ID

VAR-202302-0482

CVE

CVE-2022-4304

TITLE

OpenSSL  side-channel vulnerabilities in

DESCRIPTION

A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection. (CVE-2022-4304) A use-after-free vulnerability was found in OpenSSL's BIO_new_NDEF function. Under certain conditions. (CVE-2023-0286). OpenSSL Security Advisory [7th February 2023] ============================================= X.400 address type confusion in X.509 GeneralName (CVE-2023-0286) ================================================================= Severity: High There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network. OpenSSL versions 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. OpenSSL 3.0 users should upgrade to OpenSSL 3.0.8. OpenSSL 1.1.1 users should upgrade to OpenSSL 1.1.1t. OpenSSL 1.0.2 users should upgrade to OpenSSL 1.0.2zg (premium support customers only). This issue was reported on 11th January 2023 by David Benjamin (Google). The fix was developed by Hugo Landau. OpenSSL 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. OpenSSL 3.0 users should upgrade to OpenSSL 3.0.8. OpenSSL 1.1.1 users should upgrade to OpenSSL 1.1.1t. OpenSSL 1.0.2 users should upgrade to OpenSSL 1.0.2zg (premium support customers only). An initial report of a possible timing side channel was made on 14th July 2020 by Hubert Kario (Red Hat). A refined report identifying a specific timing side channel was made on 15th July 2022 by Hubert Kario. The fix was developed by Dmitry Belyavsky (Red Hat) and Hubert Kario. X.509 Name Constraints Read Buffer Overflow (CVE-2022-4203) =========================================================== Severity: Moderate A read buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. The read buffer overrun might result in a crash which could lead to a denial of service attack. In theory it could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext) although we are not aware of any working exploit leading to memory contents disclosure as of the time of release of this advisory. OpenSSL versions 3.0.0 to 3.0.7 are vulnerable to this issue. OpenSSL 3.0 users should upgrade to OpenSSL 3.0.8. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue. This issue was reported to OpenSSL on 3rd November 2022 by Corey Bonnell from Digicert. The fix was developed by Viktor Dukhovni. Use-after-free following BIO_new_NDEF (CVE-2023-0215) ===================================================== Severity: Moderate The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash. This scenario occurs directly in the internal function B64_write_ASN1() which may cause BIO_new_NDEF() to be called and will subsequently call BIO_pop() on the BIO. This internal function is in turn called by the public API functions PEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream, SMIME_write_ASN1, SMIME_write_CMS and SMIME_write_PKCS7. Other public API functions that may be impacted by this include i2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream and i2d_PKCS7_bio_stream. The OpenSSL cms and smime command line applications are similarly affected. OpenSSL 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. OpenSSL 3.0 users should upgrade to OpenSSL 3.0.8. OpenSSL 1.1.1 users should upgrade to OpenSSL 1.1.1t. OpenSSL 1.0.2 users should upgrade to OpenSSL 1.0.2zg (premium support customers only). This issue was reported on 29th November 2022 by Octavio Galland and Marcel Böhme (Max Planck Institute for Security and Privacy). The fix was developed by Viktor Dukhovni and Matt Caswell. Double free after calling PEM_read_bio_ex (CVE-2022-4450) ========================================================= Severity: Moderate The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0. The OpenSSL asn1parse command line application is also impacted by this issue. OpenSSL 