Red Hat Security Advisory 2023-7606-03 - Red Hat OpenShift Container Platform release 4.13.25 is now available with updates to packages and images that fix several bugs and add enhancements.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7606.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: OpenShift Container Platform 4.13.25 packages and security update  
Advisory ID:        RHSA-2023:7606-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7606  
Issue date:         2023-12-06  
Revision:           03  
CVE Names:          CVE-2023-40225  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.13.25 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.13.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.13.25. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHSA-2023:7604

Security Fix(es):

* haproxy: Proxy forwards malformed empty Content-Length headers (CVE-2023-40225)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html

Solution:

https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html

CVEs:

CVE-2023-40225

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2231370

Red Hat Security Advisory 2023-7606-03

Red Hat Security Advisory 2023-7604-03 - Red Hat OpenShift Container Platform release 4.13.25 is now available with updates to packages and images that fix several bugs and add enhancements.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7604.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.13.25 bug fix and security update  
Advisory ID:        RHSA-2023:7604-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7604  
Issue date:         2023-12-06  
Revision:           03  
CVE Names:          CVE-2023-39325  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.13.25 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.13.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.13.25. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHSA-2023:7606

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html

Security Fix(es):

* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (Rapid Reset Attack) (CVE-2023-39325)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html

Solution:

CVEs:

CVE-2023-39325

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003  
https://bugzilla.redhat.com/show_bug.cgi?id=2243296  
https://issues.redhat.com/browse/OCPBUGS-11316  
https://issues.redhat.com/browse/OCPBUGS-18106  
https://issues.redhat.com/browse/OCPBUGS-22126  
https://issues.redhat.com/browse/OCPBUGS-23504  
https://issues.redhat.com/browse/OCPBUGS-23536

Red Hat Security Advisory 2023-7604-03

Red Hat Security Advisory 2023-7602-03 - Red Hat OpenShift Container Platform release 4.13.25 is now available with updates to packages and images that fix several bugs.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7602.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.13.25 security and extras update  
Advisory ID:        RHSA-2023:7602-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7602  
Issue date:         2023-12-06  
Revision:           03  
CVE Names:          CVE-2023-39325  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.13.25 is now available with updates to packages and images that fix several bugs.

This release includes a security update for Red Hat OpenShift Container Platform 4.13.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.13.25. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHSA-2023:7604

Security Fix(es):

* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (Rapid Reset Attack) (CVE-2023-39325)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html

Solution:

https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html

CVEs:

CVE-2023-39325

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003  
https://bugzilla.redhat.com/show_bug.cgi?id=2243296

Red Hat Security Advisory 2023-7602-03

Red Hat Security Advisory 2023-7599-03 - Red Hat OpenShift Container Platform release 4.14.5 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7599.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.14.5 bug fix and security update  
Advisory ID:        RHSA-2023:7599-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7599  
Issue date:         2023-12-05  
Revision:           03  
CVE Names:          CVE-2023-39325  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.14.5 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.14.

Red Hat Product Security has rated this update as having a security impact of [impact]. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.14.5. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHBA-2023:7603

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.14/release_notes/ocp-4-14-release-notes.html

Security Fix(es):

* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)

* opentelemetry: DoS vulnerability in otelhttp (CVE-2023-45142)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.14 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.14/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

CVEs:

CVE-2023-39325

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2243296  
https://bugzilla.redhat.com/show_bug.cgi?id=2245180  
https://issues.redhat.com/browse/OCPBUGS-10126  
https://issues.redhat.com/browse/OCPBUGS-22286  
https://issues.redhat.com/browse/OCPBUGS-22363  
https://issues.redhat.com/browse/OCPBUGS-22430  
https://issues.redhat.com/browse/OCPBUGS-23426  
https://issues.redhat.com/browse/OCPBUGS-23490  
https://issues.redhat.com/browse/OCPBUGS-23751  
https://issues.redhat.com/browse/OCPBUGS-23906

Red Hat Security Advisory 2023-7599-03

An issue in MLFlow versions 2.8.1 and before allows a remote attacker to obtain sensitive information via a crafted request to REST API.

Most Machine Language (ML) tools — including the development frameworks used for managing ML life cycles — are relatively new, which means they could well  have security vulnerabilities. 

