RHSA-2023:3325: Red Hat Security Advisory: Multicluster Engine for Kubernetes 2.1.7 security fixes and container updates
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2023-32313: A flaw was found in vm2. After a VM is created, the inspect method is read-write for console.log, which allows an attacker to edit the options for console.log. This issue impacts integrity by allowing changes to the log subsystem.
- CVE-2023-32314: A flaw was found in the vm2 sandbox. When a host object is created based on the Proxy specification, an attacker can bypass the sandbox protections. This may allow an attacker to achieve remote code execution on the host running the sandbox. This vulnerability impacts the confidentiality, integrity, and availability of the system.
Issued:
2023-05-25
Updated:
2023-05-25
Synopsis
Critical: Multicluster Engine for Kubernetes 2.1.7 security fixes and container updates
Type/Severity
Security Advisory: Critical
Topic
Multicluster Engine for Kubernetes 2.1.7 General Availability release images, which address security issues and update container images.
Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE links in the References section.
Description
Multicluster Engine for Kubernetes 2.1.7 images
Multicluster engine for Kubernetes provides the foundational components
that are necessary for the centralized management of multiple
Kubernetes-based clusters across data centers, public clouds, and private
clouds.
You can use the engine to create new Red Hat OpenShift Container Platform
clusters or to bring existing Kubernetes-based clusters under management by
importing them. After the clusters are managed, you can use the APIs that
are provided by the engine to distribute configuration based on placement
policy.
Security fix(es):
- CVE-2023-32314 vm2: Sandbox Escape
- CVE-2023-32313 vm2: Inspect Manipulation
Affected Products
- multicluster engine for Kubernetes Text-only Advisories x86_64
Fixes
- BZ - 2208376 - CVE-2023-32314 vm2: Sandbox Escape
- BZ - 2208377 - CVE-2023-32313 vm2: Inspect Manipulation
CVEs
- CVE-2022-2795
- CVE-2022-2928
- CVE-2022-2929
- CVE-2022-36227
- CVE-2022-41973
- CVE-2023-0361
- CVE-2023-27535
- CVE-2023-32313
- CVE-2023-32314
Updated Images (per-architecture image digest lists for aarch64, ppc64le, s390x and x86_64 omitted)
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
Related news
Ubuntu Security Notice 7070-1 - It was discovered that libarchive mishandled certain memory checks, which could result in a NULL pointer dereference. An attacker could potentially use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. It was discovered that libarchive mishandled certain memory operations, which could result in an out-of-bounds memory access. An attacker could potentially use this issue to cause a denial of service. This issue only affected Ubuntu 22.04 LTS and Ubuntu 24.04 LTS.
Gentoo Linux Security Advisory 202309-14 - Multiple vulnerabilities have been found in libarchive, the worst of which could result in denial of service. Versions greater than or equal to 3.7.1 are affected.
Secondary Scheduler Operator for Red Hat OpenShift 1.1.2 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-24532: A flaw was found in the crypto/internal/nistec golang library. The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars, such as a scalar larger than the order of the curve. This does not impact usages of crypto/ecdsa or crypto/ecdh. * CVE-2023-24534: A flaw was found in Golang Go...
Red Hat Security Advisory 2023-4575-01 - VolSync is a Kubernetes operator that enables asynchronous replication of persistent volumes within a cluster, or across clusters.
cert-manager Operator for Red Hat OpenShift 1.10.3 Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. * CVE-2022-41724: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused when processing large TLS handshake records. By sending specia...
Red Hat Security Advisory 2023-4488-01 - Red Hat OpenShift support for Windows Containers allows you to deploy Windows container workloads running on Windows Server containers.
Gatekeeper Operator v0.2 security fixes and enhancements Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-3089: A compliance problem was found in the Red Hat OpenShift Container Platform. Red Hat discovered that, when FIPS mode was enabled, not all of the cryptographic modules in use were FIPS-validated.
Red Hat Security Advisory 2023-4238-01 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Data Foundation. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform.
Red Hat OpenShift Container Platform release 4.13.5 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server c...