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 3.0 users should upgrade to OpenSSL 3.0.8. OpenSSL 1.1.1 users should upgrade to OpenSSL 1.1.1t. OpenSSL 1.0.2 is not affected by this issue. This issue was discovered by CarpetFuzz and reported on 8th December 2022 by Dawei Wang. The fix was developed by Kurt Roeckx and Matt Caswell. Invalid pointer dereference in d2i_PKCS7 functions (CVE-2023-0216) ================================================================== Severity: Moderate An invalid pointer dereference on read can be triggered when an application tries to load malformed PKCS7 data with the d2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions. The result of the dereference is an application crash which could lead to a denial of service attack. The TLS implementation in OpenSSL does not call this function however third party applications might call these functions on untrusted data. OpenSSL versions 3.0.0 to 3.0.7 are vulnerable to this issue. OpenSSL 3.0 users should upgrade to OpenSSL 3.0.8. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue. This issue was reported on 27th December 2022 by Marc Schönefeld. The fix was developed by Tomas Mraz. NULL dereference validating DSA public key (CVE-2023-0217) ========================================================== Severity: Moderate An invalid pointer dereference on read can be triggered when an application tries to check a malformed DSA public key by the EVP_PKEY_public_check() function. This will most likely lead to an application crash. This function can be called on public keys supplied from untrusted sources which could allow an attacker to cause a denial of service attack. The TLS implementation in OpenSSL does not call this function but applications might call the function if there are additional security requirements imposed by standards such as FIPS 140-3. OpenSSL versions 3.0.0 to 3.0.7 are vulnerable to this issue. OpenSSL 3.0 users should upgrade to OpenSSL 3.0.8. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue. This issue was reported on 27th December 2022 by Kurt Roeckx. The fix was developed by Shane Lontis from Oracle. NULL dereference during PKCS7 data verification (CVE-2023-0401) =============================================================== Severity: Moderate A NULL pointer can be dereferenced when signatures are being verified on PKCS7 signed or signedAndEnveloped data. In case the hash algorithm used for the signature is known to the OpenSSL library but the implementation of the hash algorithm is not available the digest initialization will fail. There is a missing check for the return value from the initialization function which later leads to invalid usage of the digest API most likely leading to a crash. The unavailability of an algorithm can be caused by using FIPS enabled configuration of providers or more commonly by not loading the legacy provider. PKCS7 data is processed by the SMIME library calls and also by the time stamp (TS) library calls. The TLS implementation in OpenSSL does not call these functions however third party applications would be affected if they call these functions to verify signatures on untrusted data. OpenSSL versions 3.0.0 to 3.0.7 are vulnerable to this issue. OpenSSL 3.0 users should upgrade to OpenSSL 3.0.8. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue. This issue was reported on 13th January 2023 by Hubert Kario and Dmitry Belyavsky (Red Hat). The fix was developed by Tomas Mraz. References ========== URL for this Security Advisory: https://www.openssl.org/news/secadv/20230207.txt Note: the online version of the advisory may be updated with additional details over time. For details of OpenSSL severity classifications please see: https://www.openssl.org/policies/general/security-policy.html . ========================================================================== Ubuntu Security Notice USN-6564-1 January 03, 2024 nodejs vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 22.04 LTS Summary: Several security issues were fixed in Node.js. Software Description: - nodejs: An open-source, cross-platform JavaScript runtime environment. Details: Hubert Kario discovered that Node.js incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to obtain sensitive information. (CVE-2022-4304) CarpetFuzz, Dawei Wang discovered that Node.js incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. (CVE-2022-4450) Octavio Galland and Marcel Böhme discovered that Node.js incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. (CVE-2023-0215) David Benjamin discovered that Node.js incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to obtain sensitive information. (CVE-2023-0286) Hubert Kario and Dmitry Belyavsky discovered that Node.js incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. (CVE-2023-0401) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 22.04 LTS: libnode-dev 12.22.9~dfsg-1ubuntu3.3 libnode72 12.22.9~dfsg-1ubuntu3.3 nodejs 12.22.9~dfsg-1ubuntu3.3 In general, a standard system update will make all the necessary changes. JIRA issues fixed (https://issues.redhat.com/): OCPBUGS-10326 - Re-enable operator-install-single-namespace.spec.ts test OCPBUGS-11143 - [Azure] Replace master failed as new master did not add into lb backend OCPBUGS-11974 - User telemetry is broken (inaccurate) due to the fact that page titles are not unique. OCPBUGS-12206 - [4.13] Keep systemd journal using LZ4 compression (via new env var) OCPBUGS-12256 - ptp operator socket management need rework since a few test case fails due to cleaning up the file before other processes are terminated. OCPBUGS-12743 - [4.13] SNO cluster deployment failing due to authentication and console CO in degraded state OCPBUGS-12785 - [release-4.13] Enable/Disable plugin options are not shown on Operator details page OCPBUGS-13311 - Kubelet CA file not written by MCD firstboot OCPBUGS-13323 - [4.13] Bootimage bump tracker OCPBUGS-13642 - [release-4.13] OLM k8sResourcePrefix x-descriptor dropdown unexpectedly clears selections OCPBUGS-13747 - [4.13] cgroupv1 support for cpu balancing is broken for non-SNO nodes OCPBUGS-13752 - AdditionalTrustBundle is only included when doing mirroring OCPBUGS-13809 - OVN image pre-puller pod uses `imagePullPolicy: Always` and blocks upgrade when there is no registry OCPBUGS-13812 - [azure] Installer doesn't validate diskType on ASH which lead to install fails with unsupported disktype OCPBUGS-14030 - Invalid CA certificate bundle provided by service account token OCPBUGS-14166 - Make Serverless form is broken OCPBUGS-14189 - Route Checkbox getting checked even if it is unchecked during editing the Serverless Function form OCPBUGS-14251 - Add new console metrics to cluster-monitoring-operator telemetry configuration (4.13) OCPBUGS-14267 - [Openshift Pipelines] Metrics page is broken OCPBUGS-14310 - Could not import multiple resources via JSON (while YAML supports this) OCPBUGS-14318 - [release-4.13] gather podDisruptionBudget only from openshift namespaces OCPBUGS-14336 - [Openshift Pipelines] Link to Openshift Route from service is breaking because of hardcoded value of targetPort OCPBUGS-14426 - Failed to list Kepler CSV OCPBUGS-14459 - The MCD repeats a "State and Reason" log line even when nothing is happening OCPBUGS-14482 - Sync RHEL9 Dockerfiles to regular Dockerfiles OCPBUGS-14598 - Update Jenkins to use 4.13 images OCPBUGS-14773 - (release-4.13) gather "gateway-mode-config" config map from "openshift-network-operator" namespace OCPBUGS-14867 - When installing SNO with bootstrap in place it takes cluster-policy-controller 6 minutes to acquire the leader lease