Security
Headlines
HeadlinesLatestCVEs

Headline

RHSA-2023:3325: Red Hat Security Advisory: Multicluster Engine for Kubernetes 2.1.7 security fixes and container updates

Multicluster Engine for Kubernetes 2.1.7 General Availability release images, which address security issues and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2023-32313: A flaw was found in the vm2. After making a vm, the inspect method is read-write for console.log, which allows an attacker to edit options for console.log. This issue impacts the integrity by changing the log subsystem.
  • CVE-2023-32314: A flaw was found in the vm2 sandbox. When a host object is created based on the specification of Proxy, an attacker can bypass the sandbox protections. This may allow an attacker to run remote code execution on the host running the sandbox. This vulnerability impacts the confidentiality, integrity, and availability of the system.
Red Hat Security Data
#vulnerability#red_hat#kubernetes#rce

Issued:

2023-05-25

Updated:

2023-05-25

RHSA-2023:3325 - Security Advisory

  • Overview
  • Updated Images

Synopsis

Critical: Multicluster Engine for Kubernetes 2.1.7 security fixes and container updates

Type/Severity

Security Advisory: Critical

Topic

Multicluster Engine for Kubernetes 2.1.7 General Availability release images, which address security issues and update container images.

Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE links in the References section.

Description

Multicluster Engine for Kubernetes 2.1.7 images

Multicluster engine for Kubernetes provides the foundational components
that are necessary for the centralized management of multiple
Kubernetes-based clusters across data centers, public clouds, and private
clouds.

You can use the engine to create new Red Hat OpenShift Container Platform
clusters or to bring existing Kubernetes-based clusters under management by
importing them. After the clusters are managed, you can use the APIs that
are provided by the engine to distribute configuration based on placement
policy.

Security fix(es):

  • CVE-2023-32314 vm2: Sandbox Escape
  • CVE-2023-32313 vm2: Inspect Manipulation

Affected Products

  • multicluster engine for Kubernetes Text-only Advisories x86_64

Fixes

  • BZ - 2208376 - CVE-2023-32314 vm2: Sandbox Escape
  • BZ - 2208377 - CVE-2023-32313 vm2: Inspect Manipulation

CVEs

  • CVE-2022-2795
  • CVE-2022-2928
  • CVE-2022-2929
  • CVE-2022-36227
  • CVE-2022-41973
  • CVE-2023-0361
  • CVE-2023-27535
  • CVE-2023-32313
  • CVE-2023-32314

aarch64

multicluster-engine/agent-service-rhel8@sha256:db43d1fb61320d6699d91ca454488ba069e6c1e6250b402b2959feff5e292550

multicluster-engine/apiserver-network-proxy-rhel8@sha256:f9b7ea56cf323ae9edecda5a6fd291630ff7f6dd539745859a799ff6dbb58b2c

multicluster-engine/assisted-image-service-rhel8@sha256:578e67e0ff14413d9f3a59b6c6aad25053df2cf565ef12791e98a7c22a993790

multicluster-engine/assisted-installer-agent-rhel8@sha256:a93b37c356753914bdfd20136314b4e683dc4e02de0af3e92cd3edd23694bea4

multicluster-engine/assisted-installer-reporter-rhel8@sha256:26fe3c251dc4a26494c42041bae75a106bbe782978a9c91106f2c13023a2ea33

multicluster-engine/assisted-installer-rhel8@sha256:b57e977ca9ad7d93a30b32067b61139440db0094de4d77c22897b76114ffe2ca

multicluster-engine/aws-encryption-provider-rhel8@sha256:486d3de4f3a85553060e8bc588812b1771ee1f36a78daf0d39787e3c8d5a3b1a

multicluster-engine/backplane-rhel8-operator@sha256:0cca357d5173be4d0d7da059103e9ec9075d067472374d0b6892a299f3273e0e

multicluster-engine/cluster-api-provider-agent-rhel8@sha256:3609ca35d0539da77b810e22204e522a2945a1eb97050426168769623ef6ee09

multicluster-engine/multicluster-engine-cluster-api-provider-agent-rhel8@sha256:3609ca35d0539da77b810e22204e522a2945a1eb97050426168769623ef6ee09

multicluster-engine/cluster-api-provider-aws-rhel8@sha256:b54806acc3ade64d0f1d4423f3549035397fca0e7f5a73934ae0dc4d61bb742c

multicluster-engine/cluster-api-provider-azure-rhel8@sha256:68af04497e9827dcd77ca301127dff44b475c61a6b0d641762349e6ca20284fd

multicluster-engine/cluster-api-provider-kubevirt-rhel8@sha256:5266ca5147770c1b297948330678e6d73a6b764cee34f26b327f91eeac409425

multicluster-engine/cluster-api-rhel8@sha256:1f23bb263707755283132ba1feb2f8db2ed2c13bfe047878888bcd18db809eb6

multicluster-engine/cluster-curator-controller-rhel8@sha256:afda92eef2cc497582877984ff01bf839100f479806d3cf55f12d118bc57b37b

multicluster-engine/cluster-proxy-addon-rhel8@sha256:054935d00433db70b14c867005b6163834dccd3b9030d52481d320021c45fa6f

multicluster-engine/cluster-proxy-rhel8@sha256:0e52f0650fafdadece5a7118a2b283660e9899a6e8c4a92466a489beac05d9d9

multicluster-engine/clusterclaims-controller-rhel8@sha256:f9ce7b2ec715f5a117a46c4f3d985e48160c9e255a235abb0046521f03b58eb8

multicluster-engine/clusterlifecycle-state-metrics-rhel8@sha256:ed04e12e07001e41a5e9efaee393f7e2c083a2f6c9af870a8178738518acd35b

multicluster-engine/multicluster-engine-console-mce-rhel8@sha256:9b761d2aadc18cd8eb261c839993d188d2758c7e48b74508a9634b2b2aeeeee1

multicluster-engine/console-mce-rhel8@sha256:9b761d2aadc18cd8eb261c839993d188d2758c7e48b74508a9634b2b2aeeeee1

multicluster-engine/discovery-rhel8@sha256:9a41ada48ca310e26dbcb06d353f591a9099552c0290f5ba6b73a168d843374d

multicluster-engine/hive-rhel8@sha256:8326bb61baca9a9b62a2fa000cdef3adcc9ec92ac2260ffe0952e46408457d33

multicluster-engine/multicluster-engine-hypershift-addon-rhel8-operator@sha256:7aa3a3b8ae22277e1bce163fccbd4ec76921cb5e4c49cbe1f546280428d1c19f

multicluster-engine/hypershift-addon-rhel8-operator@sha256:7aa3a3b8ae22277e1bce163fccbd4ec76921cb5e4c49cbe1f546280428d1c19f

multicluster-engine/hypershift-deployment-controller-rhel8@sha256:b8feb1da56a74e16aa975273c843562b4ca7f7a98d01a15cd35014e3b437cc28

multicluster-engine/multicluster-engine-hypershift-deployment-controller-rhel8@sha256:b8feb1da56a74e16aa975273c843562b4ca7f7a98d01a15cd35014e3b437cc28

multicluster-engine/hypershift-rhel8-operator@sha256:d7af263bcbf9373f8f4230d058746b3646fe60b19ecfd1d05caff6045ab2ee02

multicluster-engine/multicluster-engine-managed-serviceaccount-rhel8@sha256:b63608269cbc88b4ef5caf8728e25f659a16d253c2f5e0049a9b7a56a5940faf

multicluster-engine/managed-serviceaccount-rhel8@sha256:b63608269cbc88b4ef5caf8728e25f659a16d253c2f5e0049a9b7a56a5940faf

multicluster-engine/managedcluster-import-controller-rhel8@sha256:c2a2fd8a598ab99abf995756f2a9c4d0ff7e0dccee49e284a4c378404f4df67e

multicluster-engine/multicloud-manager-rhel8@sha256:9d80009f56bb3f5cc9e551350c42f4a8a6b1e0a775fa6cace622a6e525617c12

multicluster-engine/must-gather-rhel8@sha256:442e5148cbd9b37df258c9f39fc8c45b9b8210bb99d20867e18283c8475a84f5

multicluster-engine/placement-rhel8@sha256:3809cb9468c640856871074a2d568bc79fcabd7afddd647b711cff5e70fbb71a