Vulnerability in the Oracle Hyperion Financial Reporting product of Oracle Hyperion (component: Repository). The supported version that is affected is 11.2.13.0.000. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Hyperion Financial Reporting. While the vulnerability is in Oracle Hyperion Financial Reporting, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hyperion Financial Reporting accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Hyperion Financial Reporting. CVSS 3.1 Base Score 8.5 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L).
Red Hat OpenShift Service Mesh 2.4.1 Containers Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-3089: A compliance problem was found in the Red Hat OpenShift Container Platform. Red Hat discovered that, when FIPS mode was enabled, not all of the cryptographic modules in use were FIPS-validated.
OpenShift API for Data Protection (OADP) 1.1.5 is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. * CVE-2023-24534: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused by memory exhaustion in the common function in H...
Red Hat Security Advisory 2023-3813-01 - An update for mtr-operator-bundle-container, mtr-operator-container, mtr-web-container, and mtr-web-executor-container is now available for Migration Toolkit for Runtimes 1 on RHEL 8.
Red Hat Security Advisory 2023-3742-02 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. Issues addressed include bypass, denial of service, and remote SQL injection vulnerabilities.
Updated images that include numerous enhancements, security, and bug fixes are now available in Red Hat Container Registry for Red Hat OpenShift Data Foundation 4.13.0 on Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-16250: A flaw was found in Vault and Vault Enterprise (“Vault”). In the affected versions of Vault, with the AWS Auth Method configured and under certain circumstances, the values relied upon by Vault to validate AWS IAM ident...
Red Hat Security Advisory 2023-3664-01 - Release of Security Advisory for the OpenShift Jenkins image and Jenkins agent base image.
Red Hat Security Advisory 2023-3644-01 - Red Hat OpenShift Service Mesh is the Red Hat distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. This advisory covers container images for the release.
Red Hat Security Advisory 2023-3645-01 - Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an OpenShift Container Platform installation. This advisory covers the RPM packages for the release. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-3624-01 - The Migration Toolkit for Containers enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-3609-01 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Data Foundation. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform.
Red Hat OpenShift Service Mesh Containers for 2.4.0. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-24540: A flaw was found in golang, where not all valid JavaScript white-space characters were considered white space. Due to this issue, templates containing white-space characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.
Updated images that fix several bugs are now available for Red Hat OpenShift Data Foundation 4.12.4 on Red Hat Enterprise Linux 8 from Red Hat Container Registry. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3172: A security issue was discovered in kube-apiserver that allows an aggregated API server to redirect client traffic to any URL. This issue leads to the client performing unexpected actions and forwarding the client's API server credentials to third parties.
Red Hat Security Advisory 2023-3495-01 - Logging Subsystem 5.7.2 - Red Hat OpenShift. Issues addressed include cross site scripting and denial of service vulnerabilities.
Logging Subsystem 5.7.2 - Red Hat OpenShift. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. * CVE-2023-27539: A denial of service vulnerability was found in rubygem-rack in how it parses headers. A carefully crafted input can cause header parsing to take an unexpe...
OpenShift Serverless version 1.29.0 contains a moderate security impact. The References section contains CVE links providing detailed severity ratings for each vulnerability. Ratings are based on a Common Vulnerability Scoring System (CVSS) base score. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. * CVE-2022-41724: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused when processing large TLS handshake records. By sending specially-crafted TLS handshake records, a remote, authenticated attacker ...
Red Hat Security Advisory 2023-3379-01 - Updated images are now available for Red Hat Advanced Cluster Security for Kubernetes (RHACS). The updated image includes security fixes. This release of RHACS includes a fix for CVE-2023-24540 by building RHACS with updated Golang.
Red Hat Security Advisory 2023-3356-01 - Red Hat Advanced Cluster Management for Kubernetes 2.5.9 images. Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs.
An update is now available for Red Hat Advanced Cluster Security for Kubernetes (RHACS). Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-24539: A flaw was found in golang where angle brackets (<>) were not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character could result in unexpectedly closing the CSS context and allowing for the injection of unexpected HTML if executed with untrusted inpu...
