RHSA-2023:1141: Red Hat Security Advisory: gnutls security and bug fix update
An update for gnutls is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2023-0361: A timing side-channel vulnerability was found in RSA ClientKeyExchange messages in GnuTLS. This side-channel may be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption, the attacker would need to send a large amount of specially crafted messages to the vulnerable server. By recovering the secret from the ClientKeyExchange message, the attacker would be able to decrypt the application data exchanged over that connection.
Issued: 2023-03-07
Updated: 2023-03-07
RHSA-2023:1141 - Security Advisory
Synopsis
Moderate: gnutls security and bug fix update
Type/Severity
Security Advisory: Moderate
Topic
An update for gnutls is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The gnutls packages provide the GNU Transport Layer Security (GnuTLS) library, which implements cryptographic algorithms and protocols such as SSL, TLS, and DTLS.
Security Fix(es):
- gnutls: timing side-channel in the TLS RSA key exchange code (CVE-2023-0361)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
- CCM tag length should be limited to known values (BZ#2144535)
- In FIPS mode, gnutls should reject RSASSA-PSS salt lengths larger than the output size of the hash function used, or provide an indicator (BZ#2144537)
- dracut-cmdline[554]: Error in GnuTLS initialization: Error while performing self checks in FIPS mode (BZ#2149640)
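A way to check whether an installed gnutls build is at or above the fixed build 3.7.6-18.el9_1 that this advisory ships, as an added example that is not part of the advisory or of the gnutls project: it ports rpm's rpmvercmp() segment ordering (tilde and caret included) to Python and applies it to epoch:version-release strings such as those printed by `rpm -q --qf '%{NAME} %{EPOCHNUM}:%{VERSION}-%{RELEASE}\n' gnutls`. The sample rpm output embedded below is constructed, and the function names are this example's own.

```python
import re

FIXED_EVR = "3.7.6-18.el9_1"  # fixed build from this advisory (epoch 0)

# Constructed sample, in the shape printed by:
#   rpm -q --qf '%{NAME} %{EPOCHNUM}:%{VERSION}-%{RELEASE}\n' gnutls gnutls-utils gnutls-dane
SAMPLE_RPM_OUTPUT = """\
gnutls 0:3.7.6-17.el9_1
gnutls-utils 0:3.7.6-18.el9_1
gnutls-dane 0:3.7.6-12.el9
"""


def _alnum(c: str) -> bool:
    return c.isascii() and c.isalnum()


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): -1 if a < b, 0 if equal, 1 if a > b.

    Strings are compared segment by segment: runs of digits numerically,
    runs of letters by strcmp; a numeric segment beats an alphabetic one;
    '~' sorts before everything (even end of string) and '^' sorts after
    end of string but before any other segment.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # separators are anything that is neither alphanumeric nor '~'/'^'
        while i < len(a) and not (_alnum(a[i]) or a[i] in "~^"):
            i += 1
        while j < len(b) and not (_alnum(b[j]) or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        isnum = ca.isdigit()
        pattern = r"[0-9]+" if isnum else r"[A-Za-z]+"
        seg_a = re.match(pattern, a[i:]).group(0)
        mb = re.match(pattern, b[j:])
        seg_b = mb.group(0) if mb else ""
        i, j = i + len(seg_a), j + len(seg_b)
        if not seg_b:  # segments of different type: numeric is newer
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):  # more significant digits wins
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # whichever still has characters left wins


def parse_evr(evr: str):
    """Split '[epoch:]version-release' into (epoch, version, release)."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    """Compare two EVR strings the way rpm orders packages: epoch, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_fixed(installed_evr: str, fixed_evr: str = FIXED_EVR) -> bool:
    """True when the installed build is at or above the advisory's fixed build."""
    return evrcmp(installed_evr, fixed_evr) >= 0


def audit(rpm_output: str, fixed_evr: str = FIXED_EVR) -> dict:
    """Map each 'NAME EVR' line of rpm -q output to True if it still needs this update."""
    needs_update = {}
    for line in rpm_output.splitlines():
        if not line.strip():
            continue
        name, evr = line.split()
        needs_update[name] = not is_fixed(evr, fixed_evr)
    return needs_update


if __name__ == "__main__":
    for name, outdated in audit(SAMPLE_RPM_OUTPUT).items():
        print(f"{name}: {'UPDATE NEEDED' if outdated else 'ok'}")
```

The check follows rpm's ordering, so any build that sorts above 3.7.6-18.el9_1 counts as fixed; it says nothing about third-party rebuilds or other product streams, which this advisory does not cover.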
Affected Products
- Red Hat Enterprise Linux for x86_64 9 x86_64
- Red Hat Enterprise Linux for IBM z Systems 9 s390x
- Red Hat Enterprise Linux for Power, little endian 9 ppc64le
- Red Hat Enterprise Linux for ARM 64 9 aarch64
Fixes
- BZ - 2144537 - In FIPS mode, gnutls should reject RSASSA-PSS salt lengths larger than the output size of the hash function used, or provide an indicator [rhel-9.1.0.z]
- BZ - 2149640 - dracut-cmdline[554]: Error in GnuTLS initialization: Error while performing self checks in FIPS mode [rhel-9.1.0.z]
- BZ - 2162596 - CVE-2023-0361 gnutls: timing side-channel in the TLS RSA key exchange code
Updated Packages
Red Hat Enterprise Linux for x86_64 9
SRPM
- gnutls-3.7.6-18.el9_1.src.rpm
x86_64
- gnutls-3.7.6-18.el9_1.i686.rpm
- gnutls-3.7.6-18.el9_1.x86_64.rpm
- gnutls-c++-3.7.6-18.el9_1.i686.rpm
- gnutls-c++-3.7.6-18.el9_1.x86_64.rpm
- gnutls-c++-debuginfo-3.7.6-18.el9_1.i686.rpm
- gnutls-c++-debuginfo-3.7.6-18.el9_1.x86_64.rpm
- gnutls-dane-3.7.6-18.el9_1.i686.rpm
- gnutls-dane-3.7.6-18.el9_1.x86_64.rpm
- gnutls-dane-debuginfo-3.7.6-18.el9_1.i686.rpm
- gnutls-dane-debuginfo-3.7.6-18.el9_1.x86_64.rpm
- gnutls-debuginfo-3.7.6-18.el9_1.i686.rpm
- gnutls-debuginfo-3.7.6-18.el9_1.x86_64.rpm
- gnutls-debugsource-3.7.6-18.el9_1.i686.rpm
- gnutls-debugsource-3.7.6-18.el9_1.x86_64.rpm
- gnutls-devel-3.7.6-18.el9_1.i686.rpm
- gnutls-devel-3.7.6-18.el9_1.x86_64.rpm
- gnutls-utils-3.7.6-18.el9_1.x86_64.rpm
- gnutls-utils-debuginfo-3.7.6-18.el9_1.i686.rpm
- gnutls-utils-debuginfo-3.7.6-18.el9_1.x86_64.rpm
Red Hat Enterprise Linux for IBM z Systems 9
SRPM
- gnutls-3.7.6-18.el9_1.src.rpm
s390x
- gnutls-3.7.6-18.el9_1.s390x.rpm
- gnutls-c++-3.7.6-18.el9_1.s390x.rpm
- gnutls-c++-debuginfo-3.7.6-18.el9_1.s390x.rpm
- gnutls-dane-3.7.6-18.el9_1.s390x.rpm
- gnutls-dane-debuginfo-3.7.6-18.el9_1.s390x.rpm
- gnutls-debuginfo-3.7.6-18.el9_1.s390x.rpm
- gnutls-debugsource-3.7.6-18.el9_1.s390x.rpm
- gnutls-devel-3.7.6-18.el9_1.s390x.rpm
- gnutls-utils-3.7.6-18.el9_1.s390x.rpm
- gnutls-utils-debuginfo-3.7.6-18.el9_1.s390x.rpm
Red Hat Enterprise Linux for Power, little endian 9
SRPM
- gnutls-3.7.6-18.el9_1.src.rpm
ppc64le
- gnutls-3.7.6-18.el9_1.ppc64le.rpm
- gnutls-c++-3.7.6-18.el9_1.ppc64le.rpm
- gnutls-c++-debuginfo-3.7.6-18.el9_1.ppc64le.rpm
- gnutls-dane-3.7.6-18.el9_1.ppc64le.rpm
- gnutls-dane-debuginfo-3.7.6-18.el9_1.ppc64le.rpm
- gnutls-debuginfo-3.7.6-18.el9_1.ppc64le.rpm
- gnutls-debugsource-3.7.6-18.el9_1.ppc64le.rpm
- gnutls-devel-3.7.6-18.el9_1.ppc64le.rpm
- gnutls-utils-3.7.6-18.el9_1.ppc64le.rpm
- gnutls-utils-debuginfo-3.7.6-18.el9_1.ppc64le.rpm
Red Hat Enterprise Linux for ARM 64 9
SRPM
- gnutls-3.7.6-18.el9_1.src.rpm
aarch64
- gnutls-3.7.6-18.el9_1.aarch64.rpm
- gnutls-c++-3.7.6-18.el9_1.aarch64.rpm
- gnutls-c++-debuginfo-3.7.6-18.el9_1.aarch64.rpm
- gnutls-dane-3.7.6-18.el9_1.aarch64.rpm
- gnutls-dane-debuginfo-3.7.6-18.el9_1.aarch64.rpm
- gnutls-debuginfo-3.7.6-18.el9_1.aarch64.rpm
- gnutls-debugsource-3.7.6-18.el9_1.aarch64.rpm
- gnutls-devel-3.7.6-18.el9_1.aarch64.rpm
- gnutls-utils-3.7.6-18.el9_1.aarch64.rpm
- gnutls-utils-debuginfo-3.7.6-18.el9_1.aarch64.rpm
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.
Related news
Vulnerability in the Sun ZFS Storage Appliance product of Oracle Systems (component: Core). The supported version that is affected is 8.8.60. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Sun ZFS Storage Appliance. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Sun ZFS Storage Appliance. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
Red Hat Security Advisory 2023-4694-01 - Red Hat OpenStack Platform (RHOSP) 16.2.z (Train) director Operator containers are now available. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2023-4488-01 - Red Hat OpenShift support for Windows Containers allows you to deploy Windows container workloads running on Windows Server containers.
Red Hat OpenShift Container Platform release 4.13.5 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server c...
Vulnerability in the Oracle Hyperion Financial Reporting product of Oracle Hyperion (component: Repository). The supported version that is affected is 11.2.13.0.000. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Hyperion Financial Reporting. While the vulnerability is in Oracle Hyperion Financial Reporting, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hyperion Financial Reporting accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Hyperion Financial Reporting. CVSS 3.1 Base Score 8.5 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L).
Red Hat OpenShift Service Mesh 2.4.1 Containers Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-3089: A compliance problem was found in the Red Hat OpenShift Container Platform. Red Hat discovered that, when FIPS mode was enabled, not all of the cryptographic modules in use were FIPS-validated.
Red Hat Security Advisory 2023-3615-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.12.22. Issues addressed include a denial of service vulnerability.
Dell VxRail, version(s) 8.0.100 and earlier contain a denial-of-service vulnerability in the upgrade functionality. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to degraded performance and system malfunction.
Red Hat Security Advisory 2023-3664-01 - Release of Security Advisory for the OpenShift Jenkins image and Jenkins agent base image.
Red Hat Security Advisory 2023-3624-01 - The Migration Toolkit for Containers enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Issues addressed include a denial of service vulnerability.
Red Hat OpenShift Service Mesh 2.2.7 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-20329: A flaw was found in Mongo. Specific cstrings input may not be properly validated in the MongoDB Go Driver when marshaling Go objects into BSON. This flaw allows a malicious user to use a Go object with a specific string to inject additional fields into marshaled documents. * CVE-2021-43138: A vulnerability was found in the async package. This flaw allows a malicious user to obtai...
Red Hat OpenShift Container Platform release 4.11.43 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.11. Red Hat Product Security has rated this update as having a security impact of [impact]. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-38561: A flaw was found in golang. The language package for go language can panic due to an out-of-bounds read when an incorrectly formatted language tag is being parsed. This flaw allows a...
Red Hat Security Advisory 2023-3361-01 - The gnutls packages provide the GNU Transport Layer Security library, which implements cryptographic algorithms and protocols such as SSL, TLS, and DTLS.
An update for mtr-operator-bundle-container, mtr-operator-container, mtr-web-container, and mtr-web-executor-container is now available for Migration Toolkit for Runtimes 1 on RHEL 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-46877: A flaw was found in Jackson Databind. This issue may allow a malicious user to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization. * CVE-2022-41854: Those using Sn...
Red Hat Security Advisory 2023-3296-01 - Multicluster Engine for Kubernetes 2.2.4 images Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy.
Red Hat Security Advisory 2023-3297-01 - Red Hat Advanced Cluster Management for Kubernetes 2.7.4 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs.
Updated images that fix several bugs are now available for Red Hat OpenShift Data Foundation 4.12.3 on Red Hat Enterprise Linux 8 from Red Hat Container Registry. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-23539: A flaw was found in the jsonwebtoken package. The affected versions of the `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. *...
Secondary Scheduler Operator for Red Hat OpenShift 1.1.1 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After the fix, the reverse proxy sanitizes the query ...
Red Hat OpenShift Container Platform release 4.13.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4235: A flaw was found in go-yaml. This issue occurs due to unbounded alias chasing, where a maliciously crafted YAML file can cause the system to consume significant system resources. If p...
Red Hat Security Advisory 2023-2728-01 - The Red Hat OpenShift Distributed Tracing 2.8 container images have been updated. CVE-2022-41717 was fixed as part of this release. Users of Red Hat OpenShift Distributed Tracing 2.8 container images are advised to upgrade to these updated images, which contain backported patches to correct these security issues, fix these bugs, and add these enhancements.
Red Hat Security Advisory 2023-2107-01 - The Migration Toolkit for Containers (MTC) 1.7.9 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-2098-01 - Multicluster Engine for Kubernetes 2.0.8 images Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy. Issues addressed include a denial of service vulnerability.
Red Hat Advanced Cluster Management for Kubernetes 2.5.8 General Availability release images, which fix bugs and security updates container images. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25881: A flaw was found in http-cache-semantics. When the server reads the cache policy from the request using this library, a Regular Expression Denial of Service occurs, caused by malicious request header values sent to the server.
Red Hat Security Advisory 2023-2083-01 - Red Hat Advanced Cluster Management for Kubernetes 2.6.5 General Availability release images, which fix bugs and security updates container images. Issues addressed include denial of service and server-side request forgery vulnerabilities.
Multicluster Engine for Kubernetes 2.1.6 General Availability release images, which fix bugs and security updates container images. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25881: A flaw was found in http-cache-semantics. When the server reads the cache policy from the request using this library, a Regular Expression Denial of Service occurs, caused by malicious request header values sent to the server.
Migration Toolkit for Applications 6.1.0 release Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3782: A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain or possibly conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect ...
Red Hat Security Advisory 2023-1953-01 - Red Hat OpenShift Logging Subsystem 5.6.5 update. Issues addressed include cross site scripting and denial of service vulnerabilities.
Red Hat Security Advisory 2023-1887-01 - Multicluster Engine for Kubernetes 2.2.3 images Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy. Issues addressed include a denial of service vulnerability.
Updated images that fix several bugs are now available for Red Hat OpenShift Data Foundation 4.11.7 on Red Hat Enterprise Linux 8 from Red Hat Container Registry. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-40186: A flaw was found in HashiCorp Vault and Vault Enterprise, where they could allow a locally authenticated attacker to gain unauthorized access to the system, caused by a flaw in the alias naming schema implementation for mount accessors with shared alias n...
Logging Subsystem 5.6.5 - Red Hat OpenShift. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Related CVEs: * CVE-2023-27539: A denial of service vulnerability was found in rubygem-rack in how it parses headers. A carefully crafted input can cause header parsing to take an unexpected amount of time, possibly resulting in a denial of service. * CVE-2023-28120: A Cross-Site-Scripting vulnerability was found in rubygem ActiveSupport. If the new bytesplice method is called on a SafeBuffer with untrus...
Red Hat Security Advisory 2023-1888-01 - Red Hat Advanced Cluster Management for Kubernetes 2.7.3 images. Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console, with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs. Issues addressed include denial of service and server-side request forgery vulnerabilities.
Red Hat Advanced Cluster Management for Kubernetes 2.7.3 General Availability release images, which fix bugs and include security updates for container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. Related CVEs: * CVE-2022-3841: A Server-Side Request Forgery (SSRF) vulnerability was found in the console API endpoint from Red Hat Advanced Cluster Management for Kubernetes (RHACM). An attacker could take advantage of this as the console API endpoint is missing an authentication check, allowing unauth...
Multicluster Engine for Kubernetes 2.2.3 General Availability release images, which fix bugs and include security updates for container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. Related CVEs: * CVE-2022-25881: A flaw was found in http-cache-semantics. When the server reads the cache policy from the request using this library, a Regular Expression Denial of Service occurs, caused by malicious request header values sent to the server. * CVE-2023-29017: A flaw was found in vm2 where the component...
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through...
An update for gnutls is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Related CVEs: * CVE-2023-0361: A timing side-channel vulnerability was found in RSA ClientKeyExchange messages in GnuTLS. This side-channel may be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption, the attacker would need to send a large amount of specially crafted messages to the v...
Red Hat Security Advisory 2023-1200-01 - The gnutls packages provide the GNU Transport Layer Security library, which implements cryptographic algorithms and protocols such as SSL, TLS, and DTLS.
An update for gnutls is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Related CVEs: * CVE-2023-0361: A timing side-channel vulnerability was found in RSA ClientKeyExchange messages in GnuTLS. This side-channel may be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption, the attacker would need to send a large amount of specially...
Red Hat Security Advisory 2023-1141-01 - The gnutls packages provide the GNU Transport Layer Security library, which implements cryptographic algorithms and protocols such as SSL, TLS, and DTLS.
Ubuntu Security Notice 5901-1 - Hubert Kario discovered that GnuTLS had a timing side-channel when handling certain RSA messages. A remote attacker could possibly use this issue to recover sensitive information.
Debian Linux Security Advisory 5349-1 - Hubert Kario discovered a timing side channel in the RSA decryption implementation of the GNU TLS library.
A timing side-channel in the handling of RSA ClientKeyExchange messages was discovered in GnuTLS. This side-channel can be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption the attacker would need to send a large amount of specially crafted messages to the vulnerable server. By recovering the secret from the ClientKeyExchange message, the attacker would be able to decrypt the application data exchanged over that connection.
GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting a session ticket (a loss of confidentiality in TLS 1.2, and an authentication bypass in TLS 1.3). The earliest affected version is 3.6.4 (2018-09-24) because of an error in a 2018-09-18 commit. Until the first key rotation, the TLS server always uses wrong data in place of an encryption key derived from an application.