multicluster-engine/provider-credential-controller-rhel8@sha256:a5976a0db1f656246e0ce4c59827b92b82eb74adabdb2047d7908524cd3c7c57

multicluster-engine/registration-operator-rhel8@sha256:e579d3378ec872b1220e1d585df34bc71c0d221dd8b0f0e499dea913c4cef5cf

multicluster-engine/registration-rhel8@sha256:322396b61bc102f25a0b5260118dfc52496af8a595884a9ed8ef585ff146ba98

multicluster-engine/work-rhel8@sha256:4a33fc3fc20e48437eebf5a95f1fd57aae243b5e2b9e9c1ec23345377999ea34

ppc64le

multicluster-engine/agent-service-rhel8@sha256:d93a75e2d12da1ef8753ff91baa8d24726b0c30862f7834ebe154bd2d3550f4c

multicluster-engine/apiserver-network-proxy-rhel8@sha256:31b0085159c3caf1948286a2d83343af226534e6a6952459fa018899f53487f6

multicluster-engine/assisted-image-service-rhel8@sha256:f93ba76605ded2e61a1fe777841f71a1a20390a3b3cb8596940bd4ea2429bb51

multicluster-engine/assisted-installer-reporter-rhel8@sha256:1e3b06b33cdf29c9fd4417b87720f6af47a1b58384142253d36dca8f89f86e73

multicluster-engine/assisted-installer-rhel8@sha256:b80ff9ae40c31ddb4e4ff789caec9c83fcd5a42a2ccdcaccf7f1fead5a874541

multicluster-engine/aws-encryption-provider-rhel8@sha256:ceea64a64682ee9c500dfc0623b31297f721f9044e514a5945109dd109604571

multicluster-engine/backplane-rhel8-operator@sha256:5735436271bdfb6138c604a58c28949f6c883a8daade981505a591954426347c

multicluster-engine/cluster-api-provider-agent-rhel8@sha256:9585794260a226054030ed78ac3a6431db95cd65cee173ef95121f28a1e6d801

multicluster-engine/multicluster-engine-cluster-api-provider-agent-rhel8@sha256:9585794260a226054030ed78ac3a6431db95cd65cee173ef95121f28a1e6d801

multicluster-engine/cluster-api-provider-aws-rhel8@sha256:021f943d8a33be6f296abcd661d0711c5bfbc45727d36f7b84cef7ed5283e6e7

multicluster-engine/cluster-api-provider-azure-rhel8@sha256:6216b642abd086e02d8e46b9ec3410ff90d4d8a21f44aaf9618faae7fffdc634

multicluster-engine/cluster-api-provider-kubevirt-rhel8@sha256:e6d6d9b62baa0a89eb4b7ced4ca4bc4d1cfa6d2a6122ba52d083c720359ec7f3

multicluster-engine/cluster-api-rhel8@sha256:b7c0c5bc2351b2e1d17e27610a3569592a94eb781d5f19cf54a7c82f733fb9dd

multicluster-engine/cluster-curator-controller-rhel8@sha256:7cf34ac4384e2b63ffa41f5731ae6ca5326514af3003f32a53de0c8179e9fab1

multicluster-engine/cluster-proxy-addon-rhel8@sha256:b21fbf89c2ea5673daf74bdc39f7f5e714c2894b674fc29413fe45b587b823ee

multicluster-engine/cluster-proxy-rhel8@sha256:8b2cfc58ded2ce07ccdd54a2c0255465be5941b52a9b4fac8447a9e9e3a4bebb

multicluster-engine/clusterclaims-controller-rhel8@sha256:21b9bdc110822e8a907d37223aee9f16d156d80d7acfd265edf3bf7429133102

multicluster-engine/clusterlifecycle-state-metrics-rhel8@sha256:d4fe23c8fb4ce55fb03fdf9c915d4e6393a3a61af7b1861a8c0ce6308e16b348

multicluster-engine/multicluster-engine-console-mce-rhel8@sha256:66e76d15b07a6fe56e2d4eb087c571487004e36956ba815e8b4b3fc996942147

multicluster-engine/console-mce-rhel8@sha256:66e76d15b07a6fe56e2d4eb087c571487004e36956ba815e8b4b3fc996942147

multicluster-engine/discovery-rhel8@sha256:c7c82f9bf08b6c3bc3c188764969b7d3a79b1fe4aa5b7e4af16f90ebe5ca91b2

multicluster-engine/hive-rhel8@sha256:d0ff897165e69d4ad3ccde259fbd73471536cb79666697d29069a811ba29459d

multicluster-engine/multicluster-engine-hypershift-addon-rhel8-operator@sha256:65ba5917673db69518cf565e2a6878a74bc9e3d4a22e68a63d8698af597f5c80

multicluster-engine/hypershift-addon-rhel8-operator@sha256:65ba5917673db69518cf565e2a6878a74bc9e3d4a22e68a63d8698af597f5c80

multicluster-engine/hypershift-deployment-controller-rhel8@sha256:af1e669feebcfbab3eca937ed8f006d485e2d1df5674ee27c76fc40e18ebdf0e

multicluster-engine/multicluster-engine-hypershift-deployment-controller-rhel8@sha256:af1e669feebcfbab3eca937ed8f006d485e2d1df5674ee27c76fc40e18ebdf0e

multicluster-engine/hypershift-rhel8-operator@sha256:588ecfb58d8035365b726feb4dd831f1b0a8720a2a061cb1351aa4288e5b287b

multicluster-engine/multicluster-engine-managed-serviceaccount-rhel8@sha256:bbce9dceca5707e74c9ae630ded1aef7847b9e1084c8b53657bb2730981d496f

multicluster-engine/managed-serviceaccount-rhel8@sha256:bbce9dceca5707e74c9ae630ded1aef7847b9e1084c8b53657bb2730981d496f

multicluster-engine/managedcluster-import-controller-rhel8@sha256:f8974d091a0429bb2110c3a98afc17b7e27c842281420374c8b706dbce6e0daf

multicluster-engine/mce-operator-bundle@sha256:055c406010077fd498027724804b4f92c13c3e64a03644ca6075c6ac539151cc

multicluster-engine/multicloud-manager-rhel8@sha256:697f5a05986fde638b3d7c65aeedd189f0886fdee018a8ebd9537ca985ed04d8

multicluster-engine/must-gather-rhel8@sha256:4d5825cc6a5bfadbabc5ad8c860893f10da9bf4652931ec58224689154602ff2

multicluster-engine/placement-rhel8@sha256:946718d53c99034561f1adb2e9af4a8218515540d8b17bb83dfe9d18e917c329

multicluster-engine/provider-credential-controller-rhel8@sha256:2696b9b660e2708a7e791c12cd2831aaf20d8cdd9680e943bc8772c83224c548

multicluster-engine/registration-operator-rhel8@sha256:a248bbe30bfaa1e0dd2b7389e3eeba19ea882d02491ede189fd8ca16db9c3a44

multicluster-engine/registration-rhel8@sha256:25bc554d439ff0940925e1fa89b5f78cfb608a209c179f58c4ee875270433bc7

multicluster-engine/work-rhel8@sha256:580c1e29b3e8f65290d2a96948e6f93865a75c1ee620110e25d0346a22a68c8f

s390x

multicluster-engine/agent-service-rhel8@sha256:b75f4014ac24863dd2f8b8e1e0078a68c47226a7223006443a707b98b90009d3

multicluster-engine/apiserver-network-proxy-rhel8@sha256:00259f14858cd4d7169a7fa6093854c8ba99b207b1cd9325dad7a166ddc1b60d

multicluster-engine/assisted-image-service-rhel8@sha256:b8e462f1a92e550fe3ee2a502ca0c33a1d43633adb3b25e4895656e33bd09c7a

multicluster-engine/aws-encryption-provider-rhel8@sha256:aa5ccd487c65a3470f1a089e5873be1c4cac0ae94324c48b6d071e314401c7d1

multicluster-engine/backplane-rhel8-operator@sha256:2fc94ba72f5bcc8a5ed30c359859d1de39298002fac363c9ea6e5c693fea09b7

multicluster-engine/cluster-api-provider-agent-rhel8@sha256:93394a5148a8e51ccada81760131a39956ba87350cf7fbf0600608c1d5898a57

multicluster-engine/multicluster-engine-cluster-api-provider-agent-rhel8@sha256:93394a5148a8e51ccada81760131a39956ba87350cf7fbf0600608c1d5898a57