After finding two Common Vulnerabilities and Exposures (CVEs)  in the Togglz web console (the cross-site scripting \[XSS\] CVE-2020-28192 and the cross-site request forgery \[CSRF\]  CVE-2020-28191), I decided to check out MLflow, a development framework for ML life cycle management, thinking that it could potentially be vulnerable. 

It was. Specifically, I found a misconfigured application programming interface (API) that fails to check the content-type header. This means that an attacker can make a simple request to localhost without triggering a preflight — i.e., an HTTP request of the OPTIONS method, sent before the request itself, in order to determine if it is safe to send the request. I found that this could be done in MLflow by using a text/plain content type, instead of the more proper application/JavaScript Object Notation (JSON) content type. 

**An existential threat to companies being built around ML **

The result is an extremely dangerous vulnerability that threatens ML models: A successful attack can lead to the leaking of both an ML model and all training data to an attacker. This is an existential threat to companies being built around an ML model. Given a successful exploit of this vulnerability, an attacker could gain access/control that would be the equivalent of gaining write access with the source code of a company that writes software. 

I reported this CVE — designated CVE-2023-43472 — on Sept. 5, 2023 and directly emailed Databricks, the original creator and current maintainer of MLflow. I informed Databricks that I would be giving a talk describing the issue at the DefCamp security conference on Friday, Nov. 24. As of Nov. 29, Databricks reported that it was working on a fix that was scheduled to be released later this week.

This CVE impacts all versions of MLflow from at least 2.6.0, and most likely all 2.x versions. 

I'm not sure exactly how widely used MLflow is, but based on the number of stars it’s garnered on GitHub, it’s more popular than the Kubernetes-based Kubeflow: 15.9K stars for MLflow, vs. 13.2K for Kubeflow. For what it’s worth, when Canonical recently announced its Charmed MLflow MLops platform, Canonical Vice President of Product Management Cédric Gégout called MLflow “the leading AI framework for streamlining all ML stages.” 

**The vulnerability**

The MLflow user interface (http://localhost:5000/) contains a REST API. Normally, this wouldn't be vulnerable to Simple Request Attacks, as the POST request uses a content type of application/JSON, which would trigger a preflight request and therefore would not be vulnerable.

But in this case, the API doesn't check the content type header. Therefore, it’s possible to trigger a request with a content type of text/plain.

As can be seen in the above Request/Response, while the request body is valid JSON, the content-type set is text/plain. The API should reject this request, given that it’s of an unexpected type, but the API apparently doesn’t check the content type.

Using that, if you can get the MLflow user to visit a website for which you control the JavaScript — say, by creating a MLfLow tutorial website — you can effectively modify the Default Experiment and set the artifact location to a globally writable S3 bucket that you control. An adversary can then use that to exfiltrate any data sent to the bucket.

Unfortunately, the API is lacking some functionality. You can neither modify Experiments artifact\_uri via the API nor delete the Default Experiment. But you can create new ones and modify the existing experiment name, so the new experiment is named “Default.”

The attack does the following:

*   Modify the Default experiment name to "Old.”

*   Create a new experiment named "Default" with an artifact\_uri of an S3 bucket.

*   Once a new MLFLow run is done — e.g., mlflow run sklearn\_elasticnet\_wine -P alpha=0.5, experiment-name Default — the result of the run will be uploaded to the S3 bucket.

The payload is available here. 

**Impact**

This vulnerability allows an attacker to exfiltrate a serialized version of the ML model and the data used to train the model, if the attacker is able to get the MLFlow user to access a website they control.

**Attacking a developer environment via drive-by localhost attacks**

To put this vulnerability into context, there’s a widespread belief that services that are only bound to localhost are not accessible from the outside world. Unfortunately, this is not always the case. Developers, for the sake of convenience, configure the services that they are developing in a less secure way compared with how they would (hopefully!) configure them in higher-security environments. 

By compromising websites used by developers — simply by injecting JavaScript into advertisements served on those sites or by serving up a phishing attack that gets the developer to open a web browser on a compromised page — it is possible to reach out via non-pre-flighted HTTP requests to those services bound to localhost, either by exploiting common misconfigurations in the Spring application framework or via known vulnerabilities found by myself, including the recently disclosed CVE that I found in the popular Quarkus Java framework.

