Red Hat Security Advisory 2023-7678-03 - Red Hat AMQ Streams 2.6.0 is now available from the Red Hat Customer Portal. Issues addressed include XML injection, bypass, and open redirection vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7678.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Red Hat AMQ Streams 2.6.0 release and security update  
Advisory ID:        RHSA-2023:7678-03  
Product:            Red Hat JBoss AMQ  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7678  
Issue date:         2023-12-07  
Revision:           03  
CVE Names:          CVE-2022-46751  
====================================================================

Summary: 

Red Hat AMQ Streams 2.6.0 is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. 

This release of Red Hat AMQ Streams 2.6.0 serves as a replacement for Red Hat AMQ Streams 2.5.1, and includes security and bug fixes, and enhancements.

Security Fix(es):

* JSON-java: parser confusion leads to OOM (CVE-2023-5072)

* spring-boot: Security Bypass With Wildcard Pattern Matching on Cloud Foundry (CVE-2023-20873)

* zookeeper: Authorization Bypass in Apache ZooKeeper (CVE-2023-44981)

* apache-ivy: XML External Entity vulnerability (CVE-2022-46751)

* guava: insecure temporary directory creation (CVE-2023-2976)

* jose4j: Insecure iteration count setting (CVE-2023-31582)

* bouncycastle: potential blind LDAP injection attack using a self-signed certificate (CVE-2023-33201)

* jetty: Improper validation of HTTP/1 content-length (CVE-2023-40167)

* tomcat: Open Redirect vulnerability in FORM authentication (CVE-2023-41080)

* gradle: Possible local text file exfiltration by XML External entity injection (CVE-2023-42445)

* gradle: Incorrect permission assignment for symlinked files used in copy or archiving operations (CVE-2023-44387)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

CVEs:

CVE-2022-46751

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.amq.streams&version=2.6.0  
https://bugzilla.redhat.com/show_bug.cgi?id=2215229  
https://bugzilla.redhat.com/show_bug.cgi?id=2215465  
https://bugzilla.redhat.com/show_bug.cgi?id=2231491  
https://bugzilla.redhat.com/show_bug.cgi?id=2233112  
https://bugzilla.redhat.com/show_bug.cgi?id=2235370  
https://bugzilla.redhat.com/show_bug.cgi?id=2239634  
https://bugzilla.redhat.com/show_bug.cgi?id=2242485  
https://bugzilla.redhat.com/show_bug.cgi?id=2242538  
https://bugzilla.redhat.com/show_bug.cgi?id=2243436  
https://bugzilla.redhat.com/show_bug.cgi?id=2246370  
https://bugzilla.redhat.com/show_bug.cgi?id=2246417

Red Hat Security Advisory 2023-7678-03

Red Hat Security Advisory 2023-7676-03 - An update for Red Hat Data Grid 8 is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section. Issues addressed include a man-in-the-middle vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7676.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat Data Grid 8.4.6 security updateAdvisory ID:        RHSA-2023:7676-03Product:            Red Hat JBoss Data GridAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7676Issue date:         2023-12-06Revision:           03CVE Names:          CVE-2023-4586====================================================================Summary: An update for Red Hat Data Grid 8 is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically improving performance while providing availability, reliability, and elastic scale. Data Grid 8.4.6 replaces Data Grid 8.4.5 and includes bug fixes and enhancements. Find out more about Data Grid 8.4.6 in the Release Notes[3].Security Fix(es):* infinispan: Credentials returned from configuration as clear text [jdg-8] (CVE-2023-5384)* hotrod-client: Hot Rod client does not enable hostname validation when using TLS that lead to a MITM attack [jdg-8] (CVE-2023-4586)* jose4j: Insecure iteration count setting [jdg-8] (CVE-2023-31582)A Red Hat Security Bulletin which addresses further details about this flaw is available in the References section.For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-4586References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2235564https://bugzilla.redhat.com/show_bug.cgi?id=2242156https://bugzilla.redhat.com/show_bug.cgi?id=2246370

Red Hat Security Advisory 2023-7676-03

Red Hat Security Advisory 2023-7672-03 - Red Hat OpenShift Virtualization release 4.14.1 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7672.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: OpenShift Virtualization 4.14.1 RPMs security and bug fix update  
Advisory ID:        RHSA-2023:7672-03  
Product:            OpenShift Virtualization  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7672  
Issue date:         2023-12-06  
Revision:           03  
CVE Names:          CVE-2022-41724  
====================================================================

Summary: 

Red Hat OpenShift Virtualization release 4.14.1 is now available with updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform.