multicluster-engine/cluster-api-provider-aws-rhel8@sha256:a5ee856fa8d146ee21be00dda41e4be6d3ea27ae88a9eda49ccdc26b97e4ea37

multicluster-engine/cluster-api-provider-azure-rhel8@sha256:24ebe960af380725f3f9916520b5114fbec3aa49845de53f90543e4a89fb52fd

multicluster-engine/cluster-api-provider-kubevirt-rhel8@sha256:f9741a0a81fbeeedf723f39695a5f1b6151fa9fe8aa00a176c599617636d7272

multicluster-engine/cluster-api-rhel8@sha256:4bcac22cfe737142fff36a04a9f5c5b420dadc774a7c53dd1096a692cca9ab74

multicluster-engine/cluster-curator-controller-rhel8@sha256:865ca6d19083d0ed1db86a159a305cdd64b15261b7cd7c4387419d3db8c51d96

multicluster-engine/cluster-proxy-addon-rhel8@sha256:aeb5e51d99b27c39552cad944d37b9598b7040f15b8dac3f7a3fcc822dfc4840

multicluster-engine/cluster-proxy-rhel8@sha256:6d3e381c643e32490b4d66b39eb23f2acbfae132bec4265182a0ddcdb0d9cfd6

multicluster-engine/clusterclaims-controller-rhel8@sha256:b20973adb70edb774f9853ac8b63fb154f762716c311a06a029a3807c9117caf

multicluster-engine/clusterlifecycle-state-metrics-rhel8@sha256:c8975cb6d4d6490ac29d0b7a108332f75310abfb9ead929d27440e020550b4ff

multicluster-engine/multicluster-engine-console-mce-rhel8@sha256:308c1e57ff087af046c33cd3b12d7acacad4097995bc0b7e1125038321ee4614

multicluster-engine/console-mce-rhel8@sha256:308c1e57ff087af046c33cd3b12d7acacad4097995bc0b7e1125038321ee4614

multicluster-engine/discovery-rhel8@sha256:53962002c320742fc6339daaec7c9e59287bb957d101f6d2983b6cde9da44022

multicluster-engine/hive-rhel8@sha256:254947f2b0180e81822db22f589033aab32a332d2dd1072063d286ff28c3ba25

multicluster-engine/multicluster-engine-hypershift-addon-rhel8-operator@sha256:9620cff0611ee81540091190ca80237fc9b83a87b3ccafa82dc41313ee20f778

multicluster-engine/hypershift-addon-rhel8-operator@sha256:9620cff0611ee81540091190ca80237fc9b83a87b3ccafa82dc41313ee20f778

multicluster-engine/hypershift-deployment-controller-rhel8@sha256:d502b01d703497364707e74f7ff2960e40d94c6f0a1750efa7449eca5190cfd0

multicluster-engine/multicluster-engine-hypershift-deployment-controller-rhel8@sha256:d502b01d703497364707e74f7ff2960e40d94c6f0a1750efa7449eca5190cfd0

multicluster-engine/hypershift-rhel8-operator@sha256:17b06a8a46e96b0488982ea9b52e50f219e583454c0ce8c21120089eec0b3d34

multicluster-engine/multicluster-engine-managed-serviceaccount-rhel8@sha256:0835793784452ffb946c1f1865dc67ff91863a9f58370add5d27fafc2fa47fb1

multicluster-engine/managed-serviceaccount-rhel8@sha256:0835793784452ffb946c1f1865dc67ff91863a9f58370add5d27fafc2fa47fb1

multicluster-engine/managedcluster-import-controller-rhel8@sha256:7f570e6324a0ded0af3141224aa7503125a5d08ea8275410e2ab0c39bc78b56f

multicluster-engine/mce-operator-bundle@sha256:8eba080c647dc14caff456bb21dd3759df2dfdbd4b64bb4532a7921442a94aa5

multicluster-engine/multicloud-manager-rhel8@sha256:4d5c7a6c0d8f1315cef10e83f0059fa842ee05d1bb7c2d262ab7c6f94a731da9

multicluster-engine/must-gather-rhel8@sha256:36ac43aab0989ca8672f2bb3147116ae8ba982e42dfaa7a43d75818267d06559

multicluster-engine/placement-rhel8@sha256:a08529cd5a93957b1c77ca30a86252edff945f621f4649447a3fb82ca2b066e4

multicluster-engine/provider-credential-controller-rhel8@sha256:098cf691eb34a5cde1e4104210b40be8c223bc15375034a5b5b6ce7689857c77

multicluster-engine/registration-operator-rhel8@sha256:9fd016ea2076eb131b3c1cb4597e2d6a0bb250a30c24ddf365225ea5d5021d2f

multicluster-engine/registration-rhel8@sha256:3bc64facd3c603cff09ac93dd21a228be46ab7eae15129ed4102affc444e519c

multicluster-engine/work-rhel8@sha256:fe24c34749d1a15d328212e7ebfa7df1ba88985a22ea7e817a48ada7d56b6388

x86_64

multicluster-engine/agent-service-rhel8@sha256:2a992f97046e52ea32763271336851b71369dbc95d689336b5b5a52cb7c928bd

multicluster-engine/apiserver-network-proxy-rhel8@sha256:c5d5a800f31f3f9f33464a7cc521a39ac946bedd79f3a5bb3f5fcf751a9b29f5

multicluster-engine/assisted-image-service-rhel8@sha256:d353cebf46b8034aeba32c10e123ce4244270c71660a3fd0d525b40122795b66

multicluster-engine/assisted-installer-agent-rhel8@sha256:778ec121e67297d069451b120508b2342bc1167940e8788d428e48a882fc6263

multicluster-engine/assisted-installer-reporter-rhel8@sha256:37a4babca63cd60453bf4ccb165744e7539c6dfb25c1f2afa52cdab2e5d3b9e3

multicluster-engine/assisted-installer-rhel8@sha256:8da020b6b0b843ec660e8c671e5e8dc9dc3574c54b287dbacf291341ee33c938

multicluster-engine/aws-encryption-provider-rhel8@sha256:2abb443f0d341949d813f3e6459e7ccfa290a52756b466c7cdf90864c7e24872

multicluster-engine/backplane-rhel8-operator@sha256:5a4788044e0424ef01978de584612ead6d85d12e3e730a319dbe2b420809d224

multicluster-engine/cluster-api-provider-agent-rhel8@sha256:08097b3a1cfc85ae7d64954b317d5167f42a0642e3d07f9dbb0639935d51de33

multicluster-engine/multicluster-engine-cluster-api-provider-agent-rhel8@sha256:08097b3a1cfc85ae7d64954b317d5167f42a0642e3d07f9dbb0639935d51de33

multicluster-engine/cluster-api-provider-aws-rhel8@sha256:57534485ca6f0c456e17bf41acb2b219692348acc17f44717e01c77947f3e719

multicluster-engine/cluster-api-provider-azure-rhel8@sha256:d7928cef2050b103bf1677f668d0ec68e96f61b57d905cdf903dba9c128f87cc

multicluster-engine/cluster-api-provider-kubevirt-rhel8@sha256:326050fd51a0e23aea155a88b4ddecf34865ddabe5dda65a105607ffefe2324b

multicluster-engine/cluster-api-rhel8@sha256:e21249d9a8329f681da42ae60148bd6e7fe853968b827bf39f294afc6ca92dbc

multicluster-engine/cluster-curator-controller-rhel8@sha256:67ca6e928e6d1af04b033a4a624df0424d8db7f0bc0893a40bbc9ab270629b6c

multicluster-engine/cluster-proxy-addon-rhel8@sha256:2da49b15d328ae422f2941fcf0f91aa7f203de910d524b0d0ee84247169f5608

multicluster-engine/cluster-proxy-rhel8@sha256:37595d40522bf344b618a3bf83f6c9e5cec41910a4eae17861bbc4ac848d171b

multicluster-engine/clusterclaims-controller-rhel8@sha256:5db16c2474a6ca936113b3df5753d1dc315de604a5666669798e18f9eaf9cc97

multicluster-engine/clusterlifecycle-state-metrics-rhel8@sha256:eae2b60419b93c5e811420ec6df97754c6f58ab6509cf4faa76503188540709f

multicluster-engine/multicluster-engine-console-mce-rhel8@sha256:ee026b338bee24d332142df6399961abb97fa4065c7482780058b7a32b7cec67