As I demonstrated during Friday’s Def Camp talk, it is possible to generate a remote code execution (RCE) on the developer’s machine or on other services on their private network. Given that developers have write access to codebases, AWS keys, server credentials, etc., access to the developer’s machine gives an attacker a great deal of scope to pivot to other resources on the network, as well as to either modify or to entirely steal the codebase.

**Easy to exploit**

CVE-2023-43472 would be relatively simple to exploit: an attacker merely has to get a target to visit a website that they control. At that point, the attacker can silently modify the location the data is saved to to be an S3 bucket under their control.

An exploit could be used to send data to a globally writable S3 bucket, from which it can be exfiltrated. 

Amazon S3 buckets are used to store all sorts of data: they’re just a way to store data programmatically in the cloud. There are no AWS security guardrails that could limit the extent of damage somebody could do in an exploit, given that the S3 bucket is created and owned by the attacker. 

**How this could affect ML models**

A successful exploit could lead to more than data exfiltration. Given that an ML model is stored in the bucket, there would be potential to poison the ML model itself. In such an attack, an adversary is able to inject bad data into the model’s training pool, causing it to learn something it shouldn’t. 

If/when the model is read by the victim, there’s also the potential for a modified model.pkl file to contain a Python pickle exploit, which can lead to RCE on the victim’s machine.

**What to do**

MLflow users should upgrade to the new version as soon as it's available.

**Read more:**

*   Contrast discovers zero-day flaw in popular Quarkus Java framework (blog)
*   Contrast API Security Testing Platform (product page)
*   Hands-on testing and protecting APIs (virtual workshop) 
*   Defense-in-depth web AppSec: The case for having both RASP and WAF (white paper PDF)
*   The Future of API Security (webinar)
*   Protecting Apis: An Uphill Battle (white paper PDF)
*   Building a modern API security strategy: A five-part series — Overview (blog)

CVE-2023-43472: Contrast discovers MLflow framework zero-day that threatens to poison machine language models

Microcks up to 1.17.1 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /jobs and /artifact/download. This vulnerability allows attackers to access network resources and sensitive information via a crafted GET request.

    

**Microcks - Kubernetes native tool for API Mocking & Testing**

Microcks is a platform for turning your API and microservices assets - _OpenAPI specs_, _AsyncAPI specs_, _gRPC protobuf_, _GraphQL schema_, _Postman collections_, _SoapUI projects_ - into live mocks in seconds.

It also reuses these assets for running compliance and non-regression tests against your API implementation. We provide integrations with _Jenkins_, _GitHub Actions_, _Tekton_ and many others through a simple CLI.

**Getting Started**

*   Documentation

To get involved with our community, please make sure you are familiar with the project's Code of Conduct.

**Build Status**

The current development version is 1.8.1-SNAPSHOT. 

**Sonarcloud Quality metrics**

      

**Versions**

Here are the naming conventions we're using for current releases, ongoing development maintenance activities.

Status

Version

Branch

Container images tags

Stable

1.8.0

master

1.8.0, latest

Dev

1.8.1-SNAPSHOT

1.8.x

nightly

Maintenance

1.7.2-SNAPSHOT

1.7.x

maintenance

**How to build Microcks**

The build instructions are available in the contribution guide.

**Thanks to community!**

CVE-2023-48910: GitHub - microcks/microcks: Kubernetes native tool for mocking and testing API and micro-services. Microcks is a Cloud Native Computing Foundation sandbox project 🚀

Red Hat Security Advisory 2023-7473-01 - Red Hat OpenShift Container Platform release 4.14.4 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7473.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.14.4 packages and security update  
Advisory ID:        RHSA-2023:7473-01  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7473  
Issue date:         2023-11-29  
Revision:           01  
CVE Names:          CVE-2023-25577  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.14.4 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.14.