OCPBUGS-14916 - images: RHEL-8-based container image is broken OCPBUGS-14943 - visiting Configurations page returns error Cannot read properties of undefined (reading 'apiGroup') OCPBUGS-15031 - (release-4.13) Insights config not correctly deserialized OCPBUGS-15101 - IngressVIP getting attach to two nodes at once OCPBUGS-15130 - Helm Repository "Edit" button results in 404 OCPBUGS-15139 - The whereabouts-reconciler should not set an hard-coded node selector on the kubernetes.io/architecture label OCPBUGS-15161 - CPMS: Surface cpms vs machine diff OCPBUGS-15171 - CPO doesn't skip AWS resource deletion for 'Unknown' OIDC state OCPBUGS-15187 - images: RHEL-8 container image is missing `xz` OCPBUGS-15224 - [4.13] openvswitch user is not in the hugetblfs group OCPBUGS-15225 - while/after upgrading to OKD 4.11 2023-01-14 CoreDNS has a problem with UDP overflows OCPBUGS-15228 - Create helm release page doesn't show a YAML editor when schema isn't available (httpd-imagestreams chart) OCPBUGS-15230 - Allow installer to use existing Azure NSG during OpenShift IPI install OCPBUGS-15246 - Bump to kubernetes 1.26.6 OCPBUGS-15281 - Leftover IngressController Preventing Clean Uninstall OCPBUGS-15289 - GCP XPN Installs Require bindPrivateDNSZone Permission in host project OCPBUGS-15330 - CPMSO: fix linting issue comment in test OCPBUGS-15335 - PipelineRun failed with log 'Tasks Completed: 3 (Failed: 1, Cancelled 0), Skipped: 1.' OCPBUGS-15360 - Serverless functions UI warning is misleading OCPBUGS-15372 - [4.13z] Duplicate acls cause network policy failure for namespaces with long names (>61 chars) OCPBUGS-15376 - [4.13] Cleanup Tech debt: remove unused repo code OCPBUGS-15410 - [release-4.13] Add Git Repository (PAC) doesn't setup GitLab and Bitbucket configuration correct OCPBUGS-15434 - [GWAPI] [4.13.z] The DNS provider failed to ensure the record, invalid value for name (gcp) OCPBUGS-15457 - python-grpcio and python-protobuf are unneeded dependencies OCPBUGS-15463 - [release-4.13] Unable to set protectKernelDefaults from "true" to "false" in kubelet.conf [release-4.13] OCPBUGS-15465 - [CI Watcher] Testing uninstall of Business Automation Operator "attempts to uninstall the Operator and delete all Operand Instances, shows 'Error Deleting Operands' alert" OCPBUGS-15476 - Network Operator not setting its version and blocking upgrade completion OCPBUGS-15481 - [CI Watcher] Broken pipeline-plugin e2e tests: PipelineResource CRD isn't installed anymore OCPBUGS-15512 - HCP Service Loadbalancer uses default SecurityGroup OCPBUGS-15515 - CI fails on TestAWSELBConnectionIdleTimeout OCPBUGS-15557 - TUI stuck on agent installer network boot setup OCPBUGS-15580 - updated nmstate builds will not work for MCO OCPBUGS-15585 - [4.13] Cannot fix a misconfigured Egress Firewall OCPBUGS-15586 - [4.13] NetworkPolicy not working as expected when allowing inbound traffic from any namespace OCPBUGS-15589 - Dynamic conversion webhook clientConfig not retained as operator installs OCPBUGS-15591 - GCP bootstrap VM should allow SecureBoot setting on 4.13 clusters OCPBUGS-15606 - Can't use git lfs in BuildConfig git source with strategy Docker OCPBUGS-15608 - [release-4.13] Clean up old RHEL9 dockerfiles to reduce confusion OCPBUGS-15720 - Helm Chart installation form hangs on create if JSON-schema is using 2019-09 or 2020-20 standard revisions OCPBUGS-15721 - Helm Chart installation form hangs on create if JSON-schema contains unknown value format OCPBUGS-15722 - Helm Chart installation screen fails to render if JSON schema contains remote $refs OCPBUGS-15734 - [4.13] binary should be compiled on RHEL9 OCPBUGS-15736 - TuneD reverts node level profiles on termination OCPBUGS-15738 - tuned daemonset rprivate default mount propagation with `hostPath: path: /` volumeMount breaks CSI driver relying on