Red Hat Security Advisory 2024-3483-03 - An update is now available for Red Hat Ansible Automation Platform 2.4. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3483.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: Red Hat Ansible Automation Platform 2.4 Container Security and Bug Fix UpdateAdvisory ID:        RHSA-2024:3483-03Product:            Red Hat Ansible Automation PlatformAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:3483Issue date:         2024-05-30Revision:           03CVE Names:          CVE-2023-29483====================================================================Summary: An update is now available for Red Hat Ansible Automation Platform 2.4Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.Security Fix(es):* ee-supported: dnspython: denial of service in stub resolver (CVE-2023-29483)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Other fixes and updates:* Hub backup secret is not successfully included in operator backups (AAP-23602)* Fixes support for automation hub content signing (AAP-9739)Solution:CVEs:CVE-2023-29483References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2274520

Red Hat Security Advisory 2024-3483-03

Red Hat Security Advisory 2024-3479-03 - Updated container images are now available for director Operator for Red Hat OpenStack Platform 16.2 for RHEL 8.4. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3479.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Red Hat OpenStack Platform 16.2 director Operator container images security update  
Advisory ID:        RHSA-2024:3479-03  
Product:            Red Hat OpenStack Platform  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:3479  
Issue date:         2024-05-30  
Revision:           03  
CVE Names:          CVE-2023-37788  
====================================================================

Summary: 

Updated container images are now available for director Operator for Red Hat OpenStack Platform 16.2 (Train) for RHEL 8.4.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenStack Platform provides the facilities for building, deploying and monitoring a private or public infrastructure-as-a-service (IaaS) cloud running on commonly available physical hardware.

The Red Hat OpenStack Platform (RHOSP) director Operator adds the ability to install and run a RHOSP cloud within OpenShift Container Platform (OCP).

Security Fix(es):

* golang: net/http/internal: Denial of Service (DoS) via Resource Consumption  
via HTTP requests (CVE-2023-39326)

* golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS (CVE-2023-45288)

* golang: x/crypto/ssh: Prefix truncation attack on Binary Packet Protocol (BPP) (CVE-2023-48795)

* goproxy: Denial of service (DoS) via unspecified vectors (CVE-2023-37788)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page listed in the References section.

Solution:

CVEs:

CVE-2023-37788

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2224245  
https://bugzilla.redhat.com/show_bug.cgi?id=2253330  
https://bugzilla.redhat.com/show_bug.cgi?id=2254210  
https://bugzilla.redhat.com/show_bug.cgi?id=2268273

Red Hat Security Advisory 2024-3479-03

Red Hat Security Advisory 2024-3475-03 - An update is now available for Red Hat OpenShift GitOps v1.11.5 to address the CVE-2024-31989, Unprivileged pod in a different namespace on the same cluster could connect to the Redis server on port 6379. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3475.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Errata Advisory for Red Hat OpenShift GitOps v1.11.5 security updateAdvisory ID:        RHSA-2024:3475-03Product:            Red Hat OpenShift GitOpsAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:3475Issue date:         2024-05-30Revision:           03CVE Names:          CVE-2024-31989====================================================================Summary: An update is now available for Red Hat OpenShift GitOps v1.11.5 to address the CVE-2024-31989, Unprivileged pod in a different namespace on the same cluster could connect to the Redis server on port 6379. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Errata Advisory for Red Hat OpenShift GitOps v1.11.5Security Fix(es):* CVE-2024-31989 argocd: An update is now available for Red Hat OpenShift GitOps v1.11.5 to address the CVE-2024-31989, unprivileged pod in a different namespace on the same cluster could connect to the Redis server on port 6379.For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-31989References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2280218

Red Hat Security Advisory 2024-3475-03

Red Hat Security Advisory 2024-3473-03 - Red Hat OpenShift Virtualization release 4.14.6 is now available with updates to packages and images that fix several bugs and add enhancements.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3473.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: OpenShift Virtualization 4.14.6 Images security updateAdvisory ID:        RHSA-2024:3473-03Product:            OpenShift VirtualizationAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:3473Issue date:         2024-05-30Revision:           03CVE Names:          CVE-2023-45857====================================================================Summary: Red Hat OpenShift Virtualization release 4.14.6 is now available with updates to packages and images that fix several bugs and add enhancements.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.Description:OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform.This advisory contains OpenShift Virtualization 4.14.6 images.Security Fix(es):* axios: exposure of confidential data stored in cookies (CVE-2023-45857)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVEpage(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-45857References:https://access.redhat.com/security/updates/classification/#moderatehttps://access.redhat.com/security/cve/CVE-2023-45857https://bugzilla.redhat.com/show_bug.cgi?id=2248979https://issues.redhat.com/browse/CNV-36026https://issues.redhat.com/browse/CNV-39569