Dell SCG 5.14 contains an information disclosure vulnerability during the SRS to SCG upgrade path. A remote low privileged malicious user could potentially exploit this vulnerability to retrieve the plain text.
An update for mtr-operator-bundle-container, mtr-operator-container, mtr-web-container, and mtr-web-executor-container is now available for Migration Toolkit for Runtimes 1 on RHEL 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-46877: A flaw was found in Jackson Databind. This issue may allow a malicious user to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization. * CVE-2022-41854: Those using Sn...
Updated images are now available for Red Hat Advanced Cluster Security for Kubernetes (RHACS). The updated image includes security fixes. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-24540: A flaw was found in golang, where not all valid JavaScript white-space characters were considered white space. Due to this issue, templates containing white-space characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions...
Multicluster Engine for Kubernetes 2.0.9 General Availability release images, which fix security issues and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-32313: A flaw was found in the vm2. After making a vm, the inspect method is read-write for console.log, which allows an attacker to edit options for console.log. This issue impacts the integrity by changing the log subsystem. * CVE-2023-32314: A flaw was found in the vm2 sandbox. When a host o...
Red Hat Security Advisory 2023-3326-01 - Red Hat Advanced Cluster Management for Kubernetes 2.6.6 images. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs.
Red Hat Security Advisory 2023-3325-01 - Multicluster Engine for Kubernetes 2.1.7 images. Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy.
Red Hat Security Advisory 2023-3296-01 - Multicluster Engine for Kubernetes 2.2.4 images. Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy.
Red Hat Security Advisory 2023-3297-01 - Red Hat Advanced Cluster Management for Kubernetes 2.7.4 images. Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs.
Red Hat Advanced Cluster Management for Kubernetes 2.7.4 General Availability release images, which fix security issues and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-32313: A flaw was found in the vm2. After making a vm, the inspect method is read-write for console.log, which allows an attacker to edit options for console.log. This issue impacts the integrity by changing the log subsystem. * CVE-2023-32314: A flaw was found in the vm2 sandbo...
Multicluster Engine for Kubernetes 2.2.4 General Availability release images, which fix security issues and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-32313: A flaw was found in the vm2. After making a vm, the inspect method is read-write for console.log, which allows an attacker to edit options for console.log. This issue impacts the integrity by changing the log subsystem. * CVE-2023-32314: A flaw was found in the vm2 sandbox. When a host ...
Updated images that fix several bugs are now available for Red Hat OpenShift Data Foundation 4.12.3 on Red Hat Enterprise Linux 8 from Red Hat Container Registry. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-23539: A flaw was found in the jsonwebtoken package. The affected versions of the `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. *...
Dell VxRail versions earlier than 7.0.450, contain(s) an OS command injection vulnerability in VxRail Manager. A local authenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker.
Red Hat OpenShift Container Platform release 4.13.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4235: A flaw was found in go-yaml. This issue occurs due to unbounded alias chasing, where a maliciously crafted YAML file can cause the system to consume significant system resources. If p...
In versions 3.9.17 and lower of vm2 it was possible to get a read-write reference to the node `inspect` method and edit options for `console.log`.
### Impact
A threat actor can edit options for `console.log`.
### Patches
This vulnerability was patched in the release of version `3.9.18` of `vm2`.
### Workarounds
After creating a vm, make the `inspect` method readonly with `vm.readonly(inspect)`.
### References
PoC - https://gist.github.com/arkark/c1c57eaf3e0a649af1a70c2b93b17550
### For more information
If you have any questions or comments about this advisory:
- Open an issue in [VM2](https://github.com/patriksimek/vm2)
Thanks to @arkark (Takeshi Kaneko) of GMO Cybersecurity by Ierae, Inc. for disclosing this vulnerability.
Red Hat Security Advisory 2023-2948-01 - The device-mapper-multipath packages provide tools that use the device-mapper multipath kernel module to manage multipath devices. Issues addressed include an insecure handling vulnerability.
