Red Hat Security Advisory 2024-4326-03 - An update is now available for Red Hat build of Quarkus. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4326.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: Red Hat build of Quarkus 3.8.5 release and security update  
Advisory ID:        RHSA-2024:4326-03  
Product:            Red Hat build of Quarkus  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:4326  
Issue date:         2024-07-14  
Revision:           03  
CVE Names:          CVE-2024-29857  
====================================================================

Summary: 

An update is now available for Red Hat build of Quarkus.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.

Description:

This release of Red Hat build of Quarkus 3.8.5 includes security updates, bug fixes and enhancements. For more information, see the release notes page listed in the References section.

Security Fix(es):

* (CVE-2024-29857) org.bouncycastle:bcprov-jdk18on: org.bouncycastle: Importing an EC certificate with crafted F2m parameters may lead to Denial of Service [quarkus-3.8]

* (CVE-2024-30172) org.bouncycastle:bcprov-jdk18on: Infinite loop in ED25519 verification in the ScalarUtil class [quarkus-3.8]

* (CVE-2024-34447) org.bouncycastle/bcprov-jdk18on: org.bouncycastle: Use of Incorrectly-Resolved Name or Reference [quarkus-3.8]

* (CVE-2024-30171) org.bouncycastle-bcprov-jdk18on: BouncyCastle vulnerable to a timing variant of Bleichenbacher (Marvin Attack) [quarkus-3.8]

Solution:

CVEs:

CVE-2024-29857

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://docs.redhat.com/en/documentation/red_hat_build_of_quarkus/3.8  
https://access.redhat.com/articles/4966181  
https://bugzilla.redhat.com/show_bug.cgi?id=2276360  
https://bugzilla.redhat.com/show_bug.cgi?id=2279227  
https://bugzilla.redhat.com/show_bug.cgi?id=2293025  
https://bugzilla.redhat.com/show_bug.cgi?id=2293028  
https://issues.redhat.com/browse/QUARKUS-3540  
https://issues.redhat.com/browse/QUARKUS-3660  
https://issues.redhat.com/browse/QUARKUS-4184  
https://issues.redhat.com/browse/QUARKUS-4318  
https://issues.redhat.com/browse/QUARKUS-4402  
https://issues.redhat.com/browse/QUARKUS-4430  
https://issues.redhat.com/browse/QUARKUS-4431  
https://issues.redhat.com/browse/QUARKUS-4486  
https://issues.redhat.com/browse/QUARKUS-4488  
https://issues.redhat.com/browse/QUARKUS-4489  
https://issues.redhat.com/browse/QUARKUS-4490  
https://issues.redhat.com/browse/QUARKUS-4491  
https://issues.redhat.com/browse/QUARKUS-4492  
https://issues.redhat.com/browse/QUARKUS-4493  
https://issues.redhat.com/browse/QUARKUS-4494  