multicluster-engine/console-mce-rhel8@sha256:ee026b338bee24d332142df6399961abb97fa4065c7482780058b7a32b7cec67

multicluster-engine/discovery-rhel8@sha256:c3c8e688b41497f31484d9900d3d4c554145044f736da5c70531d6f0ebb7060b

multicluster-engine/hive-rhel8@sha256:439bf8f6c81c9f3ea895fee4cf4fa4b19106cf01ffa53916839c1880c3623f91

multicluster-engine/multicluster-engine-hypershift-addon-rhel8-operator@sha256:d59b433b5db97acbd3fef84ffba2488e8825c26f9c309862be3a4617c4916f1d

multicluster-engine/hypershift-addon-rhel8-operator@sha256:d59b433b5db97acbd3fef84ffba2488e8825c26f9c309862be3a4617c4916f1d

multicluster-engine/hypershift-deployment-controller-rhel8@sha256:c185b5c73eca080e400ac6c9a1b877f7df6b747ba35c2ecbcf606c7262d3d9ed

multicluster-engine/multicluster-engine-hypershift-deployment-controller-rhel8@sha256:c185b5c73eca080e400ac6c9a1b877f7df6b747ba35c2ecbcf606c7262d3d9ed

multicluster-engine/hypershift-rhel8-operator@sha256:a097c5e36aa59f5817fd66064149c07e72916e77b7b16e6f340110179b843973

multicluster-engine/klusterlet-operator-bundle@sha256:b45a2773beb166566e44ed36e1039208bd28683251563d5989884fbb884bbf11

multicluster-engine/multicluster-engine-managed-serviceaccount-rhel8@sha256:a6930f76e5d33e59f959ddd5b869b9efc0bf0fe195abe0350a3012995de3e3da

multicluster-engine/managed-serviceaccount-rhel8@sha256:a6930f76e5d33e59f959ddd5b869b9efc0bf0fe195abe0350a3012995de3e3da

multicluster-engine/managedcluster-import-controller-rhel8@sha256:2e2bb37f25c89f1f3a0faf7c726d2c935dfc9d7d81fa526329ab183af70666ea

multicluster-engine/mce-operator-bundle@sha256:c1af78da9d78d0911886fee4fccd77a64127f3b1e64c32d9c3b405799f0de6d1

multicluster-engine/multicloud-manager-rhel8@sha256:12d55e58de8282f6130409a4b089b278c4ccd5e0bb5948f7f4f2444e7d285033

multicluster-engine/must-gather-rhel8@sha256:ed93418db47a78aab46c65bd0cd2878f2e4254be2fb0427aa566a51a2edd307d

multicluster-engine/placement-rhel8@sha256:dc174ebe59c11e1a874ab59c3d34afd8e51f95a48b52ef27e84c31df66aec0b8

multicluster-engine/provider-credential-controller-rhel8@sha256:30fedfc6551bc4c646057558f6fcd132da6aeaead1ab6203aca0acbefc5b60e8

multicluster-engine/registration-operator-rhel8@sha256:de0c8a1be947fceb8d38063ba92503a5cee0b347a160a35987ef753e9f955a97

multicluster-engine/registration-rhel8@sha256:526ce18fa628e4ae4208c35fe7c4814e8e41266314d0e1f6fab7e9fcdf95e11d

multicluster-engine/work-rhel8@sha256:40148e621784fbe4950c001bfef12a8108b3a0ffec03a2e01967c7c203676ea8

The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.

Related news

Ubuntu Security Notice USN-7070-1

Ubuntu Security Notice 7070-1 - It was discovered that libarchive mishandled certain memory checks, which could result in a NULL pointer dereference. An attacker could potentially use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. It was discovered that libarchive mishandled certain memory operations, which could result in an out-of-bounds memory access. An attacker could potentially use this issue to cause a denial of service. This issue only affected Ubuntu 22.04 LTS and Ubuntu 24.04 LTS.

Gentoo Linux Security Advisory 202309-14

Gentoo Linux Security Advisory 202309-14 - Multiple vulnerabilities have been found in libarchive, the worst of which could result in denial of service. Versions greater than or equal to 3.7.1 are affected.

RHSA-2023:4657: Red Hat Security Advisory: Secondary Scheduler Operator for Red Hat OpenShift 1.1.2 security update

Secondary Scheduler Operator for Red Hat OpenShift 1.1.2 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-24532: A flaw was found in the crypto/internal/nistec golang library. The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars, such as a scalar larger than the order of the curve. This does not impact usages of crypto/ecdsa or crypto/ecdh. * CVE-2023-24534: A flaw was found in Golang Go...

Red Hat Security Advisory 2023-4575-01

Red Hat Security Advisory 2023-4575-01 - VolSync is a Kubernetes operator that enables asynchronous replication of persistent volumes within a cluster, or across clusters.

RHSA-2023:4335: Red Hat Security Advisory: Security Update for cert-manager Operator for Red Hat OpenShift 1.10.3

cert-manager Operator for Red Hat OpenShift 1.10.3 Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. * CVE-2022-41724: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused when processing large TLS handshake records. By sending specia...

Red Hat Security Advisory 2023-4488-01

Red Hat Security Advisory 2023-4488-01 - Red Hat OpenShift support for Windows Containers allows you to deploy Windows container workloads running on Windows Server containers.

RHSA-2023:4475: Red Hat Security Advisory: Gatekeeper Operator v0.2 security fixes and enhancements

Gatekeeper Operator v0.2 security fixes and enhancements Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-3089: A compliance problem was found in the Red Hat OpenShift Container Platform. Red Hat discovered that, when FIPS mode was enabled, not all of the cryptographic modules in use were FIPS-validated.

Red Hat Security Advisory 2023-4238-01

Red Hat Security Advisory 2023-4238-01 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Data Foundation. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform.

RHSA-2023:4091: Red Hat Security Advisory: OpenShift Container Platform 4.13.5 security update

Red Hat OpenShift Container Platform release 4.13.5 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server c...

CVE-2023-22062: Oracle Critical Patch Update Advisory - July 2023

Vulnerability in the Oracle Hyperion Financial Reporting product of Oracle Hyperion (component: Repository). The supported version that is affected is 11.2.13.0.000. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Hyperion Financial Reporting. While the vulnerability is in Oracle Hyperion Financial Reporting, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hyperion Financial Reporting accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Hyperion Financial Reporting. CVSS 3.1 Base Score 8.5 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L).

RHSA-2023:4114: Red Hat Security Advisory: Red Hat OpenShift Service Mesh Containers for 2.4.1 security update

Red Hat OpenShift Service Mesh 2.4.1 Containers Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-3089: A compliance problem was found in the Red Hat OpenShift Container Platform. Red Hat discovered that, when FIPS mode was enabled, not all of the cryptographic modules in use were FIPS-validated.

RHSA-2023:3918: Red Hat Security Advisory: OpenShift API for Data Protection (OADP) 1.1.5 security and bug fix update

OpenShift API for Data Protection (OADP) 1.1.5 is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. * CVE-2023-24534: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused by memory exhaustion in the common function in H...

Red Hat Security Advisory 2023-3813-01

Red Hat Security Advisory 2023-3813-01 - An update for mtr-operator-bundle-container, mtr-operator-container, mtr-web-container, and mtr-web-executor-container is now available for Migration Toolkit for Runtimes 1 on RHEL 8.

Red Hat Security Advisory 2023-3742-02

Red Hat Security Advisory 2023-3742-02 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. Issues addressed include bypass, denial of service, and remote SQL injection vulnerabilities.

RHSA-2023:3742: Red Hat Security Advisory: Red Hat OpenShift Data Foundation 4.13.0 security and bug fix update

Updated images that include numerous enhancements, security, and bug fixes are now available in Red Hat Container Registry for Red Hat OpenShift Data Foundation 4.13.0 on Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-16250: A flaw was found in Vault and Vault Enterprise (“Vault”). In the affected versions of Vault, with the AWS Auth Method configured and under certain circumstances, the values relied upon by Vault to validate AWS IAM ident...

Red Hat Security Advisory 2023-3664-01

Red Hat Security Advisory 2023-3664-01 - Release of Security Advisory for the OpenShift Jenkins image and Jenkins agent base image.

Red Hat Security Advisory 2023-3644-01

Red Hat Security Advisory 2023-3644-01 - Red Hat OpenShift Service Mesh is the Red Hat distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. This advisory covers container images for the release.

