Red Hat Security Advisory 2024-8235-03 - Red Hat OpenShift Container Platform release 4.14.39 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include code execution, denial of service, and out of bounds write vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8235.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.14.39 security update  
Advisory ID:        RHSA-2024:8235-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8235  
Issue date:         2024-10-28  
Revision:           03  
CVE Names:          CVE-2023-29401  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.14.39 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.14.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.14.39. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHSA-2024:8238

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.14/release_notes/ocp-4-14-release-notes.html

Security Fix(es):

* golang: net/http, x/net/http2: unlimited number of CONTINUATION frames  
causes DoS (CVE-2023-45288)  
* glibc: Out of bounds write in iconv may lead to remote code execution  
(CVE-2024-2961)  
* openstack-ironic: Specially crafted image may allow authenticated users  
to gain access to potentially sensitive data (CVE-2024-44082)  
* golang-github-gin-gonic-gin: Gin Web Framework does not properly sanitize  
filename parameter of Context.FileAttachment function (CVE-2023-29401)  
* opentelemetry-go-contrib: DoS vulnerability in otelgrpc due to unbound  
cardinality metrics (CVE-2023-47108)  
* ssh: Prefix truncation attack on Binary Packet Protocol (BPP)  
(CVE-2023-48795)  
* jose-go: improper handling of highly compressed data (CVE-2024-28180)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.  
All OpenShift Container Platform 4.14 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.14/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

CVEs:

CVE-2023-29401

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2216957  
https://bugzilla.redhat.com/show_bug.cgi?id=2251198  
https://bugzilla.redhat.com/show_bug.cgi?id=2254210  
https://bugzilla.redhat.com/show_bug.cgi?id=2268273  
https://bugzilla.redhat.com/show_bug.cgi?id=2268854  
https://bugzilla.redhat.com/show_bug.cgi?id=2273404  
https://bugzilla.redhat.com/show_bug.cgi?id=2309331  
https://issues.redhat.com/browse/OCPBUGS-25727  
https://issues.redhat.com/browse/OCPBUGS-32266  
https://issues.redhat.com/browse/OCPBUGS-37353  
https://issues.redhat.com/browse/OCPBUGS-37552  
https://issues.redhat.com/browse/OCPBUGS-39019  
https://issues.redhat.com/browse/OCPBUGS-41246  
https://issues.redhat.com/browse/OCPBUGS-41836  
https://issues.redhat.com/browse/OCPBUGS-41918  
https://issues.redhat.com/browse/OCPBUGS-42517  
https://issues.redhat.com/browse/OCPBUGS-42518  
https://issues.redhat.com/browse/OCPBUGS-42533  
https://issues.redhat.com/browse/OCPBUGS-42567  
https://issues.redhat.com/browse/OCPBUGS-42603  
https://issues.redhat.com/browse/OCPBUGS-42757  
https://issues.redhat.com/browse/OCPBUGS-42828  
https://issues.redhat.com/browse/OCPBUGS-42986

Red Hat Security Advisory 2024-8235-03

A report distributed by the US Department of Homeland Security warned that financially motivated cybercriminals are more likely to attack US election infrastructure than state-backed hackers.

Russian, Chinese, and Iranian state-backed hackers have been active throughout the 2024 United States campaign season, compromising digital accounts associated with political campaigns, spreading disinformation, and probing election systems. But in a report from early October, the threat-sharing and coordination group known as the Election Infrastructure ISAC warned that cybercriminals like ransomware attackers pose a far greater risk of launching disruptive attacks than foreign espionage actors.

While state-backed actors were emboldened following Russia's meddling in the 2016 US presidential election, the report points out that they favor intelligence-gathering and influence operations rather than disruptive attacks, which would be viewed as direct hostility against the US government. Ideologically and financially motivated actors, on the other hand, generally aim to cause disruption with hacks like ransomware or DDoS attacks.

The document was first obtained by the national security transparency nonprofit Property of the People and viewed by WIRED. The US Department of Homeland Security, which contributed to the report and distributed it, did not return WIRED's requests for comment. The Center for Internet Security, which runs the Election Infrastructure ISAC, declined to comment.