multipath OCPBUGS-15746 - Alibaba clusters are TechPreview and should not be upgradeable OCPBUGS-15756 - [release-4.13] Bump Jenkins and Jenkins Agent Base image versions OCPBUGS-15777 - ironic-agent-image PRs permafailing due to udevadm command missing OCPBUGS-15782 - [OSD] There is no error message shown on node label edit modal OCPBUGS-15787 - Project admins cannot see 'Pipelines' section in 'import from git' from RHOCP4 web console OCPBUGS-15808 - [4.13.x] Downstream OLM PSA plug-in is disabled OCPBUGS-15848 - The upgrade Helm Release tab in OpenShift GUI Developer console is not refreshing with updated values. OCPBUGS-15892 - 9% of OKD tests failing on error: tag latest failed: Internal error occurred: registry.centos.org/dotnet/dotnet-31-centos7:latest: Get "https://registry.centos.org/v2/": dial tcp: lookup registry.centos.org on 172.30.0.10:53: no such host OCPBUGS-15962 - ovn-k8s-cni-overlay: /lib64/libc.so.6: version `GLIBC_2.34' not found on 4.12-to-4.13 OCPBUGS-15965 - Active Endpoint Connection blocks cluster uninstallation OCPBUGS-16084 - [4.13] OCP 4.14.0-ec.3 machine-api-controller pod crashing OCPBUGS-7762 - openshift-tests does not file Azure Disk zone topology 6. Bug Fix(es): * [4.12] must-gather doesn't collect ruletebles (BZ#2208641) * nft rules are not collected if the VMs are running in the node where must-gather is running (BZ#2214454) * [cnv-4.12] kubevirt should allow setting cluster-wide virt-launcher runtimeclass (BZ#2217913) * USB-redirection regression (BZ#2221222) 3. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. Bugs fixed (https://bugzilla.redhat.com/): 2027959 - [RFE] virt-launcher pod of Windows VM stuck in terminating state, no button in the UI to force power off 2182056 - Cloned VM should not use the same PVC of the source VM 2196027 - CVE-2023-24540 golang: html/template: improper handling of JavaScript whitespace 2208641 - [4.12] must-gather doesn't collect ruletebles 2209318 - [4.12.z] VM connected to a VLAN is also receiving packets from VLAN 1 2209848 - OpenShift Virtualization Overview page shows no metrics for "All Projects" 2212085 - CVE-2023-3089 openshift: OCP & FIPS mode 2214454 - nft rules are not collected if the VMs are running in the node where must-gather is running 2216447 - must-gather: Multiple empty files under vms/<vm-name> if the VM was live migrated 2216449 - must-gather is using unavailable brctl command 2217913 - [cnv-4.12] kubevirt should allow setting cluster-wide virt-launcher runtimeclass 2220843 - [4.12]Missing StorageProfile defaults for IBM and AWS EFS CSI provisioners 2221222 - USB-redirection regression 2222011 - [4.12]DataImportCron Garbage Collection can mistakenly delete latest PVC 5. Solution: For instructions on how to install and use OpenShift Serverless, see documentation linked from the References section. Bugs fixed (https://bugzilla.redhat.com/): 2174485 - CVE-2023-25173 containerd: Supplementary groups are not set up properly 2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding 2178488 - CVE-2022-41725 golang: net/http, mime/multipart: denial of service from excessive resource consumption 2178492 - CVE-2022-41724 golang: crypto/tls: large handshake records may cause panics 2184481 - CVE-2023-24538 golang: html/template: backticks not treated as string delimiters 2184482 - CVE-2023-24536 golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption 2184483 - CVE-2023-24534 golang: net/http, net/textproto: denial of service from excessive memory allocation 2184484 - CVE-2023-24537 golang: go/parser: Infinite loop in parsing 2185507 - Release of OpenShift Serverless Serving 1.29.0 2185509 - Release of OpenShift Serverless Eventing 1.29.0 5. Relevant releases/architectures: Red Hat Enterprise Linux AppStream (v. 9) - noarch Red Hat Enterprise Linux CRB (v. 