Red Hat Security Advisory 2023-3645-01

Red Hat Security Advisory 2023-3645-01 - Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an OpenShift Container Platform installation. This advisory covers the RPM packages for the release. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-3624-01

Red Hat Security Advisory 2023-3624-01 - The Migration Toolkit for Containers enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-3609-01

Red Hat Security Advisory 2023-3609-01 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Data Foundation. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform.

RHSA-2023:3644: Red Hat Security Advisory: Red Hat OpenShift Service Mesh Containers for 2.4.0

Red Hat OpenShift Service Mesh Containers for 2.4.0 Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-24540: A flaw was found in golang, where not all valid JavaScript white-space characters were considered white space. Due to this issue, templates containing white-space characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.

RHSA-2023:3609: Red Hat Security Advisory: Red Hat OpenShift Data Foundation 4.12.4 security and Bug Fix update

Updated images that fix several bugs are now available for Red Hat OpenShift Data Foundation 4.12.4 on Red Hat Enterprise Linux 8 from Red Hat Container Registry. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3172: A security issue was discovered in kube-apiserver that allows an aggregated API server to redirect client traffic to any URL. This issue leads to the client performing unexpected actions and forwarding the client's API server credentials to third parties.

Red Hat Security Advisory 2023-3495-01

Red Hat Security Advisory 2023-3495-01 - Logging Subsystem 5.7.2 - Red Hat OpenShift. Issues addressed include cross site scripting and denial of service vulnerabilities.

RHSA-2023:3495: Red Hat Security Advisory: Logging Subsystem 5.7.2 - Red Hat OpenShift security update

Logging Subsystem 5.7.2 - Red Hat OpenShift Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. * CVE-2023-27539: A denial of service vulnerability was found in rubygem-rack in how it parses headers. A carefully crafted input can cause header parsing to take an unexpe...

RHSA-2023:3455: Red Hat Security Advisory: Release of OpenShift Serverless 1.29.0

OpenShift Serverless version 1.29.0 contains a moderate security impact. The References section contains CVE links providing detailed severity ratings for each vulnerability. Ratings are based on a Common Vulnerability Scoring System (CVSS) base score.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. * CVE-2022-41724: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused when processing large TLS handshake records. By sending specially-crafted TLS handshake records, a remote, authenticated attacker ...

Red Hat Security Advisory 2023-3379-01

Red Hat Security Advisory 2023-3379-01 - Updated images are now available for Red Hat Advanced Cluster Security for Kubernetes (RHACS). The updated image includes security fixes. This release of RHACS includes a fix for CVE-2023-24540 by building RHACS with updated Golang.

Red Hat Security Advisory 2023-3356-01

Red Hat Security Advisory 2023-3356-01 - Red Hat Advanced Cluster Management for Kubernetes 2.5.9 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs.

RHSA-2023:3435: Red Hat Security Advisory: Red Hat Advanced Cluster Security 3.74 for Kubernetes security update

An update is now available for Red Hat Advanced Cluster Security for Kubernetes (RHACS). Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-24539: A flaw was found in golang where angle brackets (<>) were not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character could result in unexpectedly closing the CSS context and allowing for the injection of unexpected HMTL if executed with untrusted inpu...

CVE-2023-28043: DSA-2023-164: Dell Secure Connect Gateway Security Update for Multiple Vulnerabilities

Dell SCG 5.14 contains an information disclosure vulnerability during the SRS to SCG upgrade path. A remote low privileged malicious user could potentially exploit this vulnerability to retrieve the plain text.

RHSA-2023:3373: Red Hat Security Advisory: Migration Toolkit for Runtimes security update

An update for mtr-operator-bundle-container, mtr-operator-container, mtr-web-container, and mtr-web-executor-container is now available for Migration Toolkit for Runtimes 1 on RHEL 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-46877: A flaw was found in Jackson Databind. This issue may allow a malicious user to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization. * CVE-2022-41854: Those using Sn...

RHSA-2023:3379: Red Hat Security Advisory: Red Hat Advanced Cluster Security for Kubernetes 3.73 security update

Updated images are now available for Red Hat Advanced Cluster Security for Kubernetes (RHACS). The updated image includes security fixes. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-24540: A flaw was found in golang, where not all valid JavaScript white-space characters were considered white space. Due to this issue, templates containing white-space characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions...

RHSA-2023:3353: Red Hat Security Advisory: Multicluster Engine for Kubernetes 2.0.9 security fixes and container updates

Multicluster Engine for Kubernetes 2.0.9 General Availability release images, which fix security issues and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-32313: A flaw was found in the vm2. After making a vm, the inspect method is read-write for console.log, which allows an attacker to edit options for console.log. This issue impacts the integrity by changing the log subsystem. * CVE-2023-32314: A flaw was found in the vm2 sandbox. When a host o...

Red Hat Security Advisory 2023-3326-01

Red Hat Security Advisory 2023-3326-01 - Red Hat Advanced Cluster Management for Kubernetes 2.6.6 images. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs.

Red Hat Security Advisory 2023-3325-01

Red Hat Security Advisory 2023-3325-01 - Multicluster Engine for Kubernetes 2.1.7 images Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy.

Red Hat Security Advisory 2023-3296-01

Red Hat Security Advisory 2023-3296-01 - Multicluster Engine for Kubernetes 2.2.4 images Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy.

Red Hat Security Advisory 2023-3296-01

Red Hat Security Advisory 2023-3296-01 - Multicluster Engine for Kubernetes 2.2.4 images Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy.

Red Hat Security Advisory 2023-3296-01

Red Hat Security Advisory 2023-3296-01 - Multicluster Engine for Kubernetes 2.2.4 images Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy.

Red Hat Security Advisory 2023-3296-01

Red Hat Security Advisory 2023-3296-01 - Multicluster Engine for Kubernetes 2.2.4 images Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy.

Red Hat Security Advisory 2023-3296-01

Red Hat Security Advisory 2023-3296-01 - Multicluster Engine for Kubernetes 2.2.4 images Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy.

Red Hat Security Advisory 2023-3296-01

Red Hat Security Advisory 2023-3296-01 - Multicluster Engine for Kubernetes 2.2.4 images Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy.

Red Hat Security Advisory 2023-3296-01

Red Hat Security Advisory 2023-3296-01 - Multicluster Engine for Kubernetes 2.2.4 images Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy.

Red Hat Security Advisory 2023-3296-01

Red Hat Security Advisory 2023-3296-01 - Multicluster Engine for Kubernetes 2.2.4 images Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy.

Red Hat Security Advisory 2023-3297-01

Red Hat Security Advisory 2023-3297-01 - Red Hat Advanced Cluster Management for Kubernetes 2.7.4 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs.

Red Hat Security Advisory 2023-3297-01

Red Hat Security Advisory 2023-3297-01 - Red Hat Advanced Cluster Management for Kubernetes 2.7.4 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs.

Red Hat Security Advisory 2023-3297-01

Red Hat Security Advisory 2023-3297-01 - Red Hat Advanced Cluster Management for Kubernetes 2.7.4 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs.

Red Hat Security Advisory 2023-3297-01

Red Hat Security Advisory 2023-3297-01 - Red Hat Advanced Cluster Management for Kubernetes 2.7.4 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs.

RHSA-2023:3297: Red Hat Security Advisory: Red Hat Advanced Cluster Management 2.7.4 security fixes and container updates

Red Hat Advanced Cluster Management for Kubernetes 2.7.4 General Availability release images, which fix security issues and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-32313: A flaw was found in the vm2. After making a vm, the inspect method is read-write for console.log, which allows an attacker to edit options for console.log. This issue impacts the integrity by changing the log subsystem. * CVE-2023-32314: A flaw was found in the vm2 sandbo...

RHSA-2023:3297: Red Hat Security Advisory: Red Hat Advanced Cluster Management 2.7.4 security fixes and container updates

Red Hat Advanced Cluster Management for Kubernetes 2.7.4 General Availability release images, which fix security issues and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-32313: A flaw was found in the vm2. After making a vm, the inspect method is read-write for console.log, which allows an attacker to edit options for console.log. This issue impacts the integrity by changing the log subsystem. * CVE-2023-32314: A flaw was found in the vm2 sandbo...