https://issues.redhat.com/browse/QUARKUS-4495  
https://issues.redhat.com/browse/QUARKUS-4497  
https://issues.redhat.com/browse/QUARKUS-4498  
https://issues.redhat.com/browse/QUARKUS-4499  
https://issues.redhat.com/browse/QUARKUS-4500  
https://issues.redhat.com/browse/QUARKUS-4501  
https://issues.redhat.com/browse/QUARKUS-4502  
https://issues.redhat.com/browse/QUARKUS-4503  
https://issues.redhat.com/browse/QUARKUS-4504  
https://issues.redhat.com/browse/QUARKUS-4505  
https://issues.redhat.com/browse/QUARKUS-4506  
https://issues.redhat.com/browse/QUARKUS-4507  
https://issues.redhat.com/browse/QUARKUS-4508  
https://issues.redhat.com/browse/QUARKUS-4509  
https://issues.redhat.com/browse/QUARKUS-4510  
https://issues.redhat.com/browse/QUARKUS-4511  
https://issues.redhat.com/browse/QUARKUS-4512  
https://issues.redhat.com/browse/QUARKUS-4514  
https://issues.redhat.com/browse/QUARKUS-4515  
https://issues.redhat.com/browse/QUARKUS-4516  
https://issues.redhat.com/browse/QUARKUS-4517  
https://issues.redhat.com/browse/QUARKUS-4518  
https://issues.redhat.com/browse/QUARKUS-4519  
https://issues.redhat.com/browse/QUARKUS-4520  
https://issues.redhat.com/browse/QUARKUS-4522  
https://issues.redhat.com/browse/QUARKUS-4523  
https://issues.redhat.com/browse/QUARKUS-4525  
https://issues.redhat.com/browse/QUARKUS-4526  
https://issues.redhat.com/browse/QUARKUS-4527  
https://issues.redhat.com/browse/QUARKUS-4529  
https://issues.redhat.com/browse/QUARKUS-4530  
https://issues.redhat.com/browse/QUARKUS-4531  
https://issues.redhat.com/browse/QUARKUS-4532  
https://issues.redhat.com/browse/QUARKUS-4533  
https://issues.redhat.com/browse/QUARKUS-4534  
https://issues.redhat.com/browse/QUARKUS-4535  
https://issues.redhat.com/browse/QUARKUS-4536  
https://issues.redhat.com/browse/QUARKUS-4537  
https://issues.redhat.com/browse/QUARKUS-4538  
https://issues.redhat.com/browse/QUARKUS-4539  
https://issues.redhat.com/browse/QUARKUS-4540  
https://issues.redhat.com/browse/QUARKUS-4541  
https://issues.redhat.com/browse/QUARKUS-4542  
https://issues.redhat.com/browse/QUARKUS-4543  
https://issues.redhat.com/browse/QUARKUS-4544  
https://issues.redhat.com/browse/QUARKUS-4545  
https://issues.redhat.com/browse/QUARKUS-4547  
https://issues.redhat.com/browse/QUARKUS-4548  
https://issues.redhat.com/browse/QUARKUS-4549  
https://issues.redhat.com/browse/QUARKUS-4550  
https://issues.redhat.com/browse/QUARKUS-4551  
https://issues.redhat.com/browse/QUARKUS-4552  
https://issues.redhat.com/browse/QUARKUS-4553  
https://issues.redhat.com/browse/QUARKUS-4608