An update for curl is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-27535: A flaw was found in the Curl package. Libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, several FTP settings were left out from the configuration match checks, making them match too easily. The problematic settings are `CURLOPT_FTP_ACCOUNT`, `CURLOPT_FTP_ALTERN...
An update for libarchive is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-36227: A flaw was found in libarchive. A missing check of the return value of the calloc function can cause a NULL pointer dereference in an out-of-memory condition or when a memory allocation limit is reached, resulting in the program linked with libarchive to crash.
An update for dhcp is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2928: An integer overflow vulnerability was found in the DHCP server. When the "option_code_hash_lookup()" function is called from "add_option()", it increases the option's "refcount" field. However, there is not a corresponding call to "option_dereference()" to decrement the "refcount" field. The "add_option()" function is only used in server responses to...
An update for bind9.16 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2795: A flaw was found in bind. When flooding the target resolver with special queries, an attacker can significantly impair the resolver's performance, effectively denying legitimate clients access to the DNS resolution service. * CVE-2022-3094: A flaw was found in Bind, where sending a flood of dynamic DNS updates may cause named to allocate large am...
A sandbox escape vulnerability exists in vm2 for versions up to 3.9.17. It abuses an unexpected creation of a host object based on the specification of `Proxy`.
### Impact
A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.
### Patches
This vulnerability was patched in the release of version `3.9.18` of `vm2`.
### Workarounds
None.
### References
PoC - https://gist.github.com/arkark/e9f5cf5782dec8321095be3e52acf5ac
### For more information
If you have any questions or comments about this advisory:
- Open an issue in [VM2](https://github.com/patriksimek/vm2)
Thanks to @arkark (Takeshi Kaneko) of GMO Cybersecurity by Ierae, Inc. for disclosing this vulnerability.
vm2 is a sandbox that can run untrusted code with Node's built-in modules. A sandbox escape vulnerability exists in vm2 for versions up to and including 3.9.17. It abuses an unexpected creation of a host object based on the specification of `Proxy`. As a result a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version `3.9.18` of `vm2`. Users are advised to upgrade. There are no known workarounds for this vulnerability.
vm2 is a sandbox that can run untrusted code with Node's built-in modules. In versions 3.9.17 and lower of vm2 it was possible to get a read-write reference to the node `inspect` method and edit options for `console.log`. As a result a threat actor can edit options for the `console.log` command. This vulnerability was patched in the release of version `3.9.18` of `vm2`. Users are advised to upgrade. Users unable to upgrade may make the `inspect` method readonly with `vm.readonly(inspect)` after creating a vm.
A new image is available for Red Hat Single Sign-On 7.6.3, running on Red Hat OpenShift Container Platform from the release of 3.11 up to the release of 4.12.0. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-0341: In verifyHostName of OkHostnameVerifier.java, there is a possible way to accept a certificate for the wrong domain due to improperly used crypto. This could lead to remote information disclosure with no additional execution privileges needed. User interaction...
Red Hat Security Advisory 2023-2502-01 - The Dynamic Host Configuration Protocol is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The dhcp packages provide a relay agent and ISC DHCP service required to enable and administer DHCP on a network. Issues addressed include a memory leak vulnerability.
An update for curl is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-27535: A flaw was found in the Curl package. Libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, several FTP settings were left out from the configuration match checks, making them match too easily. The problematic settings are `CURLOPT_FTP_ACCOUNT`, `CURLOPT_FTP_ALTERN...
An update for libarchive is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-36227: A flaw was found in libarchive. A missing check of the return value of the calloc function can cause a NULL pointer dereference in an out-of-memory condition or when a memory allocation limit is reached, resulting in the program linked with libarchive to crash.
An update for device-mapper-multipath is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41973: A vulnerability was found in the device-mapper-multipath. The device-mapper-multipath allows local users to obtain root access, in conjunction with CVE-2022-41974. Local users that are able to access /dev/shm can change symlinks in multipathd due to incorrect symlink handling, which may lead to controlled file writes outside of th...