RHSA-2023:3297: Red Hat Security Advisory: Red Hat Advanced Cluster Management 2.7.4 security fixes and container updates

Red Hat Advanced Cluster Management for Kubernetes 2.7.4 General Availability release images, which fix security issues and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-32313: A flaw was found in the vm2. After making a vm, the inspect method is read-write for console.log, which allows an attacker to edit options for console.log. This issue impacts the integrity by changing the log subsystem. * CVE-2023-32314: A flaw was found in the vm2 sandbo...

RHSA-2023:3297: Red Hat Security Advisory: Red Hat Advanced Cluster Management 2.7.4 security fixes and container updates

Red Hat Advanced Cluster Management for Kubernetes 2.7.4 General Availability release images, which fix security issues and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-32313: A flaw was found in the vm2. After making a vm, the inspect method is read-write for console.log, which allows an attacker to edit options for console.log. This issue impacts the integrity by changing the log subsystem. * CVE-2023-32314: A flaw was found in the vm2 sandbo...

RHSA-2023:3296: Red Hat Security Advisory: Multicluster Engine for Kubernetes 2.2.4 security fixes and container updates

Multicluster Engine for Kubernetes 2.2.4 General Availability release images, which fix security issues and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-32313: A flaw was found in the vm2. After making a vm, the inspect method is read-write for console.log, which allows an attacker to edit options for console.log. This issue impacts the integrity by changing the log subsystem. * CVE-2023-32314: A flaw was found in the vm2 sandbox. When a host ...

RHSA-2023:3296: Red Hat Security Advisory: Multicluster Engine for Kubernetes 2.2.4 security fixes and container updates

Multicluster Engine for Kubernetes 2.2.4 General Availability release images, which fix security issues and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-32313: A flaw was found in the vm2. After making a vm, the inspect method is read-write for console.log, which allows an attacker to edit options for console.log. This issue impacts the integrity by changing the log subsystem. * CVE-2023-32314: A flaw was found in the vm2 sandbox. When a host ...

RHSA-2023:3296: Red Hat Security Advisory: Multicluster Engine for Kubernetes 2.2.4 security fixes and container updates

Multicluster Engine for Kubernetes 2.2.4 General Availability release images, which fix security issues and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-32313: A flaw was found in the vm2. After making a vm, the inspect method is read-write for console.log, which allows an attacker to edit options for console.log. This issue impacts the integrity by changing the log subsystem. * CVE-2023-32314: A flaw was found in the vm2 sandbox. When a host ...

RHSA-2023:3296: Red Hat Security Advisory: Multicluster Engine for Kubernetes 2.2.4 security fixes and container updates

Multicluster Engine for Kubernetes 2.2.4 General Availability release images, which fix security issues and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-32313: A flaw was found in the vm2. After making a vm, the inspect method is read-write for console.log, which allows an attacker to edit options for console.log. This issue impacts the integrity by changing the log subsystem. * CVE-2023-32314: A flaw was found in the vm2 sandbox. When a host ...

RHSA-2023:3296: Red Hat Security Advisory: Multicluster Engine for Kubernetes 2.2.4 security fixes and container updates

Multicluster Engine for Kubernetes 2.2.4 General Availability release images, which fix security issues and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-32313: A flaw was found in the vm2. After making a vm, the inspect method is read-write for console.log, which allows an attacker to edit options for console.log. This issue impacts the integrity by changing the log subsystem. * CVE-2023-32314: A flaw was found in the vm2 sandbox. When a host ...

RHSA-2023:3296: Red Hat Security Advisory: Multicluster Engine for Kubernetes 2.2.4 security fixes and container updates

Multicluster Engine for Kubernetes 2.2.4 General Availability release images, which fix security issues and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-32313: A flaw was found in the vm2. After making a vm, the inspect method is read-write for console.log, which allows an attacker to edit options for console.log. This issue impacts the integrity by changing the log subsystem. * CVE-2023-32314: A flaw was found in the vm2 sandbox. When a host ...

RHSA-2023:3296: Red Hat Security Advisory: Multicluster Engine for Kubernetes 2.2.4 security fixes and container updates

Multicluster Engine for Kubernetes 2.2.4 General Availability release images, which fix security issues and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-32313: A flaw was found in the vm2. After making a vm, the inspect method is read-write for console.log, which allows an attacker to edit options for console.log. This issue impacts the integrity by changing the log subsystem. * CVE-2023-32314: A flaw was found in the vm2 sandbox. When a host ...

RHSA-2023:3296: Red Hat Security Advisory: Multicluster Engine for Kubernetes 2.2.4 security fixes and container updates

Multicluster Engine for Kubernetes 2.2.4 General Availability release images, which fix security issues and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-32313: A flaw was found in the vm2. After making a vm, the inspect method is read-write for console.log, which allows an attacker to edit options for console.log. This issue impacts the integrity by changing the log subsystem. * CVE-2023-32314: A flaw was found in the vm2 sandbox. When a host ...

RHSA-2023:3265: Red Hat Security Advisory: Red Hat OpenShift Data Foundation 4.12.3 Security and Bug fix update

Updated images that fix several bugs are now available for Red Hat OpenShift Data Foundation 4.12.3 on Red Hat Enterprise Linux 8 from Red Hat Container Registry. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-23539: A flaw was found in the jsonwebtoken package. The affected versions of the `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. *...

RHSA-2023:3265: Red Hat Security Advisory: Red Hat OpenShift Data Foundation 4.12.3 Security and Bug fix update

Updated images that fix several bugs are now available for Red Hat OpenShift Data Foundation 4.12.3 on Red Hat Enterprise Linux 8 from Red Hat Container Registry. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-23539: A flaw was found in the jsonwebtoken package. The affected versions of the `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. *...

CVE-2023-23694: DSA-2023-071: Dell VxRail Security Update for Multiple Third-Party Component Vulnerabilities – 7.0.450

Dell VxRail versions earlier than 7.0.450, contain(s) an OS command injection vulnerability in VxRail Manager. A local authenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker.

RHSA-2023:1326: Red Hat Security Advisory: OpenShift Container Platform 4.13.0 security update

Red Hat OpenShift Container Platform release 4.13.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4235: A flaw was found in go-yaml. This issue occurs due to unbounded alias chasing, where a maliciously crafted YAML file can cause the system to consume significant system resources. If p...

GHSA-p5gc-c584-jj6v: vm2 vulnerable to Inspect Manipulation

In versions 3.9.17 and lower of vm2 it was possible to get a read-write reference to the node `inspect` method and edit options for `console.log`. ### Impact A threat actor can edit options for `console.log`. ### Patches This vulnerability was patched in the release of version `3.9.18` of `vm2`. ### Workarounds After creating a vm make the `inspect` method readonly with `vm.readonly(inspect)`. ### References PoC - https://gist.github.com/arkark/c1c57eaf3e0a649af1a70c2b93b17550 ### For more information If you have any questions or comments about this advisory: - Open an issue in [VM2](https://github.com/patriksimek/vm2) Thanks to @arkark (Takeshi Kaneko) of GMO Cybersecurity by Ierae, Inc. for disclosing this vulnerability.

Red Hat Security Advisory 2023-2948-01

Red Hat Security Advisory 2023-2948-01 - The device-mapper-multipath packages provide tools that use the device-mapper multipath kernel module to manage multipath devices. Issues addressed include an insecure handling vulnerability.

RHSA-2023:3106: Red Hat Security Advisory: curl security and bug fix update

An update for curl is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-27535: A flaw was found in the Curl package. Libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, several FTP settings were left out from the configuration match checks, making them match too easily. The problematic settings are `CURLOPT_FTP_ACCOUNT`, `CURLOPT_FTP_ALTERN...

RHSA-2023:3018: Red Hat Security Advisory: libarchive security update

An update for libarchive is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-36227: A flaw was found in libarchive. A missing check of the return value of the calloc function can cause a NULL pointer dereference in an out-of-memory condition or when a memory allocation limit is reached, resulting in the program linked with libarchive to crash.

RHSA-2023:3000: Red Hat Security Advisory: dhcp security and bug fix update

An update for dhcp is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2928: An integer overflow vulnerability was found in the DHCP server. When the "option_code_hash_lookup()" function is called from "add_option()", it increases the option's "refcount" field. However, there is not a corresponding call to "option_dereference()" to decrement the "refcount" field. The "add_option()" function is only used in server responses to...