Red Hat Security Advisory 2024-4326-03

Red Hat Security Advisory 2024-2106-03 - An update is now available for Red Hat build of Quarkus.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2106.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: Red Hat build of Quarkus 3.8.4 release  
Advisory ID:        RHSA-2024:2106-03  
Product:            Red Hat build of Quarkus  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:2106  
Issue date:         2024-07-14  
Revision:           03  
CVE Names:          CVE-2024-2700  
====================================================================

Summary: 

An update is now available for Red Hat build of Quarkus.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.

Description:

This release of Red Hat build of Quarkus 3.8.4 includes security updates. For more information, see the release notes page listed in the References section.

Security Fix(es):

* CVE-2024-2700 io.quarkus/quarkus-core: Leak of local configuration properties into Quarkus applications [quarkus-3.8]

* TRIAGE CVE-2024-29025 io.netty/netty-codec-http: Allocation of Resources Without Limits or Throttling [quarkus-3.8]

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-2700

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/documentation/en-us/red_hat_build_of_quarkus/3.8  
https://access.redhat.com/products/quarkus/  
https://bugzilla.redhat.com/show_bug.cgi?id=2272907  
https://bugzilla.redhat.com/show_bug.cgi?id=2273281  
https://issues.redhat.com/browse/QUARKUS-4289  
https://issues.redhat.com/browse/QUARKUS-4291  
https://issues.redhat.com/browse/QUARKUS-4293  
https://issues.redhat.com/browse/QUARKUS-4294  
https://issues.redhat.com/browse/QUARKUS-4295  
https://issues.redhat.com/browse/QUARKUS-4296  
https://issues.redhat.com/browse/QUARKUS-4297  
https://issues.redhat.com/browse/QUARKUS-4298  
https://issues.redhat.com/browse/QUARKUS-4301  
https://issues.redhat.com/browse/QUARKUS-4302  
https://issues.redhat.com/browse/QUARKUS-4303  
https://issues.redhat.com/browse/QUARKUS-4306  
https://issues.redhat.com/browse/QUARKUS-4308  
https://issues.redhat.com/browse/QUARKUS-4313  
https://issues.redhat.com/browse/QUARKUS-4314  
https://issues.redhat.com/browse/QUARKUS-4315  
https://issues.redhat.com/browse/QUARKUS-4316  
https://issues.redhat.com/browse/QUARKUS-4317

Red Hat Security Advisory 2024-2106-03

Quantum and post-quantum, what does it mean?Quantum computing is an emerging technology that uses superposition, entanglement and interference to manipulate the state of a qubit (quantum bit) — this allows a quantum computer to evaluate multiple possibilities at the same time because it can hold the existence of opposing values in parallel (like Schrödinger’s cat experiment).This is exciting for the prospects it can provide in computing and at the same time terrifying in the volume of attacks and security breaches it could contribute to. Quantum computing will make attacks possible that a

****Quantum and post-quantum, what does it mean?****

Quantum computing is an emerging technology that uses superposition, entanglement and interference to manipulate the state of a qubit (quantum bit) — this allows a quantum computer to evaluate multiple possibilities at the same time because it can hold the existence of opposing values in parallel (like Schrödinger’s cat experiment).

This is exciting for the prospects it can provide in computing and at the same time terrifying in the volume of attacks and security breaches it could contribute to. Quantum computing will make attacks possible that are not currently practically achievable. For example, RSA-2048 could take more human lifetimes to crack with traditional computing resources than humans will exist. With quantum computing, however, cracking classical cryptography like RSA-2048 becomes not only possible, but achievable within a reasonable period of time.

While quantum computers do not yet exist in a manner widely accessible, continued improvements and advancement in the quantum computing space increase the probability of existing, widespread cryptography being broken and compromised. 

The basis of many core functions for governments, banks and personal privacy are built on cryptography’s ability to facilitate protection of sensitive data from exposure and maintain its authenticity and integrity throughout its life. When the basis of global trust (cryptography) becomes broken, societies and life-essential capabilities are impacted.

The history of cryptography is a war between cryptographers and cryptanalysts. However, since the advent of information technology, much of our cryptographic capabilities have not evolved; we’ve adapted to computational advances by simply increasing the key size to make it significantly more difficult, more resource intensive, and require more time to decrypt protected information. Quantum computers fundamentally change this paradigm. Key size increases will not be enough to prevent adversaries from accessing sensitive data.

"Post-quantum" is the term used to describe technologies that are capable of providing security guarantees which are resistant to the threat quantum computing presents. Without going into significant detail on how quantum computing can break classical cryptography, post-quantum cryptography must resist classical attacks as well as entirely new classes of attacks that take advantage of the capabilities and properties inherent to quantum computing (entanglement, superposition and interference).

****What is Red Hat doing to adopt post-quantum cryptography?****

Red Hat is engaged with various industry groups and open source projects to understand the performance, scalability and security impact that post-quantum cryptographic functions and their quantum-resistant algorithms have. Red Hat will evaluate and test these algorithms, as implemented by crypto-libraries, for incorporation into Red Hat products and projects.

Red Hat is committed to providing customers with functional, quantum-resistant security capabilities as the industry evolves, develops and begins integrating these new cryptographic functions. As the National Institute of Standards and Technology (NIST) continues working to select quantum-resistant algorithms and related protocols are approved by standards bodies (i.e. NIST, Internet Engineering Task Force (IETF), and others), these will be made broadly available for use.