“Since the 2022 midterm elections, financially and ideologically motivated cyber criminals have targeted US state and local government entity networks that manage or support election processes,” the alert states. “In some cases, successful ransomware attacks and a distributed denial-of-service (DDoS) attack on such infrastructure delayed election-related operations in the affected state or locality but did not compromise the integrity of voting processes … Nation-state-affiliated cyber actors have not attempted to disrupt US elections infrastructure, despite reconnaissance and occasionally acquiring access to non-voting infrastructure."

According to DHS statistics highlighted in the report, 95 percent of “cyber threats to elections” were unsuccessful attempts by unknown actors. Two percent were unsuccessful attempts by known actors, and 3 percent were successful attempts “to gain access or cause disruption.” The report emphasizes that threat intelligence sharing and collaboration between local, state, and federal authorities help prevent breaches and mitigate the fallout of successful attacks.

In general, government-backed hackers may stoke geopolitical tension by conducting particularly aggressive digital espionage, but their activity isn't inherently escalatory so long as they are abiding by espionage norms. Criminal hackers are bound by no such restrictions, though they can call too much attention to themselves if their attacks are too disruptive and risk a law enforcement crackdown.

The report cites an incident from March, for example, in which an unnamed US county “experienced a ransomware attack that forced it to purchase new network devices and reconnect to the state-level election system.” If such an attack occurred on or around Election Day, it could meaningfully disrupt voting.

More broadly, domestic security concerns in connection with the 2024 election have skyrocketed, fostering what DHS calls a “heightened threat environment.” Reporting by WIRED this month revealed that the agency has been issuing warnings to law enforcement across the US since summer, alarmed by the efforts of some extremists to mobilize and commit actual violence against elected officials, while targeting US voter ballots for destruction.

Other warnings show that concern is mounting over propaganda calling for Americans to engage in “civil war,” a narrative that DHS fears is raising the risk of domestic attacks. Threats tied to what the government calls “immigration-related grievances”—including the false narrative of “migrant invasion,” which is core to Donald Trump’s reelection efforts—have escalated this year, while expanding to ensnare federal judges and US border patrol officers deemed “traitors” among some antigovernment groups.

“Targeted violence and terrorism associated with ideologically motivated individuals will continue to be a threat through the 2024 election cycle,” says another intelligence report also obtained by WIRED. It warns, meanwhile, that “insider threats” affiliated with US election systems will “likely be an issue.”

Cybercriminals Pose a Greater Threat of Disruptive US Election Hacks Than Russia or China

Useragent is a user agent parser for Node.js. All versions as of time of publication contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS).

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-mgfv-m47x-4wqp: useragent Regular Expression Denial of Service vulnerability

insane is a whitelist-oriented HTML sanitizer. Versions 2.6.2 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available.

GHSA-w455-mfq9-hf74: insane vulnerable to Regular Expression Denial of Service

Knwl.js is a Javascript library that parses through text for dates, times, phone numbers, emails, places, and more. Versions 1.0.2 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available.

GHSA-68qg-g787-3rp5: Knwl.js Regular Expression Denial of Service vulnerability

Validate.js provides a declarative way of validating javascript objects. Versions 0.13.1 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available.

GHSA-rv73-9c8w-jp4c: validate.js Regular Expression Denial of Service vulnerability

CommonRegexJS is a CommonRegex port for JavaScript. All available versions contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available.

GHSA-pmvv-57rg-5g86: CommonRegexJS Regular Expression Denial of Service vulnerability

Foundation is a front-end framework. Versions 6.3.3 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, it is unknown if any fixes are available.

GHSA-p8pc-3f7w-jr5q: Foundation Regular Expression Denial of Service vulnerability

Nope is a JavaScript validator. Versions 0.11.3 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). This vulnerability is fixed in 0.12.1.

GHSA-3phv-83cj-p8p7: nope-validator Regular Expression Denial of Service vulnerability

Funadmin 5.0.2 has a logical flaw in the Curd one click command deletion function, which can result in a Denial of Service (DOS).

**Logic flaw in Funadmin**

High severity GitHub Reviewed Published Oct 25, 2024 to the GitHub Advisory Database • Updated Oct 25, 2024

Tag

#dos