Red Hat Product Security has rated this update as having a security impact of [impact]. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.14.4. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHSA-2023:7470

Security Fix(es):

* python-werkzeug: high resource usage when parsing multipart form data  
with many fields (CVE-2023-25577)  
* haproxy: Proxy forwards malformed empty Content-Length headers  
(CVE-2023-40225)  
* python-werkzeug: high resource consumption leading to denial of service  
(CVE-2023-46136)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.14 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.14/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

https://docs.openshift.com/container-platform/4.14/release_notes/ocp-4-14-release-notes.html

CVEs:

CVE-2023-25577

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2170242  
https://bugzilla.redhat.com/show_bug.cgi?id=2231370  
https://bugzilla.redhat.com/show_bug.cgi?id=2246310

Red Hat Security Advisory 2023-7473-01

Red Hat Security Advisory 2023-7470-01 - Red Hat OpenShift Container Platform release 4.14.4 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7470.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.14.4 bug fix and security update  
Advisory ID:        RHSA-2023:7470-01  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7470  
Issue date:         2023-11-29  
Revision:           01  
CVE Names:          CVE-2023-39325  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.14.4 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.14.

Red Hat Product Security has rated this update as having a security impact of [impact]. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.14.4. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHSA-2023:7473

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.14/release_notes/ocp-4-14-release-notes.html

Security Fix(es):

* golang: net/http, x/net/http2: rapid stream resets can cause excessive  
work (CVE-2023-44487) (CVE-2023-39325)  
* opentelemetry: DoS vulnerability in otelhttp (CVE-2023-45142)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.14 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.14/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

CVEs:

CVE-2023-39325

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2243296  
https://bugzilla.redhat.com/show_bug.cgi?id=2245180  
https://issues.redhat.com/browse/OCPBUGS-19678  
https://issues.redhat.com/browse/OCPBUGS-21761  
https://issues.redhat.com/browse/OCPBUGS-21868  
https://issues.redhat.com/browse/OCPBUGS-22688  
https://issues.redhat.com/browse/OCPBUGS-22774  
https://issues.redhat.com/browse/OCPBUGS-22996  
https://issues.redhat.com/browse/OCPBUGS-23150  
https://issues.redhat.com/browse/OCPBUGS-23210  
https://issues.redhat.com/browse/OCPBUGS-23212  
https://issues.redhat.com/browse/OCPBUGS-23315  
https://issues.redhat.com/browse/OCPBUGS-23392  
https://issues.redhat.com/browse/OCPBUGS-23393  
https://issues.redhat.com/browse/OCPBUGS-23408  
https://issues.redhat.com/browse/OCPBUGS-23423  
https://issues.redhat.com/browse/OCPBUGS-23450  
https://issues.redhat.com/browse/OCPBUGS-23505  
https://issues.redhat.com/browse/OCPBUGS-23508  
https://issues.redhat.com/browse/OCPBUGS-283

Red Hat Security Advisory 2023-7470-01

Amazon Web Services announced enhancements to several of its security tools, including GuardDuty, Inspector, Detective, IAM Access Analyzer, and Secrets Manager, to name a few during its re:Invent event.

Source: Techa Tungateja via Alamy Stock Photo

Amazon Web Services has been unveiling a steady stream of announcements during its AWS re:Invent 2023 event in Las Vegas this week. As expected, the focus over the four days has been on artificial intelligence (AI) as AWS strives to show that its offerings can match – or surpass – those from Google Cloud and Microsoft Azure. But even beyond generative AI, AWS is highlighting enhancements to its threat detection, vulnerability assessment, and security policy tools.

First up: AWS has expanded Amazon GuardDuty with Amazon GuardDuty EC2 Runtime Monitoring and Amazon GuardDuty ECS Runtime Monitoring. GuardDuty EC2 Runtime Monitoring, now in preview, introduces runtime threat detection for Amazon Elastic Compute Cloud workloads to give security teams visibility into on-host, operating system-level activities. It also provides container-level context into threats. Amazon GuardDuty ECS Runtime Monitoring uses a lightweight security agent to extend threat detection for workloads running on EC2 and AWS Fargate.

AWS Secrets Manager now supports a single API call to identify and retrieve a group of secrets associated with the application. The BatchGetSecretValue API simplifies developer workflows. And administrators can now enter their own customer-specific security controls in AWS Security Hub to customize security posture monitoring.