This advisory contains OpenShift Virtualization 4.14.1 RPMs.

Security Fix(es):

* golang: crypto/tls: large handshake records may cause panics (CVE-2022-41724)

* golang: net/http, mime/multipart: denial of service from excessive resource consumption (CVE-2022-41725)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* 4.14.1 rpms (BZ#2251685)

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2022-41724

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2178488  
https://bugzilla.redhat.com/show_bug.cgi?id=2178492  
https://bugzilla.redhat.com/show_bug.cgi?id=2251685

Red Hat Security Advisory 2023-7672-03

Red Hat Security Advisory 2023-7670-03 - Migration Toolkit for Runtimes 1.2.3 release.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7670.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: Migration Toolkit for Runtimes bug fix, enhancement and security updateAdvisory ID:        RHSA-2023:7670-03Product:            Migration Toolkit for RuntimesAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7670Issue date:         2023-12-06Revision:           03CVE Names:          CVE-2023-1436====================================================================Summary: Migration Toolkit for Runtimes 1.2.3 releaseRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Migration Toolkit for Runtimes 1.2.3 ImagesSecurity Fix(es):* jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-1436References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2182788

Red Hat Security Advisory 2023-7670-03

Red Hat Security Advisory 2023-7669-03 - New Red Hat build of Cryostat 2.4.0 on RHEL 8 container images are now available.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7669.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: Red Hat build of Cryostat 2.4.0: new RHEL 8 container images  
Advisory ID:        RHSA-2023:7669-03  
Product:            Cryostat  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7669  
Issue date:         2023-12-07  
Revision:           03  
CVE Names:          CVE-2023-24815  
====================================================================

Summary: 

New Red Hat build of Cryostat 2.4.0 on RHEL 8 container images are now available

Description:

New Red Hat build of Cryostat 2.4.0 on RHEL 8 container images have been released, adding a variety of features and bug fixes.

Users of the Red Hat build of Cryostat 2.3.1 on RHEL 8 container images are advised to upgrade to these updated images, which contain backported patches to fix these bugs and add these enhancements. Users of these images are also encouraged to rebuild all container images that depend on these images.

Security Fix(es):

* vertx-web: StaticHandler disclosure of classpath resources on Windows when mounted on a wildcard route (CVE-2023-24815)

* bouncycastle: potential blind LDAP injection attack using a self-signed certificate (CVE-2023-33201)

* netty: SniHandler 16MB allocation leads to OOM (CVE-2023-34462)

You can find images updated by this advisory in Red Hat Container Catalog (see References).

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-24815

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2209400  
https://bugzilla.redhat.com/show_bug.cgi?id=2215465  
https://bugzilla.redhat.com/show_bug.cgi?id=2216888  
https://issues.redhat.com/browse/JAVAMON-236  
https://issues.redhat.com/browse/JAVAMON-241  
https://issues.redhat.com/browse/JAVAMON-243  
https://issues.redhat.com/browse/JAVAMON-313  
https://issues.redhat.com/browse/JAVAMON-319

Red Hat Security Advisory 2023-7669-03

Red Hat Security Advisory 2023-7668-03 - An update for the squid:4 module is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7668.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: squid:4 security updateAdvisory ID:        RHSA-2023:7668-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7668Issue date:         2023-12-06Revision:           03CVE Names:          CVE-2023-5824====================================================================Summary: An update for the squid:4 module is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects.Security Fix(es):* squid: DoS against HTTP and HTTPS (CVE-2023-5824)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-5824References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/security/updates/classification#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2245914

Red Hat Security Advisory 2023-7668-03

Red Hat Security Advisory 2023-7667-03 - An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions. Issues addressed include integer overflow and remote SQL injection vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7667.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: postgresql:12 security update  
Advisory ID:        RHSA-2023:7667-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7667  
Issue date:         2023-12-06  
Revision:           03  
CVE Names:          CVE-2022-2625  
====================================================================

Summary: 

An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

PostgreSQL is an advanced object-relational database management system (DBMS).

Security Fix(es):

* postgresql: schema_element defeats protective search_path changes (CVE-2023-2454)

* postgresql: Buffer overrun from integer overflow in array modification (CVE-2023-5869)

* postgresql: Extension scripts replace objects not belonging to the extension. (CVE-2022-2625)

* postgresql: row security policies disregard user ID changes after inlining. (CVE-2023-2455)

* postgresql: Memory disclosure in aggregate function calls (CVE-2023-5868)

* postgresql: extension script @substitutions@ within quoting allow SQL injection (CVE-2023-39417)

* postgresql: Client memory disclosure when connecting with Kerberos to modified server (CVE-2022-41862)

* postgresql: Role pg_signal_backend can signal certain superuser processes. (CVE-2023-5870)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2022-2625

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2113825  
https://bugzilla.redhat.com/show_bug.cgi?id=2165722  
https://bugzilla.redhat.com/show_bug.cgi?id=2207568  
https://bugzilla.redhat.com/show_bug.cgi?id=2207569  
https://bugzilla.redhat.com/show_bug.cgi?id=2228111  
https://bugzilla.redhat.com/show_bug.cgi?id=2247168  
https://bugzilla.redhat.com/show_bug.cgi?id=2247169  
https://bugzilla.redhat.com/show_bug.cgi?id=2247170

Red Hat Security Advisory 2023-7667-03

Red Hat Security Advisory 2023-7666-03 - An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include integer overflow and remote SQL injection vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7666.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: postgresql:12 security update  
Advisory ID:        RHSA-2023:7666-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7666  
Issue date:         2023-12-06  
Revision:           03  
CVE Names:          CVE-2022-41862  
====================================================================

Summary: 

An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

PostgreSQL is an advanced object-relational database management system (DBMS).

Security Fix(es):

* postgresql: schema_element defeats protective search_path changes (CVE-2023-2454)

* postgresql: Buffer overrun from integer overflow in array modification (CVE-2023-5869)

* postgresql: row security policies disregard user ID changes after inlining. (CVE-2023-2455)

* postgresql: Memory disclosure in aggregate function calls (CVE-2023-5868)

* postgresql: extension script @substitutions@ within quoting allow SQL injection (CVE-2023-39417)

* postgresql: Client memory disclosure when connecting with Kerberos to modified server (CVE-2022-41862)

* postgresql: Role pg_signal_backend can signal certain superuser processes. (CVE-2023-5870)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2022-41862

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2165722  
https://bugzilla.redhat.com/show_bug.cgi?id=2207568  
https://bugzilla.redhat.com/show_bug.cgi?id=2207569  
https://bugzilla.redhat.com/show_bug.cgi?id=2228111  
https://bugzilla.redhat.com/show_bug.cgi?id=2247168  
https://bugzilla.redhat.com/show_bug.cgi?id=2247169  
https://bugzilla.redhat.com/show_bug.cgi?id=2247170

Red Hat Security Advisory 2023-7666-03

Red Hat Security Advisory 2023-7665-03 - An update for linux-firmware is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Issues addressed include an information leakage vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7665.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: linux-firmware security updateAdvisory ID:        RHSA-2023:7665-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7665Issue date:         2023-12-06Revision:           03CVE Names:          CVE-2023-20593====================================================================Summary: An update for linux-firmware is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The linux-firmware packages contain all of the firmware files that are required by various devices to operate.Security Fix(es):* hw: amd: Cross-Process Information Leak (CVE-2023-20593)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-20593References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2217845

Red Hat Security Advisory 2023-7665-03

Red Hat Security Advisory 2023-7610-03 - Red Hat OpenShift Container Platform release 4.12.45 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7610.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.12.45 packages and security update  
Advisory ID:        RHSA-2023:7610-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7610  
Issue date:         2023-12-06  
Revision:           03  
CVE Names:          CVE-2023-44487  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.12.45 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.12.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.12.45. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHSA-2023:7608

Security Fix(es):

* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

* python-werkzeug: high resource consumption leading to denial of service (CVE-2023-46136)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.12 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.12/updating/updating-cluster-cli.html

Solution:

https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html

CVEs:

CVE-2023-44487

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003  
https://bugzilla.redhat.com/show_bug.cgi?id=2242803  
https://bugzilla.redhat.com/show_bug.cgi?id=2243296  
https://bugzilla.redhat.com/show_bug.cgi?id=2246310

Source

Packet Storm