Red Hat Security Advisory 2024-3473-03

Red Hat Security Advisory 2024-3472-03 - An update for rh-nodejs14-nodejs is now available for Red Hat Software Collections. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3472.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: rh-nodejs14 security updateAdvisory ID:        RHSA-2024:3472-03Product:            Red Hat Software CollectionsAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:3472Issue date:         2024-05-30Revision:           03CVE Names:          CVE-2024-27983====================================================================Summary: An update for rh-nodejs14-nodejs is now available for Red Hat Software Collections.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fix(es):* rh-nodejs14-nodejs: CONTINUATION frames DoS (CVE-2024-27983)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-27983References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2272764

Red Hat Security Advisory 2024-3472-03

Red Hat Security Advisory 2024-3467-03 - An update for etcd is now available for Red Hat OpenStack Platform 16.1 on Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3467.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Red Hat OpenStack Platform 16.1 (etcd) security update  
Advisory ID:        RHSA-2024:3467-03  
Product:            Red Hat OpenStack Platform  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:3467  
Issue date:         2024-05-30  
Revision:           03  
CVE Names:          CVE-2023-39318  
====================================================================

Summary: 

An update for etcd is now available for Red Hat OpenStack Platform 16.1  
(Train) on Red Hat Enterprise Linux (RHEL) 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

Description:

A highly-available key value store for shared configuration

Security Fix(es):

* Incomplete fix for CVE-2023-39325/CVE-2023-44487 in OpenStack Platform  
(CVE-2024-4438)

* Incomplete fix for CVE-2021-44716 in OpenStack Platform (CVE-2024-4437)

* Incomplete fix for CVE-2022-41723 in OpenStack Platform (CVE-2024-4436)

* golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS (CVE-2023-45288)

* golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests (CVE-2023-39326)

* golang: crypto/tls: lack of a limit on buffered post-handshake (CVE-2023-39322)

* golang: crypto/tls: panic when processing post-handshake message on QUIC connections (CVE-2023-39321)

* golang: html/template: improper handling of special tags within script contexts (CVE-2023-39319)

* golang: html/template: improper handling of HTML-like comments within script contexts (CVE-2023-39318

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-39318

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2237773  
https://bugzilla.redhat.com/show_bug.cgi?id=2237776  
https://bugzilla.redhat.com/show_bug.cgi?id=2237777  
https://bugzilla.redhat.com/show_bug.cgi?id=2237778  
https://bugzilla.redhat.com/show_bug.cgi?id=2253330  
https://bugzilla.redhat.com/show_bug.cgi?id=2268273  
https://bugzilla.redhat.com/show_bug.cgi?id=2279357  
https://bugzilla.redhat.com/show_bug.cgi?id=2279361  
https://bugzilla.redhat.com/show_bug.cgi?id=2279365

Red Hat Security Advisory 2024-3467-03

Red Hat Security Advisory 2024-3466-03 - An update for the python39:3.9 and python39-devel:3.9 modules is now available for Red Hat Enterprise Linux 8. Issues addressed include denial of service and traversal vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3466.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: python39:3.9 and python39-devel:3.9 security updateAdvisory ID:        RHSA-2024:3466-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:3466Issue date:         2024-05-30Revision:           03CVE Names:          CVE-2023-6597====================================================================Summary: An update for the python39:3.9 and python39-devel:3.9 modules is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact ofImportant. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.Security Fix(es):* python39:3.9/python39: python: Path traversal on tempfile.TemporaryDirectory (CVE-2023-6597)* python39:3.9/python39: python: The zipfile module is vulnerable to zip-bombs leading to denial of service (CVE-2024-0450)* python39:3.9/python-idna: potential DoS via resource consumption via specially crafted inputs to idna.encode() (CVE-2024-3651)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-6597References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2274779https://bugzilla.redhat.com/show_bug.cgi?id=2276518https://bugzilla.redhat.com/show_bug.cgi?id=2276525