9) - aarch64, noarch, x86_64 3. Description: EDK (Embedded Development Kit) is a project to enable UEFI support for Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1960321 - CVE-2021-38578 edk2: integer underflow in SmmEntryPoint function leads to potential SMM privilege escalation 1983086 - Assertion failure when creating 1024 VCPU VM: [...]UefiCpuPkg/CpuMpPei/CpuBist.c(186): !EFI_ERROR (Status) 2125336 - Please add edk2-aarch64 and edk2-tools to CRB in RHEL 9 2132951 - edk2: Sort traditional virtualization builds before Confidential Computing builds 2157656 - [edk2] [aarch64] Unable to initialize EFI firmware when using edk2-aarch64-20221207gitfff6d81270b5-1.el9 in some hardwares 2162307 - Broken GRUB output on a serial console 2164440 - CVE-2023-0286 openssl: X.400 address type confusion in X.509 GeneralName 2164487 - CVE-2022-4304 openssl: timing attack in RSA Decryption implementation 2164492 - CVE-2023-0215 openssl: use-after-free following BIO_new_NDEF 2164494 - CVE-2022-4450 openssl: double free after calling PEM_read_bio_ex 2168046 - [edk2] BIOS Release Date string is unexpected length 2174605 - [EDK2] disable dynamic mmio window 6. Package List: Red Hat Enterprise Linux AppStream (v. 9): Source: edk2-20221207gitfff6d81270b5-9.el9_2.src.rpm noarch: edk2-aarch64-20221207gitfff6d81270b5-9.el9_2.noarch.rpm edk2-ovmf-20221207gitfff6d81270b5-9.el9_2.noarch.rpm Red Hat Enterprise Linux CRB (v. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. Bugs fixed (https://bugzilla.redhat.com/): 1971033 - CVE-2021-20329 mongo-go-driver: specific cstrings input may not be properly validated 2126276 - CVE-2021-43138 async: Prototype Pollution in async 2126277 - CVE-2022-25858 terser: insecure use of regular expressions leads to ReDoS 2150323 - CVE-2022-24999 express: "qs" prototype poisoning causes the hang of the node process 5. JIRA issues fixed (https://issues.redhat.com/): OSSM-3596 - Port istio-cni fix for RHEL9 to maistra-2.2 OSSM-3720 - Port egress-gateway wrong network gateway endpoints fix in maistra-2.2 OSSM-3783 - operator can deadlock when istiod deployment fails [maistra-2.2] 6. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: OpenShift Container Platform 4.13.4 bug fix and security update Advisory ID: RHSA-2023:3614-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2023:3614 Issue date: 2023-06-22 CVE Names: CVE-2022-4304 CVE-2022-4450 CVE-2022-41723 CVE-2023-0215 CVE-2023-0361 CVE-2023-24329 CVE-2023-24540 ===================================================================== 1. Summary: Red Hat OpenShift Container Platform release 4.13.4 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a security impact of [impact]. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.13.4. See the following advisory for the RPM packages for this release: https://access.redhat.com/errata/RHSA-2023:3612 Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes: https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html Security Fix(es): * net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (CVE-2022-41723) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. All OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html 3. Solution: For OpenShift Container Platform 4.13 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html You may download the oc tool and use it to inspect release image metadata for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests may be found at https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags. The sha values for the release are (For x86_64 architecture) The image digest is sha256:e3fb8ace9881ae5428ae7f0ac93a51e3daa71fa215b5299cd3209e134cadfc9c (For s390x architecture) The image digest is sha256:52f4c09586047c61465a24ceed2f5724024f5a5ef25da46e6078330f0dac08b2 (For ppc64le architecture) The image digest is