RHSA-2023:3000: Red Hat Security Advisory: dhcp security and bug fix update

An update for dhcp is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2928: An integer overflow vulnerability was found in the DHCP server. When the "option_code_hash_lookup()" function is called from "add_option()", it increases the option's "refcount" field. However, there is not a corresponding call to "option_dereference()" to decrement the "refcount" field. The "add_option()" function is only used in server responses to...

RHSA-2023:2792: Red Hat Security Advisory: bind9.16 security and bug fix update

An update for bind9.16 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2795: A flaw was found in bind. When flooding the target resolver with special queries, an attacker can significantly impair the resolver's performance, effectively denying legitimate clients access to the DNS resolution service. * CVE-2022-3094: A flaw was found in Bind, where sending a flood of dynamic DNS updates may cause named to allocate large am...

GHSA-whpj-8f3w-67p5: vm2 Sandbox Escape vulnerability

A sandbox escape vulnerability exists in vm2 for versions up to 3.9.17. It abuses an unexpected creation of a host object based on the specification of `Proxy`. ### Impact A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. ### Patches This vulnerability was patched in the release of version `3.9.18` of `vm2`. ### Workarounds None. ### References PoC - https://gist.github.com/arkark/e9f5cf5782dec8321095be3e52acf5ac ### For more information If you have any questions or comments about this advisory: - Open an issue in [VM2](https://github.com/patriksimek/vm2) Thanks to @arkark (Takeshi Kaneko) of GMO Cybersecurity by Ierae, Inc. for disclosing this vulnerability.

CVE-2023-32314: Sandbox Escape in [email protected]

vm2 is a sandbox that can run untrusted code with Node's built-in modules. A sandbox escape vulnerability exists in vm2 for versions up to and including 3.9.17. It abuses an unexpected creation of a host object based on the specification of `Proxy`. As a result a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version `3.9.18` of `vm2`. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVE-2023-32313: Inspect method should be readonly · patriksimek/vm2@5206ba2

vm2 is a sandbox that can run untrusted code with Node's built-in modules. In versions 3.9.17 and lower of vm2 it was possible to get a read-write reference to the node `inspect` method and edit options for `console.log`. As a result a threat actor can edit options for the `console.log` command. This vulnerability was patched in the release of version `3.9.18` of `vm2`. Users are advised to upgrade. Users unable to upgrade may make the `inspect` method readonly with `vm.readonly(inspect)` after creating a vm.

RHSA-2023:2710: Red Hat Security Advisory: Red Hat Single Sign-On 7.6.3 for OpenShift image security update

A new image is available for Red Hat Single Sign-On 7.6.3, running on Red Hat OpenShift Container Platform from the release of 3.11 up to the release of 4.12.0. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-0341: In verifyHostName of OkHostnameVerifier.java, there is a possible way to accept a certificate for the wrong domain due to improperly used crypto. This could lead to remote information disclosure with no additional execution privileges needed. User interaction...

Red Hat Security Advisory 2023-2502-01

Red Hat Security Advisory 2023-2502-01 - The Dynamic Host Configuration Protocol is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The dhcp packages provide a relay agent and ISC DHCP service required to enable and administer DHCP on a network. Issues addressed include a memory leak vulnerability.

Red Hat Security Advisory 2023-2502-01

Red Hat Security Advisory 2023-2502-01 - The Dynamic Host Configuration Protocol is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The dhcp packages provide a relay agent and ISC DHCP service required to enable and administer DHCP on a network. Issues addressed include a memory leak vulnerability.

RHSA-2023:2650: Red Hat Security Advisory: curl security update

An update for curl is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-27535: A flaw was found in the Curl package. Libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, several FTP settings were left out from the configuration match checks, making them match too easily. The problematic settings are `CURLOPT_FTP_ACCOUNT`, `CURLOPT_FTP_ALTERN...

RHSA-2023:2532: Red Hat Security Advisory: libarchive security update

An update for libarchive is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-36227: A flaw was found in libarchive. A missing check of the return value of the calloc function can cause a NULL pointer dereference in an out-of-memory condition or when a memory allocation limit is reached, resulting in the program linked with libarchive to crash.

RHSA-2023:2459: Red Hat Security Advisory: device-mapper-multipath security and bug fix update

An update for device-mapper-multipath is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41973: A vulnerability was found in the device-mapper-multipath. The device-mapper-multipath allows local users to obtain root access, in conjunction with CVE-2022-41974. Local users that are able to access /dev/shm can change symlinks in multipathd due to incorrect symlink handling, which may lead to controlled file writes outside of th...

RHSA-2023:2502: Red Hat Security Advisory: dhcp security and enhancement update

An update for dhcp is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2928: An integer overflow vulnerability was found in the DHCP server. When the "option_code_hash_lookup()" function is called from "add_option()", it increases the option's "refcount" field. However, there is not a corresponding call to "option_dereference()" to decrement the "refcount" field. The "add_option()" function is only used in server responses to...

RHSA-2023:2502: Red Hat Security Advisory: dhcp security and enhancement update

An update for dhcp is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2928: An integer overflow vulnerability was found in the DHCP server. When the "option_code_hash_lookup()" function is called from "add_option()", it increases the option's "refcount" field. However, there is not a corresponding call to "option_dereference()" to decrement the "refcount" field. The "add_option()" function is only used in server responses to...

Red Hat Security Advisory 2023-2104-01

Red Hat Security Advisory 2023-2104-01 - Red Hat Advanced Cluster Management for Kubernetes 2.5.8 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs. Issues addressed include a denial of service vulnerability.

RHSA-2023:2107: Red Hat Security Advisory: Migration Toolkit for Containers (MTC) 1.7.9 security and bug fix update

The Migration Toolkit for Containers (MTC) 1.7.9 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41724: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused when processing large TLS handshake records. By sending specially-crafted TLS handshake records, a remote, authenticated attacker can cause a denial of service condition. * CVE-2022-41725: A flaw was found in Go, where it is vulnerable to a denial of service caused by...

RHSA-2023:2104: Red Hat Security Advisory: Red Hat Advanced Cluster Management 2.5.8 security updates and bug fixes

Red Hat Advanced Cluster Management for Kubernetes 2.5.8 General Availability release images, which fix bugs and security updates container images. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25881: A flaw was found in http-cache-semantics. When the server reads the cache policy from the request using this library, a Regular Expression Denial of Service occurs, caused by malicious request header values sent to the server.

Gentoo Linux Security Advisory 202305-22

Gentoo Linux Security Advisory 202305-22 - Multiple vulnerabilities have been discovered in ISC DHCP, the worst of which could result in denial of service. Versions less than 4.4.3_p1 are affected.

Gentoo Linux Security Advisory 202305-22

Gentoo Linux Security Advisory 202305-22 - Multiple vulnerabilities have been discovered in ISC DHCP, the worst of which could result in denial of service. Versions less than 4.4.3_p1 are affected.

RHSA-2023:2098: Red Hat Security Advisory: Multicluster Engine for Kubernetes 2.0.8 security updates and bug fixes

Multicluster Engine for Kubernetes 2.0.8 General Availability release images, which fix bugs and security updates container images. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25881: A flaw was found in http-cache-semantics. When the server reads the cache policy from the request using this library, a Regular Expression Denial of Service occurs, caused by malicious request header values sent to the server.

RHSA-2023:2083: Red Hat Security Advisory: Red Hat Advanced Cluster Management 2.6.5 security updates and bug fixes

Red Hat Advanced Cluster Management for Kubernetes 2.6.5 General Availability release images, which fix bugs and security updates container images. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3841: A Server-Side Request Forgery (SSRF) vulnerability was found in the console API endpoint from Red Hat Advanced Cluster Management for Kubernetes (RHACM). An attacker could take advantage of this as the console API endpoint is missing an authentication check, allowing unauth...

RHSA-2023:2023: Red Hat Security Advisory: Red Hat OpenShift Data Foundation 4.11.7 Bug Fix and security update

Updated images that fix several bugs are now available for Red Hat OpenShift Data Foundation 4.11.7 on Red Hat Enterprise Linux 8 from Red Hat Container Registry. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-40186: A flaw was found in HashiCorp Vault and Vault Enterprise, where they could allow a locally authenticated attacker to gain unauthorized access to the system, caused by a flaw in the alias naming schema implementation for mount accessors with shared alias n...

CVE-2023-27535

An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current setup. However, certain FTP settings such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the configuration match checks, causing them to match too easily. This could lead to libcurl using the wrong credentials when performing a transfer, potentially allowing unauthorized access to sensitive information.

Ubuntu Security Notice USN-5964-1

Ubuntu Security Notice 5964-1 - Harry Sintonen discovered that curl incorrectly handled certain TELNET connection options. Due to lack of proper input scrubbing, curl could pass on user name and telnet options to the server as provided, contrary to expectations. Harry Sintonen discovered that curl incorrectly handled special tilde characters when used with SFTP paths. A remote attacker could possibly use this issue to circumvent filtering.

Red Hat Security Advisory 2023-1200-01

Red Hat Security Advisory 2023-1200-01 - The gnutls packages provide the GNU Transport Layer Security library, which implements cryptographic algorithms and protocols such as SSL, TLS, and DTLS.

RHSA-2023:1200: Red Hat Security Advisory: gnutls security and bug fix update

An update for gnutls is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-0361: A timing side-channel vulnerability was found in RSA ClientKeyExchange messages in GnuTLS. This side-channel may be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption, the attacker would need to send a large amount of specially...

Debian Security Advisory 5366-1

Debian Linux Security Advisory 5366-1 - The Qualys Research Labs reported an authorization bypass (CVE-2022-41974) and a symlink attack (CVE-2022-41973) in multipath-tools, a set of tools to drive the Device Mapper multipathing driver, which may result in local privilege escalation.

Red Hat Security Advisory 2023-0402-01

Red Hat Security Advisory 2023-0402-01 - An update for bind is now available for Red Hat Enterprise Linux 7.

RHSA-2023:0402: Red Hat Security Advisory: bind security update

An update for bind is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-25220: bind: DNS forwarders - cache poisoning vulnerability * CVE-2022-2795: bind: processing large delegations may severely degrade resolver performance

Scanvus now supports Vulners and Vulns.io VM Linux vulnerability detection APIs

Hello everyone! Great news for my open source Scanvus project! You can now perform vulnerability checks on Linux hosts and docker images not only using the Vulners.com API, but also with the Vulns.io VM API. It’s especially nice that all the code to support the new API was written and contributed by colleagues from Vulns.io. […]

Scanvus now supports Vulners and Vulns.io VM Linux vulnerability detection APIs

Hello everyone! Great news for my open source Scanvus project! You can now perform vulnerability checks on Linux hosts and docker images not only using the Vulners.com API, but also with the Vulns.io VM API. It’s especially nice that all the code to support the new API was written and contributed by colleagues from Vulns.io. […]

Scanvus now supports Vulners and Vulns.io VM Linux vulnerability detection APIs

Hello everyone! Great news for my open source Scanvus project! You can now perform vulnerability checks on Linux hosts and docker images not only using the Vulners.com API, but also with the Vulns.io VM API. It’s especially nice that all the code to support the new API was written and contributed by colleagues from Vulns.io. […]

snap-confine must_mkdir_and_open_with_perms() Race Condition

Qualys discovered a race condition (CVE-2022-3328) in snap-confine, a SUID-root program installed by default on Ubuntu. In this advisory,they tell the story of this vulnerability (which was introduced in February 2022 by the patch for CVE-2021-44731) and detail how they exploited it in Ubuntu Server (a local privilege escalation, from any user to root) by combining it with two vulnerabilities in multipathd (an authorization bypass and a symlink attack, CVE-2022-41974 and CVE-2022-41973).

Critical Ping Vulnerability Allows Remote Attackers to Take Over FreeBSD Systems

The maintainers of the FreeBSD operating system have released updates to remediate a security vulnerability impacting the ping module that could be potentially exploited to crash the program or trigger remote code execution. The issue, assigned the identifier CVE-2022-23093, impacts all supported versions of FreeBSD and concerns a stack-based buffer overflow vulnerability in the ping service. "

Ubuntu Security Notice USN-5658-3

Ubuntu Security Notice 5658-3 - USN-5658-1 fixed several vulnerabilities in DHCP. This update provides the corresponding update for Ubuntu 14.04 ESM. It was discovered that DHCP incorrectly handled option reference counting. A remote attacker could possibly use this issue to cause DHCP servers to crash, resulting in a denial of service.

Ubuntu Security Notice USN-5658-3

Ubuntu Security Notice 5658-3 - USN-5658-1 fixed several vulnerabilities in DHCP. This update provides the corresponding update for Ubuntu 14.04 ESM. It was discovered that DHCP incorrectly handled option reference counting. A remote attacker could possibly use this issue to cause DHCP servers to crash, resulting in a denial of service.

CVE-2022-36227: There is a NULL pointer dereference vulnerability · Issue #1754 · libarchive/libarchive

In libarchive 3.6.1, the software does not check for an error after calling calloc function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference or, in some cases, even arbitrary code execution.

Ubuntu Security Notice USN-5731-1

Ubuntu Security Notice 5731-1 - It was discovered that multipath-tools incorrectly handled symlinks. A local attacker could possibly use this issue, in combination with other issues, to escalate privileges. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 22.10. It was discovered that multipath-tools incorrectly handled access controls. A local attacker could possibly use this issue, in combination with other issues, to escalate privileges.

Leeloo Multipath Authorization Bypass / Symlink Attack

The Qualys Research Team has discovered authorization bypass and symlink vulnerabilities in multipathd. The authorization bypass was introduced in version 0.7.0 and the symlink vulnerability was introduced in version 0.7.7.

CVE-2022-41973: Release 0.9.2: Merge pull request #46 from openSUSE/queue · opensvc/multipath-tools

multipath-tools 0.7.7 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited in conjunction with CVE-2022-41974. Local users able to access /dev/shm can change symlinks in multipathd due to incorrect symlink handling, which could lead to controlled file writes outside of the /dev/shm directory. This could be used indirectly for local privilege escalation to root.

CVE-2022-2929: CVE-2022-2929 DHCP memory leak

In ISC DHCP 1.0 -> 4.4.3, ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16-P1 a system with access to a DHCP server, sending DHCP packets crafted to include fqdn labels longer than 63 bytes, could eventually cause the server to run out of memory.

CVE-2022-2928: CVE-2022-2928 An option refcount overflow exists in dhcpd

In ISC DHCP 4.4.0 -> 4.4.3, ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16-P1, when the function option_code_hash_lookup() is called from add_option(), it increases the option's refcount field. However, there is not a corresponding call to option_dereference() to decrement the refcount field. The function add_option() is only used in server responses to lease query packets. Each lease query response calls this function for several options, so eventually, the reference counters could overflow and cause the server to abort.

Ubuntu Security Notice USN-5658-1

Ubuntu Security Notice 5658-1 - It was discovered that DHCP incorrectly handled option reference counting. A remote attacker could possibly use this issue to cause DHCP servers to crash, resulting in a denial of service. It was discovered that DHCP incorrectly handled certain memory operations. A remote attacker could possibly use this issue to cause DHCP clients and servers to consume resources, leading to a denial of service.

Ubuntu Security Notice USN-5658-1

Ubuntu Security Notice 5658-1 - It was discovered that DHCP incorrectly handled option reference counting. A remote attacker could possibly use this issue to cause DHCP servers to crash, resulting in a denial of service. It was discovered that DHCP incorrectly handled certain memory operations. A remote attacker could possibly use this issue to cause DHCP clients and servers to consume resources, leading to a denial of service.

Ubuntu Security Notice USN-5626-2

Ubuntu Security Notice 5626-2 - USN-5626-1 fixed several vulnerabilities in Bind. This update provides the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. Yehuda Afek, Anat Bremler-Barr, and Shani Stajnrod discovered that Bind incorrectly handled large delegations. A remote attacker could possibly use this issue to reduce performance, leading to a denial of service.

Ubuntu Security Notice USN-5626-1

Ubuntu Security Notice 5626-1 - Yehuda Afek, Anat Bremler-Barr, and Shani Stajnrod discovered that Bind incorrectly handled large delegations. A remote attacker could possibly use this issue to reduce performance, leading to a denial of service. It was discovered that Bind incorrectly handled statistics requests. A remote attacker could possibly use this issue to obtain sensitive memory contents, or cause a denial of service. This issue only affected Ubuntu 22.04 LTS.

CVE-2022-2795: CVE-2022-2795: Processing large delegations may severely degrade resolver performance - Security Advisories

By flooding the target resolver with queries exploiting this flaw an attacker can significantly impair the resolver's performance, effectively denying legitimate clients access to the DNS resolution service.