Red Hat Security Advisory 2024-3466-03

Red Hat Security Advisory 2024-3351-03 - Red Hat OpenShift Container Platform release 4.12.58 is now available with updates to packages and images that fix several bugs and add enhancements.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3351.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: OpenShift Container Platform 4.12.58 security update  
Advisory ID:        RHSA-2024:3351-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:3351  
Issue date:         2024-05-30  
Revision:           03  
CVE Names:          CVE-2024-28180  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.12.58 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.12.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.12.58. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHSA-2024:3349

Security Fix(es):

* jose-go: improper handling of highly compressed data (CVE-2024-28180)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.12 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.12/updating/updating-cluster-cli.html

Solution:

https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html

CVEs:

CVE-2024-28180

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2268854

Red Hat Security Advisory 2024-3351-03

Red Hat Security Advisory 2024-3331-03 - Red Hat OpenShift Container Platform release 4.14.27 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include HTTP request smuggling and denial of service vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3331.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.14.27 bug fix and security update  
Advisory ID:        RHSA-2024:3331-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:3331  
Issue date:         2024-05-30  
Revision:           03  
CVE Names:          CVE-2023-45288  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.14.27 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.14.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.14.27. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHBA-2024:3335

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.14/release_notes/ocp-4-14-release-notes.html

Security Fix(es):

* golang: net/http, x/net/http2: unlimited number of CONTINUATION frames  
causes DoS (CVE-2023-45288)  
* python-gunicorn: HTTP Request Smuggling due to improper validation of  
Transfer-Encoding headers (CVE-2024-1135)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.14 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.14/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

CVEs:

CVE-2023-45288

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2268273  
https://bugzilla.redhat.com/show_bug.cgi?id=2275280  
https://issues.redhat.com/browse/OCPBUGS-27394  
https://issues.redhat.com/browse/OCPBUGS-28611  
https://issues.redhat.com/browse/OCPBUGS-33537  
https://issues.redhat.com/browse/OCPBUGS-33635  
https://issues.redhat.com/browse/OCPBUGS-33640  
https://issues.redhat.com/browse/OCPBUGS-33798

Red Hat Security Advisory 2024-3331-03

Red Hat Security Advisory 2024-3327-03 - Red Hat OpenShift Container Platform release 4.15.15 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include HTTP request smuggling and denial of service vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3327.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.15.15 security update  
Advisory ID:        RHSA-2024:3327-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:3327  
Issue date:         2024-05-30  
Revision:           03  
CVE Names:          CVE-2023-45288  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.15.15 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.15.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.15.15. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHBA-2024:3332

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.15/release_notes/ocp-4-15-release-notes.html

Security Fix(es):

* golang: net/http, x/net/http2: unlimited number of CONTINUATION frames  
causes DoS (CVE-2023-45288)  
* python-gunicorn: HTTP Request Smuggling due to improper validation of  
Transfer-Encoding headers (CVE-2024-1135)  
* jose-go: improper handling of highly compressed data (CVE-2024-28180)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.  
All OpenShift Container Platform 4.15 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.15/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

CVEs:

CVE-2023-45288

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2268273  
https://bugzilla.redhat.com/show_bug.cgi?id=2268854  
https://bugzilla.redhat.com/show_bug.cgi?id=2275280  
https://issues.redhat.com/browse/OCPBUGS-30020  
https://issues.redhat.com/browse/OCPBUGS-30650  
https://issues.redhat.com/browse/OCPBUGS-31609  
https://issues.redhat.com/browse/OCPBUGS-31863  
https://issues.redhat.com/browse/OCPBUGS-32220  
https://issues.redhat.com/browse/OCPBUGS-32744  
https://issues.redhat.com/browse/OCPBUGS-32972  
https://issues.redhat.com/browse/OCPBUGS-33117  
https://issues.redhat.com/browse/OCPBUGS-33118  
https://issues.redhat.com/browse/OCPBUGS-33166  
https://issues.redhat.com/browse/OCPBUGS-33205  
https://issues.redhat.com/browse/OCPBUGS-33210  
https://issues.redhat.com/browse/OCPBUGS-33454  
https://issues.redhat.com/browse/OCPBUGS-33506  
https://issues.redhat.com/browse/OCPBUGS-33575  
https://issues.redhat.com/browse/OCPBUGS-33604  
https://issues.redhat.com/browse/OCPBUGS-33622  
https://issues.redhat.com/browse/OCPBUGS-33641  
https://issues.redhat.com/browse/OCPBUGS-33672  
https://issues.redhat.com/browse/OCPBUGS-33697  
https://issues.redhat.com/browse/OCPBUGS-33960

Source

Packet Storm