Red Hat OpenShift Container Platform 3.11 update for cri-o

Published: 2022-06-22
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2022-1708
CWE-ID CWE-400
Exploitation vector Network
Public exploit N/A
Vulnerable software
openshift-kuryr (Red Hat package)
Operating systems & Components / Operating system package or component

openshift-enterprise-cluster-capacity (Red Hat package)
Operating systems & Components / Operating system package or component

openshift-enterprise-autoheal (Red Hat package)
Operating systems & Components / Operating system package or component

openshift-ansible (Red Hat package)
Operating systems & Components / Operating system package or component

golang-github-prometheus-prometheus (Red Hat package)
Operating systems & Components / Operating system package or component

golang-github-prometheus-node_exporter (Red Hat package)
Operating systems & Components / Operating system package or component

golang-github-prometheus-alertmanager (Red Hat package)
Operating systems & Components / Operating system package or component

golang-github-openshift-oauth-proxy (Red Hat package)
Operating systems & Components / Operating system package or component

atomic-openshift-web-console (Red Hat package)
Operating systems & Components / Operating system package or component

atomic-openshift-service-idler (Red Hat package)
Operating systems & Components / Operating system package or component

atomic-openshift-node-problem-detector (Red Hat package)
Operating systems & Components / Operating system package or component

atomic-openshift-metrics-server (Red Hat package)
Operating systems & Components / Operating system package or component

atomic-openshift-dockerregistry (Red Hat package)
Operating systems & Components / Operating system package or component

atomic-openshift-descheduler (Red Hat package)
Operating systems & Components / Operating system package or component

atomic-openshift-cluster-autoscaler (Red Hat package)
Operating systems & Components / Operating system package or component

atomic-openshift (Red Hat package)
Operating systems & Components / Operating system package or component

atomic-enterprise-service-catalog (Red Hat package)
Operating systems & Components / Operating system package or component

cri-o (Red Hat package)
Operating systems & Components / Operating system package or component

Red Hat OpenShift Container Platform
Client/Desktop applications / Software for system administration

Vendor Red Hat Inc.

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Resource exhaustion

EUVDB-ID: #VU64008

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-1708

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because the application does not properly control the consumption of internal resources when handling the ExecSync request. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

openshift-kuryr (Red Hat package): 3.11.153-1.git.1.073ef06.el7 - 3.11.705-1.g0c4bf66.el7

openshift-enterprise-cluster-capacity (Red Hat package): 3.11.16-1.git.380.1406f2f.el7 - 3.11.705-1.g22be164.el7

openshift-enterprise-autoheal (Red Hat package): 3.11.16-1.git.219.5443970.el7 - 3.11.705-1.gf2f435d.el7

openshift-ansible (Red Hat package): 3.11.16-1.git.0.4ac6f81.el7 - 3.11.705-1.git.0.ad19a48.el7

golang-github-prometheus-prometheus (Red Hat package): 3.11.16-1.git.5020.5e81ed1.el7 - 3.11.705-1.g99aae51.el7

golang-github-prometheus-node_exporter (Red Hat package): 3.11.16-1.git.1056.1583d2a.el7 - 3.11.705-1.g609cd20.el7

golang-github-prometheus-alertmanager (Red Hat package): 3.11.16-1.git.0.be735ec.el7 - 3.11.705-1.g13de638.el7

golang-github-openshift-oauth-proxy (Red Hat package): 3.11.16-1.git.409.922769e.el7 - 3.11.705-1.gedebe84.el7

atomic-openshift-web-console (Red Hat package): 3.11.16-1.git.289.ecf7441.el7 - 3.11.705-1.ge59c860.el7

atomic-openshift-service-idler (Red Hat package): 3.11.16-1.git.14.a65cbf0.el7 - 3.11.705-1.g39cfc66.el7

atomic-openshift-node-problem-detector (Red Hat package): 3.11.16-1.git.198.95f4dfa.el7 - 3.11.705-1.gc8f26da.el7

atomic-openshift-metrics-server (Red Hat package): 3.11.16-1.git.52.9fd74a8.el7 - 3.11.705-1.gf8bf728.el7

atomic-openshift-dockerregistry (Red Hat package): 3.11.51-1.git.446.d29ce0e.el7 - 3.11.705-1.g0fa231c.el7

atomic-openshift-descheduler (Red Hat package): 3.11.16-1.git.300.abfab3c.el7 - 3.11.705-1.gd435537.el7

atomic-openshift-cluster-autoscaler (Red Hat package): 3.11.16-1.git.0.8c8305e.el7 - 3.11.705-1.g99b2acf.el7

atomic-openshift (Red Hat package): 3.11.16-1.git.0.b48b8f8.el7 - 3.11.705-1.git.0.7a17a5d.el7

atomic-enterprise-service-catalog (Red Hat package): 3.11.16-1.git.1633.05087cb.el7 - 3.11.705-1.g2e6be86.el7

Red Hat OpenShift Container Platform: 3.11.0 - 3.11.705

cri-o (Red Hat package): 1.11.16-0.2.dev.rhaos3.11.git3f89eba.el7 - 1.11.16-0.16.rhaos3.11.git54f9e69.el7

External links

http://access.redhat.com/errata/RHSA-2022:4999


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.