An update for dhcp is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2928: An integer overflow vulnerability was found in the DHCP server. When the "option_code_hash_lookup()" function is called from "add_option()", it increases the option's "refcount" field. However, there is not a corresponding call to "option_dereference()" to decrement the "refcount" field. The "add_option()" function is only used in server responses to...
Red Hat Security Advisory 2023-2104-01 - Red Hat Advanced Cluster Management for Kubernetes 2.5.8 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs. Issues addressed include a denial of service vulnerability.
The Migration Toolkit for Containers (MTC) 1.7.9 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41724: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused when processing large TLS handshake records. By sending specially-crafted TLS handshake records, a remote, authenticated attacker can cause a denial of service condition. * CVE-2022-41725: A flaw was found in Go, where it is vulnerable to a denial of service caused by...
Red Hat Advanced Cluster Management for Kubernetes 2.5.8 General Availability release images, which fix bugs and provide security updates to container images. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25881: A flaw was found in http-cache-semantics. When the server reads the cache policy from the request using this library, a Regular Expression Denial of Service occurs, caused by malicious request header values sent to the server.
Gentoo Linux Security Advisory 202305-22 - Multiple vulnerabilities have been discovered in ISC DHCP, the worst of which could result in denial of service. Versions less than 4.4.3_p1 are affected.
Multicluster Engine for Kubernetes 2.0.8 General Availability release images, which fix bugs and provide security updates to container images. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25881: A flaw was found in http-cache-semantics. When the server reads the cache policy from the request using this library, a Regular Expression Denial of Service occurs, caused by malicious request header values sent to the server.
Red Hat Advanced Cluster Management for Kubernetes 2.6.5 General Availability release images, which fix bugs and provide security updates to container images. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3841: A Server-Side Request Forgery (SSRF) vulnerability was found in the console API endpoint from Red Hat Advanced Cluster Management for Kubernetes (RHACM). An attacker could take advantage of this as the console API endpoint is missing an authentication check, allowing unauth...
Updated images that fix several bugs are now available for Red Hat OpenShift Data Foundation 4.11.7 on Red Hat Enterprise Linux 8 from Red Hat Container Registry. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-40186: A flaw was found in HashiCorp Vault and Vault Enterprise, where they could allow a locally authenticated attacker to gain unauthorized access to the system, caused by a flaw in the alias naming schema implementation for mount accessors with shared alias n...
An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current setup. However, certain FTP settings such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the configuration match checks, causing them to match too easily. This could lead to libcurl using the wrong credentials when performing a transfer, potentially allowing unauthorized access to sensitive information.
Ubuntu Security Notice 5964-1 - Harry Sintonen discovered that curl incorrectly handled certain TELNET connection options. Due to lack of proper input scrubbing, curl could pass on user name and telnet options to the server as provided, contrary to expectations. Harry Sintonen discovered that curl incorrectly handled special tilde characters when used with SFTP paths. A remote attacker could possibly use this issue to circumvent filtering.
Red Hat Security Advisory 2023-1200-01 - The gnutls packages provide the GNU Transport Layer Security library, which implements cryptographic algorithms and protocols such as SSL, TLS, and DTLS.
An update for gnutls is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-0361: A timing side-channel vulnerability was found in RSA ClientKeyExchange messages in GnuTLS. This side-channel may be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption, the attacker would need to send a large amount of specially...
Debian Linux Security Advisory 5366-1 - The Qualys Research Labs reported an authorization bypass (CVE-2022-41974) and a symlink attack (CVE-2022-41973) in multipath-tools, a set of tools to drive the Device Mapper multipathing driver, which may result in local privilege escalation.
Red Hat Security Advisory 2023-0402-01 - An update for bind is now available for Red Hat Enterprise Linux 7.