sha256:24763eafbee5a36c699bff8f4103bcfcd8fec9ef0c7fe30c0ab5c208bdab7044 (For aarch64 architecture) The image digest is sha256:13b14f0514d24d241d40ebacac9f15f93acebc4a7849e4740df49e65e48af424 All OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html 4. Bugs fixed (https://bugzilla.redhat.com/): 2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding 5. JIRA issues fixed (https://issues.redhat.com/): OCPBUGS-11116 - [RHOCP 4.13] MetalLB operator should be able to run other than default service account OCPBUGS-11768 - [4.13] RHCOS misses udev rules for GCE PD NVMe disks OCPBUGS-11824 - MetalLB operator doesnt show up when disconnected env is selected in operator hub OCPBUGS-13374 - [4.13] Forced BMH reboot fails when image URL has changed OCPBUGS-14024 - Master stuck in a creating/deleting loop when drop vmsize field from the CPMS providerSpec OCPBUGS-14298 - Upgrade to OCP 4.13.0 stuck due to machine-config error 'failed to run- nmstatectl: exit status 1' OCPBUGS-14357 - [4.13] configure-ovs blocks ssh access to the node when unhealthy OCPBUGS-14410 - It must be possible to append a piece of FRR configuration to what MetalLB renders OCPBUGS-14436 - Metric for control plane upgrade time OCPBUGS-14490 - HostedClusterConfigOperator doesn't check OperatorHub object in the Hosted Cluster OCPBUGS-14571 - Check permission and accessibility of non-default SCs on vSphere platform for CSI OCPBUGS-14589 - container_network* metrics stop reporting after container restart OCPBUGS-14620 - KCM is not aware of the AWS Region ap-southeast-3 OCPBUGS-14635 - Maximum Number Of Egress IPs Supported OCPBUGS-14651 - disable debug pporf with unauthenticated port OCPBUGS-14672 - Should update with --include-local-oci-catalogs for --oci-registries-config options OCPBUGS-14801 - KCM is not aware of the AWS Region ap-southeast-3 OCPBUGS-14830 - MetalLB has a bad CSV for 4.13.3. Invalid service account OCPBUGS-14850 - Unable to do post-copy migration OCPBUGS-14860 - GCP XPN Private Cluster fails with no public zone OCPBUGS-14872 - Hypershift operator should honor 'hostedcluster.spec.configuration.ingress.loadBalancer.platform.aws.type' OCPBUGS-14895 - Do not fail creating cgroups OCPBUGS-14981 - place holder for log linking in 4.13.4 OCPBUGS-8681 - [GWAPI] the gateway pod and service are still there after deleting gateway resource 6. References: https://access.redhat.com/security/cve/CVE-2022-4304 https://access.redhat.com/security/cve/CVE-2022-4450 https://access.redhat.com/security/cve/CVE-2022-41723 https://access.redhat.com/security/cve/CVE-2023-0215 https://access.redhat.com/security/cve/CVE-2023-0361 https://access.redhat.com/security/cve/CVE-2023-24329 https://access.redhat.com/security/cve/CVE-2023-24540 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/articles/11258 7. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBZJVrjNzjgjWX9erEAQhIHhAAhCXJNMPx8UUsQ4Zff6rFht4F3T7JTNYA BXxVKEeeuD0lVGhCDoolyeEZpN3qePrNvBhbl0YjBCbz0114y3bqaKA9vljIkeRT 5bzmyTlViCiwCoTy82kadUIi9+YvXoI3LEWmWEeOeGZFSpwM2OMpflJ591FJIwFt 9szRX9TWkzF3DoGH/GOVv1h2oLHMNquBE3/5vhosLCZ5o65V7F+TWz8UbVsgfHPV imszrxicBgsrKsAhql1Owr4T5TXcwM0xRXDnaxnnipb3eecXjZDpPf/nIjgumEjw cyE2LPQ9wQZ5e5QGRi+FThWYDpN2hsc9s1ymAzYc1dU7N3veXtKOMOAXsl0e9ePL zH7SAnbWiqI3MzQSO1An28DSqN6vg3aSW8WW+z6ti7QJQRiHqb7JiO/Mb33OqbI7 Bb2zoPy7WIJlrQCda3HfwzZfrhj70qQjqIx3Dtjx/12ZzPtI9bo4eSNBeW6Xkw/E c0iwkO412zsWaqLbvue90lrb+fSA6hMVjv7YtG/b2tFbXEigk9kA9OAmkNBA/n76 l7Fd8GUX6sA0OUMOMCOhsrtfxz10BHopMMxEuFcQh3EZDMzsrVvNjqSr0Shxv4Xx wB4gh3SS5eWT6cKC8P29Ly0PTnpI0GJ74o3odFjbEV1lpqs6vynDtjW9SyUICPeE R6c9v/00vMo= =P9KS -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

overflow

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Red Hat

SOURCES

LAST UPDATE DATE

2025-07-04T21:13:57.177000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE