Red Hat Security Advisory 2024-1555-03 - An update for.NET 6.0 is now available for Red Hat Enterprise Linux 9. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1555.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: .NET 6.0 security updateAdvisory ID:        RHSA-2024:1555-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1555Issue date:         2024-03-28Revision:           03CVE Names:          CVE-2024-21404====================================================================Summary: An update for .NET 6.0 is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 6.0.127 and .NET Runtime 6.0.27.Security Fix(es):* dotnet: Denial of Service in X509Certificate2 (CVE-2024-21404)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-21404References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2263086

Red Hat Security Advisory 2024-1555-03

Red Hat Security Advisory 2024-1554-03 - An update for.NET 6.0 is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1554.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: .NET 6.0 security updateAdvisory ID:        RHSA-2024:1554-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1554Issue date:         2024-03-28Revision:           03CVE Names:          CVE-2024-21404====================================================================Summary: An update for .NET 6.0 is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 6.0.127 and .NET Runtime 6.0.27.Security Fix(es):* dotnet: Denial of Service in X509Certificate2 (CVE-2024-21404)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-21404References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2263086

Red Hat Security Advisory 2024-1554-03

Red Hat Security Advisory 2024-1553-03 - An update for.NET 6.0 is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1553.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: .NET 6.0 security updateAdvisory ID:        RHSA-2024:1553-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1553Issue date:         2024-03-28Revision:           03CVE Names:          CVE-2024-21404====================================================================Summary: An update for .NET 6.0 is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 6.0.127 and .NET Runtime 6.0.27.Security Fix(es):* dotnet: Denial of Service in X509Certificate2 (CVE-2024-21404)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-21404References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2263086

Red Hat Security Advisory 2024-1553-03

Red Hat Security Advisory 2024-1552-03 - An update for.NET 6.0 is now available for Red Hat Enterprise Linux 9. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1552.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: .NET 6.0 security updateAdvisory ID:        RHSA-2024:1552-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1552Issue date:         2024-03-28Revision:           03CVE Names:          CVE-2024-21404====================================================================Summary: An update for .NET 6.0 is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 6.0.127 and .NET Runtime 6.0.27.Security Fix(es):* dotnet: Denial of Service in X509Certificate2 (CVE-2024-21404)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-21404References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2263086

Red Hat Security Advisory 2024-1552-03

Ubuntu Security Notice 6686-5 - It was discovered that the DesignWare USB3 for Qualcomm SoCs driver in the Linux kernel did not properly handle certain error conditions during device registration. A local attacker could possibly use this to cause a denial of service. It was discovered that a race condition existed in the Cypress touchscreen driver in the Linux kernel during device removal, leading to a use-after- free vulnerability. A physically proximate attacker could use this to cause a denial of service or possibly execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-6686-5  
March 27, 2024

linux-intel-iotg, linux-intel-iotg-5.15 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-intel-iotg: Linux kernel for Intel IoT platforms  
- linux-intel-iotg-5.15: Linux kernel for Intel IoT platforms

Details:

It was discovered that the DesignWare USB3 for Qualcomm SoCs driver in the  
Linux kernel did not properly handle certain error conditions during device  
registration. A local attacker could possibly use this to cause a denial of  
service (system crash). (CVE-2023-22995)

It was discovered that a race condition existed in the Cypress touchscreen  
driver in the Linux kernel during device removal, leading to a use-after-  
free vulnerability. A physically proximate attacker could use this to cause  
a denial of service (system crash) or possibly execute arbitrary code.  
(CVE-2023-4134)

黄思聪 discovered that the NFC Controller Interface (NCI) implementation in  
the Linux kernel did not properly handle certain memory allocation failure  
conditions, leading to a null pointer dereference vulnerability. A local  
attacker could use this to cause a denial of service (system crash).  
(CVE-2023-46343)

It was discovered that the io_uring subsystem in the Linux kernel contained  
a race condition, leading to a null pointer dereference vulnerability. A  
local attacker could use this to cause a denial of service (system crash).  
(CVE-2023-46862)

It was discovered that a race condition existed in the Bluetooth subsystem  
of the Linux kernel, leading to a use-after-free vulnerability. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2023-51779)

It was discovered that a race condition existed in the Rose X.25 protocol  
implementation in the Linux kernel, leading to a use-after- free  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2023-51782)

Alon Zahavi discovered that the NVMe-oF/TCP subsystem of the Linux kernel  
did not properly handle connect command payloads in certain situations,  
leading to an out-of-bounds read vulnerability. A remote attacker could use  
this to expose sensitive information (kernel memory). (CVE-2023-6121)

It was discovered that the VirtIO subsystem in the Linux kernel did not  
properly initialize memory in some situations. A local attacker could use  
this to possibly expose sensitive information (kernel memory).  
(CVE-2024-0340)

Dan Carpenter discovered that the netfilter subsystem in the Linux kernel  
did not store data in properly sized memory locations. A local user could  
use this to cause a denial of service (system crash). (CVE-2024-0607)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
   linux-image-5.15.0-1050-intel-iotg  5.15.0-1050.56  
   linux-image-intel-iotg          5.15.0.1050.50

Ubuntu 20.04 LTS:  
   linux-image-5.15.0-1050-intel-iotg  5.15.0-1050.56~20.04.1  
   linux-image-intel               5.15.0.1050.56~20.04.40  
   linux-image-intel-iotg          5.15.0.1050.56~20.04.40

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6686-5  
   https://ubuntu.com/security/notices/USN-6686-1  
   CVE-2023-22995, CVE-2023-4134, CVE-2023-46343, CVE-2023-46862,  
   CVE-2023-51779, CVE-2023-51782, CVE-2023-6121, CVE-2024-0340,  
   CVE-2024-0607

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-intel-iotg/5.15.0-1050.56

 https://launchpad.net/ubuntu/+source/linux-intel-iotg-5.15/5.15.0-1050.56~20.04.1

Ubuntu Security Notice USN-6686-5

Multiple university departments linked to the Clinical School Computing Service have been inaccessible for a month. The university has not revealed the nature of the “malicious activity.”

The University of Cambridge is constantly ranked among the world’s top universities, with its medical school and vast research facilities among the very best. But for the past month, staff at the prestigious medical school have had work hampered following “malicious activity” on its computer network.

An emailed “staff notice” seen by WIRED, believed to have been sent at the end of February, alerted staff to the disruption and said the university was working to get systems back online as soon as possible. However, weeks later, the incident is still ongoing, and little information has been made public about the nature of the incident.

“IT services provided by the Clinical School Computing Service (CSCS) have been disrupted by malicious activity,” the email reviewed by WIRED says. “We appreciate that some staff and students are experiencing significant disruption to their work and studies, and we are grateful for their patience and understanding.”

The University has confirmed to WIRED that its systems have been impacted, that some services have been voluntarily taken offline, and that while it has “contained” the incident, the disruption is ongoing and its investigations will likely take some time to complete. No data has been taken, it says. The UK’s national cybersecurity body and the country’s data regulator are also looking into the events.

The email message sent to staff last month said a “Critical Incident Management Team” has been set up to handle the response. At the time the message was sent, the email said, there was no access to the local IT network and Wi-Fi, and wired internet access had been turned off in impacted buildings, with the Wi-Fi set to be turned on again that same day.

The CSCS provides IT support to staff and researchers in the university’s School of Clinical Medicine. An archived version of its website says there are more than 5,800 devices on its network, and the team provides computers and servers to staff. The email seen by WIRED says that the CSCS also serves the Department of Zoology, Sainsbury Laboratory, which researches plant life; the Stem Cell Institute; and Milner Institute of the School of Biological Sciences, which researches emerging therapies. All have been impacted.

A University of Cambridge spokesperson confirmed the incident to WIRED, saying that “malicious activity” was found on the Clinical School Computing Service last month. “We took immediate action to contain the incident including voluntarily taking some systems offline,” the spokesperson said in a statement. “As a result, there is ongoing interruption to some services.”

It is not clear what the “malicious activity” entails or whether the activity is an attack by criminal hackers or an incident of a different nature. Multiple staff members at university departments did not respond to questions sent by WIRED about whether their work or research had been disrupted, or they directed questions to the press office as they are not authorized to speak about the incident.

The university spokesperson did not describe the nature of the problem; however, they said a business continuity plan has been implemented to minimize disruption, and all of the other university and college IT systems are working as normal and are not impacted. “This will likely take some time to complete,” the spokesperson said of its ongoing investigation. “Investigations have found no evidence that data has been taken or transferred without authorization. We have also received third-party assurance that the incident is contained.” They say the situation has moved on since the email seen by WIRED was sent, and it is not possible to characterize the level of disruption across all departments.

While little is known about the current “malicious activity,” the University of Cambridge was among a number of academic institutions, including the University of Manchester, hit by a distributed denial-of-service attack on February 19. Hacktivist group Anonymous Sudan claimed responsibility for the DDoS incident—it is unclear whether the ongoing outage is linked in any way. The day after the DDoS, the Clinical School Computing Service posted on X that the disruption to the network appeared to be “largely over,” and a university spokesperson said that normal service “should now be restored” for centrally managed IT services.

The UK’s data regulator, the Information Commissioner’s Office, tells WIRED that the University of Cambridge had made it aware of an incident and that the regulator is “making enquiries.” Meanwhile, a spokesperson for the UK’s National Cybersecurity Center says it is “working with the University of Cambridge to fully understand the impact of an incident.”

The university’s status page for IT issues lists the vast majority of services as being online, with replacements taking place for some routers on its wireless networks. However, at the time of writing, the website for the medical school displays only basic contact information, and the CSCS website appears to be offline and inaccessible. A newsletter from the Stem Cell Institute, sent on February 27, acknowledged there had been “some IT issues on campus” and that it was postponing a seminar as a result. More recent newsletters from the Institute do not reference the issues.

The email sent to staff and seen by WIRED recommended people follow best security practices, including using multifactor authentication for accounts and using strong passwords, and advised that people change their passwords immediately if they receive a notice saying someone else has logged in to their account from another device.

‘Malicious Activity’ Hits the University of Cambridge’s Medical School

Ubuntu Security Notice 6718-1 - Dan Fandrich discovered that curl would incorrectly use the default set of protocols when a parameter option disabled all protocols without adding any, contrary to expectations. This issue only affected Ubuntu 23.10. It was discovered that curl incorrectly handled memory when limiting the amount of headers when HTTP/2 server push is allowed. A remote attacker could possibly use this issue to cause curl to consume resources, leading to a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6718-1  
March 27, 2024

curl vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in curl.

Software Description:  
- curl: HTTP, HTTPS, and FTP client and client libraries

Details:

Dan Fandrich discovered that curl would incorrectly use the default set of  
protocols when a parameter option disabled all protocols without adding  
any, contrary to expectations. This issue only affected Ubuntu 23.10.  
(CVE-2024-2004)

It was discovered that curl incorrectly handled memory when limiting the  
amount of headers when HTTP/2 server push is allowed. A remote attacker  
could possibly use this issue to cause curl to consume resources, leading  
to a denial of service. (CVE-2024-2398)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.10:  
   curl                            8.2.1-1ubuntu3.3  
   libcurl3-gnutls                 8.2.1-1ubuntu3.3  
   libcurl3-nss                    8.2.1-1ubuntu3.3  
   libcurl4                        8.2.1-1ubuntu3.3

Ubuntu 22.04 LTS:  
   curl                            7.81.0-1ubuntu1.16  
   libcurl3-gnutls                 7.81.0-1ubuntu1.16  
   libcurl3-nss                    7.81.0-1ubuntu1.16  
   libcurl4                        7.81.0-1ubuntu1.16

Ubuntu 20.04 LTS:  
   curl                            7.68.0-1ubuntu2.22  
   libcurl3-gnutls                 7.68.0-1ubuntu2.22  
   libcurl3-nss                    7.68.0-1ubuntu2.22  
   libcurl4                        7.68.0-1ubuntu2.22

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6718-1  
   CVE-2024-2004, CVE-2024-2398

Package Information:  
   https://launchpad.net/ubuntu/+source/curl/8.2.1-1ubuntu3.3  
   https://launchpad.net/ubuntu/+source/curl/7.81.0-1ubuntu1.16  
   https://launchpad.net/ubuntu/+source/curl/7.68.0-1ubuntu2.22

Ubuntu Security Notice USN-6718-1

Red Hat Security Advisory 2024-1530-03 - An update for expat is now available for Red Hat Enterprise Linux 9. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1530.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: expat security update  
Advisory ID:        RHSA-2024:1530-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1530  
Issue date:         2024-03-26  
Revision:           03  
CVE Names:          CVE-2023-52425  
====================================================================

Summary: 

An update for expat is now available for Red Hat Enterprise Linux 9.

'Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Expat is a C library for parsing XML documents.

Security Fix(es):

* expat: parsing large tokens can trigger a denial of service (CVE-2023-52425)

* expat: XML Entity Expansion (CVE-2024-28757)

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-52425

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.3_release_notes/index  
https://bugzilla.redhat.com/show_bug.cgi?id=2262877  
https://bugzilla.redhat.com/show_bug.cgi?id=2268766

Red Hat Security Advisory 2024-1530-03

Red Hat Security Advisory 2024-1515-03 - An update for squid is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1515.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: squid security and bug fix updateAdvisory ID:        RHSA-2024:1515-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1515Issue date:         2024-03-26Revision:           03CVE Names:          CVE-2024-25111====================================================================Summary: An update for squid is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Squid is a high-performance proxy caching server for web clients, supporting FTP and HTTP data objects.Security Fix(es):* squid: Denial of Service in HTTP Chunked Decoding (CVE-2024-25111)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-25111References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2268366

Red Hat Security Advisory 2024-1515-03

Red Hat Security Advisory 2024-1458-03 - Red Hat OpenShift Container Platform release 4.14.18 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1458.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.14.18 bug fix and security update  
Advisory ID:        RHSA-2024:1458-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1458  
Issue date:         2024-03-27  
Revision:           03  
CVE Names:          CVE-2023-39325  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.14.18 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.14.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.14.18. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHSA-2024:1461

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

Security Fix(es):

* golang: net/http, x/net/http2: rapid stream resets can cause excessive  
work (CVE-2023-44487) (CVE-2023-39325)  
* opentelemetry-go-contrib: DoS vulnerability in otelgrpc due to unbound  
cardinality metrics (CVE-2023-47108)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.14 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.14/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

CVEs:

CVE-2023-39325

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003  
https://bugzilla.redhat.com/show_bug.cgi?id=2243296  
https://bugzilla.redhat.com/show_bug.cgi?id=2251198  
https://issues.redhat.com/browse/OCPBUGS-10795  
https://issues.redhat.com/browse/OCPBUGS-18640  
https://issues.redhat.com/browse/OCPBUGS-23205  
https://issues.redhat.com/browse/OCPBUGS-29237  
https://issues.redhat.com/browse/OCPBUGS-30027  
https://issues.redhat.com/browse/OCPBUGS-30878  
https://issues.redhat.com/browse/OCPBUGS-30980

Tag

#dos