RHSA-2023:3229: Red Hat Security Advisory: openshift-gitops-kam security update
An update for openshift-gitops-kam is now available for Red Hat OpenShift GitOps 1.8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2022-1996: A flaw was found in CORS Filter feature from the go-restful package. When a user inputs a domain which is in AllowedDomains, all domains starting with the same pattern are accepted. This issue could allow an attacker to break the CORS policy by allowing any page to make requests and retrieve data on behalf of users.
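The matching flaw described for CVE-2022-1996, as an added example (a simplified model, not go-restful's code and not part of the advisory): a prefix-style allow-list check beside an exact-origin comparison, plus a helper that reports where the two disagree. The function names, the allow-list entry and the sample origins are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample data: one allowed origin and four Origin header values.
var allowedDomains = []string{"https://app.example.com"}
var sampleOrigins = []string{
	"https://app.example.com", "https://app.example.com.other.test",
	"https://app.example.community", "https://unrelated.example.net",
}

// prefixAllowed models the weak check: any origin starting with an allowed entry passes.
func prefixAllowed(origin string, allowed []string) bool {
	for _, d := range allowed {
		if strings.HasPrefix(origin, d) {
			return true
		}
	}
	return false
}

// exactAllowed accepts only a bare scheme://host[:port] equal to a whole entry (case-insensitive).
func exactAllowed(origin string, allowed []string) bool {
	u, err := url.Parse(origin)
	if err != nil || u.User != nil || u.Path != "" || u.RawQuery != "" || u.Fragment != "" {
		return false
	}
	for _, d := range allowed {
		if strings.EqualFold(u.Scheme+"://"+u.Host, d) {
			return true
		}
	}
	return false
}

// policyGaps lists origins the weak check accepts but the exact check rejects.
func policyGaps(origins, allowed []string) (gaps []string) {
	for _, o := range origins {
		if prefixAllowed(o, allowed) && !exactAllowed(o, allowed) {
			gaps = append(gaps, o)
		}
	}
	return gaps
}

func main() { fmt.Println(policyGaps(sampleOrigins, allowedDomains)) }
```

Running a helper like `policyGaps` over Origin values seen in access logs is one way to check whether a service's CORS allow-list was ever matched more loosely than intended.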
Issued:
2023-05-18
Updated:
2023-05-18
RHSA-2023:3229 - Security Advisory
Synopsis
Important: openshift-gitops-kam security update
Type/Severity
Security Advisory: Important
Topic
An update for openshift-gitops-kam is now available for Red Hat OpenShift GitOps 1.8.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Security Fix(es):
- go-restful: Authorization Bypass Through User-Controlled Key (CVE-2022-1996)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Solution
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
Affected Products
- Red Hat OpenShift GitOps 1.8 x86_64
- Red Hat OpenShift GitOps for IBM Power, little endian 1.8 ppc64le
- Red Hat OpenShift GitOps for IBM Z and LinuxONE 1.8 s390x
- Red Hat OpenShift GitOps for ARM 64 1.8 aarch64
Fixes
- BZ - 2094982 - CVE-2022-1996 go-restful: Authorization Bypass Through User-Controlled Key
References
- https://access.redhat.com/security/updates/classification/#important
- https://docs.openshift.com/container-platform/latest/cicd/gitops/understanding-openshift-gitops.html
Red Hat OpenShift GitOps 1.8
SRPM
x86_64
openshift-gitops-kam-1.8.3-6.el8.x86_64.rpm
SHA-256: 369efff4937416c1ae61eec6de2698e4f76885d3c2579973a51291132867a238
openshift-gitops-kam-redistributable-1.8.3-6.el8.x86_64.rpm
SHA-256: 9e8d27fbf6e95933d6db150876a4723180e724852c9bf0118234780e8f20be32
Red Hat OpenShift GitOps for IBM Power, little endian 1.8
SRPM
ppc64le
openshift-gitops-kam-1.8.3-6.el8.ppc64le.rpm
SHA-256: 3d1036247bedfe13dd97759fc9e4d163bcefa4fdf26d1fbce3f8b011871c653f
Red Hat OpenShift GitOps for IBM Z and LinuxONE 1.8
SRPM
s390x
openshift-gitops-kam-1.8.3-6.el8.s390x.rpm
SHA-256: 7f3879c85894fe9977a70e5e771293d4f1dbe5b480f5b40be57a48df4adc99f9
Red Hat OpenShift GitOps for ARM 64 1.8
SRPM
openshift-gitops-kam-1.8.3-6.el8.src.rpm
SHA-256: a8e3cf29f9519b2321b8933a074b51edb96ceea509181e4f731beaa60db8c161
aarch64
openshift-gitops-kam-1.8.3-6.el8.aarch64.rpm
SHA-256: 434d2f5e2c7b0f947815ee3255c6610b5e5d6f23dd5abd183bc315ec32638c99
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.
Related news
An update for openshift-gitops-kam is now available for Red Hat OpenShift GitOps 1.9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Related CVEs: * CVE-2022-1996: A flaw was found in CORS Filter feature from the go-restful package. When a user inputs a domain which is in AllowedDomains, all domains starting with the same pattern are accepted. This issue could allow an attacker to break the CORS policy by allowing any page to make requests and retrieve data on behalf of users.
Red Hat Security Advisory 2023-0814-01 - The Cryostat 2 on RHEL 8 container images have been updated to fix "CVE-2022-1996 go-restful: Authorization Bypass Through User-Controlled Key" and to address the following security advisory: RHSA-2023:0625. Users of Cryostat 2 on RHEL 8 container images are advised to upgrade to these updated images, which contain backported patches to correct these security issues, fix these bugs and add these enhancements. Users of these images are also encouraged to rebuild all container images that depend on these images. Issues addressed include bypass, code execution, and integer overflow vulnerabilities.
Updated Cryostat 2 on RHEL 8 container images are now available. Related CVEs: * CVE-2022-1996: A flaw was found in CORS Filter feature from the go-restful package. When a user inputs a domain which is in AllowedDomains, all domains starting with the same pattern are accepted. This issue could allow an attacker to break the CORS policy by allowing any page to make requests and retrieve data on behalf of users.
Red Hat OpenShift Virtualization release 4.9.7 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Related CVEs: * CVE-2022-1996: go-restful: Authorization Bypass Through User-Controlled Key
Red Hat Security Advisory 2022-6351-01 - OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. This advisory contains the following OpenShift Virtualization 4.10.5 images: RHEL-8-CNV-4.10. Issues addressed include a bypass vulnerability.
Red Hat OpenShift Virtualization release 4.10.5 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Related CVEs: * CVE-2022-1798: kubeVirt: Arbitrary file read on the host from KubeVirt VMs * CVE-2022-1996: go-restful: Authorization Bypass Through User-Controlled Key
Red Hat Security Advisory 2022-6040-01 - Version 1.24.0 of the OpenShift Serverless Operator is supported on Red Hat OpenShift Container Platform versions 4.6, 4.7, 4.8, 4.9, 4.10, and 4.11. This release includes security and bug fixes, and enhancements. Issues addressed include bypass and denial of service vulnerabilities.
Red Hat Security Advisory 2022-6042-01 - Red Hat OpenShift Serverless Client kn 1.24.0 provides a CLI to interact with Red Hat OpenShift Serverless 1.24.0. The kn CLI is delivered as an RPM package for installation on RHEL platforms, and as binaries for non-Linux platforms. Issues addressed include bypass and denial of service vulnerabilities.
Release of OpenShift Serverless 1.24.0. The References section contains CVE links providing detailed severity ratings for each vulnerability. Ratings are based on a Common Vulnerability Scoring System (CVSS) base score. Related CVEs: * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-1962: golang: go/parser: stack exhaustion in all Parse* functions * CVE-2022-1996: go-restful: Authorization Bypass Through User-Controlled Key * CVE-2022-21698: prometheus/client_golang: Denial of service using InstrumentHandlerCounter * CVE-2022-24675: golang: encoding/pem: fix stack overflow in Decode * CVE-2022-24921: golang: regexp: stack exhaustion via a deeply nested expression * C...
Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3.8.0.