**Generative AI to Security**

AWS is adding generative AI to its security tools Amazon Inspector and Amazon Detective. Amazon Inspector, a code-scanning tool for AWS Lambda functions, offers assisted code remediation using generative AI and automated reasoning and can provide in-context code patches for multiple vulnerability classes. Amazon Detective helps security investigations by using generative AI to analyze multiple activities related to potential security events and find group summaries.

Additionally, Amazon Inspector has agentless vulnerability scanning for Amazon Elastic Cloud Compute instances in preview. Amazon Detective now supports log retrieval from Amazon Security Lake and investigating AWS identity and access management entities for indicators of compromise.

**Identity and Access Announcements**

The AWS Identity and Access Manager (IAM) Access Analyzer continuously analyzes user accounts to identify unused access privileges and permissions to help administrators implement the principle of least privilege. Security teams can review the findings to prioritize which accounts need action. The tool also provides custom policy checks to validate that IAM policies adhere to the organization's security standards before systems are deployed.

Amazon EKS Pod Identity allows administrators to define required IAM permissions for applications in Amazon Elastic Kubernetes Service clusters. This allows the applications to connect with AWS services outside of the cluster.

Finally, AWS announced support for mutually authenticating clients presenting X509 certificates to Application Load Balancer. This helps administrators offload client authentication to the load balancer to ensure only trusted clients are able to access the organization's cloud applications.

**About the Author(s)**

Rundown of Security News From AWS re:Invent 2023

PRESS RELEASE

HERZLIYA, Israel, Nov. 29, 2023 /PRNewswire/ -- XM Cyber, the leader in hybrid cloud exposure management, today announced new capabilities that provide complete and continuous visibility into risks and vulnerabilities in Kubernetes environments. Kubernetes Exposure Management helps security teams protect critical assets running in Kubernetes clusters across public cloud, private cloud, and on-premises infrastructure.

The new solution delivers continuous visibility into vulnerabilities, risky permissions, and misconfigurations that could allow attackers to breach Kubernetes environments and access valuable data and applications. By extending XM Cyber's industry-leading XM Attack Graph Analysis™ to Kubernetes, organizations can now see integrated risks across hybrid environments and intelligently prioritize remediation based on potential impact to critical assets.

"We are early adopters of XM Cyber's new Kubernetes features in order to achieve full transparency into our customer environments", said Moritz Tuerk, Chief Product Owner Security for SAP Product Engineering. "With the comprehensive attack path view, we can enhance the security of the SAP cloud even further than what is currently possible."

Key benefits of XM Cyber's Kubernetes Exposure Management include:

*   360-Degree Visibility: Gain a comprehensive view of risks and excessive permissions across all Kubernetes assets.
    
*   Protection for Sensitive Resources: Ensure the security of vital Kubernetes resources like ConfigMaps and Secrets.
    
*   Cross-Environment Analysis that reduces remediation efforts: Perform multi-step attack modeling, risk assessment, and prioritization that considers the needs of multiple domains.
    
*   Rapid Time-to-Value: Initial deployment can be completed in hours to unlock actionable exposure insights from day one.
    

Security issues have caused 67% of companies to delay or slow down Kubernetes deployment. XM Cyber's Kubernetes Exposure Management capabilities are aimed at helping security teams tackle this emerging risk vector head-on.

"Kubernetes adoption is accelerating, but securing these highly complex environments remains a huge challenge," said Boaz Gorodissky, CTO at XM Cyber. "Our new Kubernetes Exposure Management equips security teams with the comprehensive visibility and automated control they urgently need to reduce attack surfaces and proactively protect critical container workloads."

To learn more about XM Cyber, please visit: https://xmcyber.com/solution-briefs/kubernetes-continuous-exposure-management/.

About XM Cyber

XM Cyber is a leading hybrid cloud exposure management company that's changing the way organizations approach cyber risk. XM Cyber transforms exposure management by demonstrating how attackers leverage and combine misconfigurations, vulnerabilities, identity exposures, and more, across AWS, Azure, GCP, and on-prem environments to compromise critical assets. With XM Cyber, you can see all the ways attackers might advance, and all the best ways to stop them, pinpointing where to remediate exposures with a fraction of the effort. Founded by top executives from the Israeli cyber intelligence community, XM Cyber has offices in North America, Europe, Asia Pacific and Israel.

You May Also Like

Tag

#kubernetes