1b69e4779ee82ed57f539
python3-sushy-tests-4.1.6-0.20230517173625.5490eb6.el8.noarch.rpm
SHA-256: 41cf92f300179c9fa6697639978cc7fc4b68330d8fb811531bb3fb68ac281c53
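Before installing RPMs pulled from a mirror or a disconnected-cluster staging area, compare them against the SHA-256 values listed above. The following is an added example written for this page, not Red Hat tooling: it parses the advisory's "filename / SHA-256:" line pairs into a manifest and checks a download directory against it, reporting matching, mismatching, missing and unlisted packages. ADVISORY_EXCERPT is a constructed three-entry copy of the x86_64 / RHEL 8 rows above. A matching digest shows the bytes are the ones this advisory lists; it does not replace checking the package signature (rpm -K) against the Red Hat release key, which is what proves the package came from Red Hat.

```python
"""Added example: verify downloaded RPMs against the advisory's SHA-256 list.

Not Red Hat tooling. Parses the advisory's layout (package filename on one
line, "SHA-256: <hex>" on the next) and checks a directory against it.
"""
import hashlib
import os
import re

# Constructed excerpt of the x86_64 / RHEL 8 rows above, in the advisory's layout.
ADVISORY_EXCERPT = """\
x86_64
cri-o-1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64.rpm
SHA-256: fc6f3e239a9b9d75d03f88a5311ee2e6cf78f7e68692245c9decb1edcca85d87
jenkins-2-plugins-4.10.1684982411-1.el8.noarch.rpm
SHA-256: 7db9937d755e4139e9726d81014109a093a33fbdc57f09f9fdf8db011ce54c0d
python3-sushy-4.1.6-0.20230517173625.5490eb6.el8.noarch.rpm
SHA-256: 9c86e8aa5e287332b0aa8a516f0d642838ae1b21c9e1b69e4779ee82ed57f539
"""

_HEX64 = re.compile(r"^[0-9a-f]{64}$")


def parse_advisory_manifest(text):
    """Turn 'name' / 'SHA-256: hash' line pairs into {filename: sha256hex}."""
    manifest, pending = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(".rpm"):
            pending = line
        elif line.startswith("SHA-256:") and pending:
            digest = line.split(":", 1)[1].strip().lower()
            if not _HEX64.match(digest):
                raise ValueError(f"malformed SHA-256 for {pending}: {digest!r}")
            manifest[pending] = digest
            pending = None
    return manifest


def sha256_of(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large RPMs are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_directory(manifest, directory):
    """Compare every .rpm in `directory` with the manifest.

    Returns lists under 'ok', 'mismatch', 'missing' (listed but absent) and
    'unlisted' (present but not in the advisory; do not install those blindly).
    """
    result = {"ok": [], "mismatch": [], "missing": [], "unlisted": []}
    present = {n for n in os.listdir(directory) if n.endswith(".rpm")}
    for name, expected in manifest.items():
        if name not in present:
            result["missing"].append(name)
            continue
        actual = sha256_of(os.path.join(directory, name))
        (result["ok"] if actual == expected else result["mismatch"]).append(name)
    result["unlisted"].extend(sorted(present - set(manifest)))
    return result


def all_verified(result):
    """True only when every listed package is present and matches, with nothing extra."""
    return not (result["mismatch"] or result["missing"] or result["unlisted"])


if __name__ == "__main__":
    import sys

    report = verify_directory(parse_advisory_manifest(ADVISORY_EXCERPT),
                              sys.argv[1] if len(sys.argv) > 1 else ".")
    for status, names in report.items():
        for name in names:
            print(f"{status:9s}{name}")
    sys.exit(0 if all_verified(report) else 1)
```

Run it with the download directory as the only argument; a non-zero exit means something was tampered with, is missing, or was not part of this advisory. To cover another architecture, paste that section's rows into ADVISORY_EXCERPT in the same layout (the parser keys only on the .rpm suffix and the SHA-256: prefix, so the arch heading lines are ignored).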
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.