The NIST approval process includes evaluating the maturity of the algorithm and corresponding implementations on a case-by-case basis. This may include monitoring activities by those groups and projects to identify gaps or delayed progress in adopting and integrating approved algorithms and corresponding libraries, and engaging as appropriate to continue advancement in that area.

Many world governments have proposed initial timelines for software manufacturers to provide post-quantum cryptographic functions. The dependency ecosystem that provides cryptographic functions is inherently complex, however, and the order of operations in making these changes globally will take significant time and testing in order to verify that existing transactions, communication protocols, protection mechanisms and signing flows are all still functional.

Red Hat anticipates that the proposed timelines will shift as cryptographic functions are approved and packages and libraries begin incorporating these functions within their existing release cycles. Red Hat has collected requirements and timeline expectations from the United States (US), Czech Republic, Germany, France and other governments to make sure that the event-driven roadmap addresses and is aligned with the defined outcomes of these government bodies.

****Red Hat’s phases of post-quantum cryptography inclusion****

As part of Red Hat’s ongoing efforts to address quantum computing and quantum resistance in Red Hat products and their upstream projects, Red Hat plans to roll out these efforts in three initial phases. Additional phases may be added later to identify deprecation and eventual removal of classical cryptography with enforcement to prevent attackers from forcing systems to switch to less-secure cryptography, referred to as downgrade attacks.

For the purposes of these phases, references to post-quantum cryptographic functions are inclusive of quantum-resistant algorithms, which may be symmetric or asymmetric but still subject to approval by the aforementioned standards bodies.

**Classical** is the phase at which a given product or service does not include any post-quantum cryptographic functions.

**Post-Quantum Capable (PQ-capable)** is the phase at which a given product or service includes some post-quantum cryptographic functions. Post-quantum cryptographic functions may not be available for all applications and/or may not be configured to be default; classical cryptography and algorithms are still available for all applications and may be the default.

**Post-Quantum Ready (PQ-ready)** is the phase at which a given product or service includes post-quantum cryptographic functions by default for most applications, with classical cryptography and algorithms available to be configured by users who still need to retain classical methods for interoperability. PQ-Ready also supports approved hybrid schemes (classical and post-quantum) as they are available. Hybrid schemes combine the use of classical and post-quantum algorithms. In the event that a classical algorithm is defeated, the system remains secured through post-quantum algorithms. Should a post-quantum algorithm be defeated, the system remains secured through classical algorithms.

In the next article of this series, you’ll learn what to expect of Red Hat products as they begin adoption of post-quantum cryptographic functions and what you can do to assist your organization in achieving crypto-agility with Red Hat.

****More information****

If you have additional questions, please reach out to your Red Hat account manager. Red Hat is committed to supporting customers in achieving and maintaining post-quantum security.

Learn more about post-quantum cryptography

Red Hat’s path to post-quantum cryptography

Red Hat Security Advisory 2024-4522-03 - An update is now available for Red Hat Ansible Automation Platform 2.4. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4522.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: Red Hat Ansible Automation Platform 2.4 Product Security and Bug Fix UpdateAdvisory ID:        RHSA-2024:4522-03Product:            Red Hat Ansible Automation PlatformAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4522Issue date:         2024-07-12Revision:           03CVE Names:          CVE-2024-28102====================================================================Summary: An update is now available for Red Hat Ansible Automation Platform 2.4Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.Security Fix(es):* automation-controller: jinja2: accepts keys containing non-attribute characters (CVE-2024-34064)* automation-controller: jwcrypto: malicious JWE token can cause denial of service (CVE-2024-28102)* automation-controller: requests: subsequent requests to the same host ignore cert verification (CVE-2024-35195)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Updates and fixes for automation controller:* Fixed a bug where the controller does not respect \"DATABASES[‘OPTIONS’]\" setting, if specified (AAP-26398)* Changed all uses of \"ImplicitRoleField\" to perform an \"on_delete=SET_NULL\" (AAP-25136)* Fixed the HostMetric automated counter to display the correct values (AAP-25115)* Added Django logout redirects (AAP-24543)* automation-controller has been updated to 4.5.8Additional changes:* aap-metrics-utility has been updated to 0.3.0 (AAP-25875)* ansible-core has been updated to 2.15.12 (AAP-25536)Solution:CVEs:CVE-2024-28102References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2268758https://bugzilla.redhat.com/show_bug.cgi?id=2279476https://bugzilla.redhat.com/show_bug.cgi?id=2282114

Red Hat Security Advisory 2024-4522-03

Red Hat Security Advisory 2024-4520-03 - The Migration Toolkit for Containers 1.7.16 is now available. Issues addressed include a memory exhaustion vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4520.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Migration Toolkit for Containers (MTC) 1.7.16 security and bug fix update  
Advisory ID:        RHSA-2024:4520-03  
Product:            Red Hat Migration Toolkit  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:4520  
Issue date:         2024-07-11  
Revision:           03  
CVE Names:          CVE-2023-45290  
====================================================================

Summary: 

The Migration Toolkit for Containers (MTC) 1.7.16 is now available.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

Description:

The Migration Toolkit for Containers (MTC) enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API.

Security Fix(es) from Bugzilla:

* webpack-dev-middleware: lack of URL validation may lead to file leak (CVE-2024-29180)

* golang: net/http: memory exhaustion in Request.ParseMultipartForm (CVE-2023-45290)

* golang: crypto/x509: Verify panics on certificates with an unknown public key algorithm (CVE-2024-24783)

* golang: net/mail: comments in display names are incorrectly handled (CVE-2024-24784)

* golang: html/template: errors returned from MarshalJSON methods may break template escaping (CVE-2024-24785)

* envoy: HTTP/2 CPU exhaustion due to CONTINUATION frame flood (CVE-2024-30255)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-45290

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2268017  
https://bugzilla.redhat.com/show_bug.cgi?id=2268019  
https://bugzilla.redhat.com/show_bug.cgi?id=2268021  
https://bugzilla.redhat.com/show_bug.cgi?id=2268022  
https://bugzilla.redhat.com/show_bug.cgi?id=2270863  
https://bugzilla.redhat.com/show_bug.cgi?id=2272986

Red Hat Security Advisory 2024-4520-03

Red Hat Security Advisory 2024-4329-03 - Red Hat OpenShift Container Platform release 4.14.32 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a bypass vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4329.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.14.32 bug fix and security update  
Advisory ID:        RHSA-2024:4329-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:4329  
Issue date:         2024-07-11  
Revision:           03  
CVE Names:          CVE-2023-48795  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.14.32 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.14.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.14.32. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHBA-2024:4332

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.14/release_notes/ocp-4-14-release-notes.html

Security Fix(es):

* openshift/telemeter: iss check during JWT authentication can be bypassed  
(CVE-2024-5037)  
* ssh: Prefix truncation attack on Binary Packet Protocol (BPP)  
(CVE-2023-48795)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.  
All OpenShift Container Platform 4.14 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.14/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

CVEs:

CVE-2023-48795

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2254210  
https://bugzilla.redhat.com/show_bug.cgi?id=2272339  
https://issues.redhat.com/browse/OCPBUGS-30259  
https://issues.redhat.com/browse/OCPBUGS-32472  
https://issues.redhat.com/browse/OCPBUGS-33942  
https://issues.redhat.com/browse/OCPBUGS-33964  
https://issues.redhat.com/browse/OCPBUGS-34885  
https://issues.redhat.com/browse/OCPBUGS-35012  
https://issues.redhat.com/browse/OCPBUGS-35183  
https://issues.redhat.com/browse/OCPBUGS-35290  
https://issues.redhat.com/browse/OCPBUGS-35365  
https://issues.redhat.com/browse/OCPBUGS-35401  
https://issues.redhat.com/browse/OCPBUGS-35475  
https://issues.redhat.com/browse/OCPBUGS-35482  
https://issues.redhat.com/browse/OCPBUGS-35520  
https://issues.redhat.com/browse/OCPBUGS-35549  
https://issues.redhat.com/browse/OCPBUGS-35553  
https://issues.redhat.com/browse/OCPBUGS-35723  
https://issues.redhat.com/browse/OCPBUGS-35750  
https://issues.redhat.com/browse/OCPBUGS-35826  
https://issues.redhat.com/browse/OCPBUGS-35827  
https://issues.redhat.com/browse/OCPBUGS-35877  
https://issues.redhat.com/browse/OCPBUGS-35889  
https://issues.redhat.com/browse/OCPBUGS-35913  
https://issues.redhat.com/browse/OCPBUGS-35957  
https://issues.redhat.com/browse/OCPBUGS-35989  
https://issues.redhat.com/browse/OCPBUGS-36356  
https://issues.redhat.com/browse/OCPBUGS-36369  
https://issues.redhat.com/browse/OCPBUGS-36416  
https://issues.redhat.com/browse/OCPBUGS-36464

Red Hat Security Advisory 2024-4329-03

Red Hat Security Advisory 2024-4505-03 - Moderate: An update for Red Hat Build of Apache Camel 4.4 for Quarkus 3.8 update is now available. The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4505.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: Red Hat Build of Apache Camel 4.4 for Quarkus 3.8 update (RHBQ 3.8.5.GA)  
Advisory ID:        RHSA-2024:4505-03  
Product:            Red Hat Build of Apache Camel  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:4505  
Issue date:         2024-07-11  
Revision:           03  
CVE Names:          CVE-2024-29857  
====================================================================

Summary: 

Moderate: An update for Red Hat Build of Apache Camel 4.4 for Quarkus 3.8 update is now available (RHBQ 3.8.5.GA).  
The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products.

Description:

An update for Red Hat Build of Apache Camel 4.4 for Quarkus 3.8 update is now available (RHBQ 3.8.5.GA).  
The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products:  
* CVE-2024-29857 org.bouncycastle:bcprov-jdk18on: org.bouncycastle: Importing an EC certificate with crafted F2m parameters may lead to Denial of Service  
* CVE-2024-30172 org.bouncycastle:bcprov-jdk18on: Infinite loop in ED25519 verification in the ScalarUtil class  
* CVE-2024-30171 org.bouncycastle-bcprov-jdk18on: bc-java: BouncyCastle vulnerable to a timing variant of Bleichenbacher (Marvin Attack)

Solution:

CVEs:

CVE-2024-29857

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/security/cve/CVE-2024-29857  
https://access.redhat.com/security/cve/CVE-2024-30172  
https://access.redhat.com/security/cve/CVE-2024-30171  
https://bugzilla.redhat.com/show_bug.cgi?id=2276360  
https://bugzilla.redhat.com/show_bug.cgi?id=2293025  
https://bugzilla.redhat.com/show_bug.cgi?id=2293028

Red Hat Security Advisory 2024-4505-03

Red Hat Security Advisory 2024-4504-03 - An update for httpd is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include a HTTP response splitting vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4504.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: httpd security updateAdvisory ID:        RHSA-2024:4504-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4504Issue date:         2024-07-11Revision:           03CVE Names:          CVE-2023-27522====================================================================Summary: An update for httpd is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.Security Fix(es):* httpd: mod_proxy_uwsgi HTTP response splitting (CVE-2023-27522)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-27522References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2176211