An update for bind is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-25220: bind: DNS forwarders - cache poisoning vulnerability * CVE-2022-2795: bind: processing large delegations may severely degrade resolver performance
Hello everyone! Great news for my open source Scanvus project! You can now perform vulnerability checks on Linux hosts and docker images not only using the Vulners.com API, but also with the Vulns.io VM API. It’s especially nice that all the code to support the new API was written and contributed by colleagues from Vulns.io. […]
Qualys discovered a race condition (CVE-2022-3328) in snap-confine, a SUID-root program installed by default on Ubuntu. In this advisory, they tell the story of this vulnerability (which was introduced in February 2022 by the patch for CVE-2021-44731) and detail how they exploited it in Ubuntu Server (a local privilege escalation, from any user to root) by combining it with two vulnerabilities in multipathd (an authorization bypass and a symlink attack, CVE-2022-41974 and CVE-2022-41973).
The maintainers of the FreeBSD operating system have released updates to remediate a security vulnerability impacting the ping module that could be potentially exploited to crash the program or trigger remote code execution. The issue, assigned the identifier CVE-2022-23093, impacts all supported versions of FreeBSD and concerns a stack-based buffer overflow vulnerability in the ping service.
Ubuntu Security Notice 5658-3 - USN-5658-1 fixed several vulnerabilities in DHCP. This update provides the corresponding update for Ubuntu 14.04 ESM. It was discovered that DHCP incorrectly handled option reference counting. A remote attacker could possibly use this issue to cause DHCP servers to crash, resulting in a denial of service.
In libarchive 3.6.1, the software does not check for an error after calling the calloc function, which can return a NULL pointer if it fails. This leads to a resultant NULL pointer dereference or, in some cases, even arbitrary code execution.
Ubuntu Security Notice 5731-1 - It was discovered that multipath-tools incorrectly handled symlinks. A local attacker could possibly use this issue, in combination with other issues, to escalate privileges. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 22.10. It was discovered that multipath-tools incorrectly handled access controls. A local attacker could possibly use this issue, in combination with other issues, to escalate privileges.
The Qualys Research Team has discovered authorization bypass and symlink vulnerabilities in multipathd. The authorization bypass was introduced in version 0.7.0 and the symlink vulnerability was introduced in version 0.7.7.
multipath-tools 0.7.7 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited in conjunction with CVE-2022-41974. Local users able to access /dev/shm can change symlinks in multipathd due to incorrect symlink handling, which could lead to controlled file writes outside of the /dev/shm directory. This could be used indirectly for local privilege escalation to root.
In ISC DHCP 1.0 -> 4.4.3, ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16-P1 a system with access to a DHCP server, sending DHCP packets crafted to include fqdn labels longer than 63 bytes, could eventually cause the server to run out of memory.
In ISC DHCP 4.4.0 -> 4.4.3, ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16-P1, when the function option_code_hash_lookup() is called from add_option(), it increases the option's refcount field. However, there is not a corresponding call to option_dereference() to decrement the refcount field. The function add_option() is only used in server responses to lease query packets. Each lease query response calls this function for several options, so eventually, the reference counters could overflow and cause the server to abort.
Ubuntu Security Notice 5658-1 - It was discovered that DHCP incorrectly handled option reference counting. A remote attacker could possibly use this issue to cause DHCP servers to crash, resulting in a denial of service. It was discovered that DHCP incorrectly handled certain memory operations. A remote attacker could possibly use this issue to cause DHCP clients and servers to consume resources, leading to a denial of service.
Ubuntu Security Notice 5626-2 - USN-5626-1 fixed several vulnerabilities in Bind. This update provides the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. Yehuda Afek, Anat Bremler-Barr, and Shani Stajnrod discovered that Bind incorrectly handled large delegations. A remote attacker could possibly use this issue to reduce performance, leading to a denial of service.
Ubuntu Security Notice 5626-1 - Yehuda Afek, Anat Bremler-Barr, and Shani Stajnrod discovered that Bind incorrectly handled large delegations. A remote attacker could possibly use this issue to reduce performance, leading to a denial of service. It was discovered that Bind incorrectly handled statistics requests. A remote attacker could possibly use this issue to obtain sensitive memory contents, or cause a denial of service. This issue only affected Ubuntu 22.04 LTS.
By flooding the target resolver with queries exploiting this flaw an attacker can significantly impair the resolver's performance, effectively denying legitimate clients access to the DNS resolution service.