Red Hat Security Advisory 2024-4504-03

Red Hat Security Advisory 2024-4499-03 - An update for ruby is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4499.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: ruby security updateAdvisory ID:        RHSA-2024:4499-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4499Issue date:         2024-07-11Revision:           03CVE Names:          CVE-2023-36617====================================================================Summary: An update for ruby is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks.Security Fix(es):* rubygem-uri: ReDoS vulnerability - upstream's incomplete fix for CVE-2023-28755 (CVE-2023-36617)* ruby: Buffer overread vulnerability in StringIO (CVE-2024-27280)* ruby: RCE vulnerability with .rdoc_options in RDoc (CVE-2024-27281)* ruby: Arbitrary memory address read vulnerability with Regex search (CVE-2024-27282)* REXML: DoS parsing an XML with many `<`s in an attribute value (CVE-2024-35176)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-36617References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2218614https://bugzilla.redhat.com/show_bug.cgi?id=2270749https://bugzilla.redhat.com/show_bug.cgi?id=2270750https://bugzilla.redhat.com/show_bug.cgi?id=2276810https://bugzilla.redhat.com/show_bug.cgi?id=2280894

Red Hat Security Advisory 2024-4499-03

Red Hat Security Advisory 2024-4464-03 - Red Hat Advanced Cluster Management for Kubernetes 2.10.4 General Availability release images, which apply security fixes and fix bugs. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4464.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Low: Red Hat Advanced Cluster Management 2.10.4 security updates and bug fixes  
Advisory ID:        RHSA-2024:4464-03  
Product:            Red Hat ACM  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:4464  
Issue date:         2024-07-11  
Revision:           03  
CVE Names:          CVE-2023-45288  
====================================================================

Summary: 

Red Hat Advanced Cluster Management for Kubernetes 2.10.4 General  
Availability release images, which apply security fixes and fix bugs.

Red Hat Product Security has rated this update as having a security impact  
of Low. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

Description:

Red Hat Advanced Cluster Management for Kubernetes 2.10.4 images

Red Hat Advanced Cluster Management for Kubernetes provides the  
capabilities to address common challenges that administrators and site  
reliability engineers face as they work across a range of public and  
private cloud environments. Clusters and applications are all visible and  
managed from a single console—with security policy built in.

This advisory contains the container images for Red Hat Advanced Cluster  
Management for Kubernetes, which fix several bugs. See the following  
Release Notes documentation, which will be updated shortly for this  
release, for additional details about this release:

https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.10/html/release_notes/index

Security fix:

* golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS (CVE-2023-45288)

Jira issues addressed:

* ACM-11006: Trying to edit an Application from ACM console fails with error: 'Cannot read properties of undefined'

* ACM-11662 endpoint-observability-operator has an extra replicaset that keeps spawning pods that gets killed constantly, causing alerts to fire

* ACM-11961: Auto import of managed clusters remains stuck on switching hubs

* ACM-11986: Managed clusters created by RHACM do not reconnect to an AODP restored ACM on their own

* ACM-12133: Edit an existing appsub results on creating another subscription with errors

* ACM-12405: Unable to deploy Latest OCP 4.16 - generating manifests fails with 'GLIBC_2.34' not found

* ACM-12436: \"Could not start a watch request\" error when using OperatorPolicy

Solution:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.10/html-single/install/index#installing

CVEs:

CVE-2023-45288

References:

https://access.redhat.com/security/updates/classification/#low  
https://issues.redhat.com/browse/ACM-11006  
https://issues.redhat.com/browse/ACM-11662  
https://issues.redhat.com/browse/ACM-11961  
https://issues.redhat.com/browse/ACM-11986  
https://issues.redhat.com/browse/ACM-12028  
https://issues.redhat.com/browse/ACM-12091  
https://issues.redhat.com/browse/ACM-12133  
https://issues.redhat.com/browse/ACM-12258  
https://issues.redhat.com/browse/ACM-12405  
https://issues.redhat.com/browse/ACM-12436

Tag

#red_hat