SB2023010904 - Multiple vulnerabilities in OpenShift Container Platform 4.9

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2023010904

SB2023010904 - Multiple vulnerabilities in OpenShift Container Platform 4.9

Published: January 9, 2023 Updated: June 8, 2023

Security Bulletin ID SB2023010904
Severity
High
Patch available
YES
Number of vulnerabilities 7
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 14% Medium 71% Low 14%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 7 secuirty vulnerabilities.


1) OS Command Injection (CVE-ID: CVE-2022-26945)

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation. A remote attacker can pass specially crafted data to the application and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


2) Input validation error (CVE-ID: CVE-2022-30321)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an unspecified error. A remote attacker can perform a denial of service (DoS) attack.


3) Input validation error (CVE-ID: CVE-2022-30322)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an unspecified error. A remote attacker can perform a denial of service (DoS) attack.


4) Input validation error (CVE-ID: CVE-2022-30323)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an unspecified error. A remote attacker can perform a denial of service (DoS) attack.


5) Integer underflow (CVE-ID: CVE-2022-2639)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to integer underflow within the reserve_sfa_size() function in the openvswitch kernel module in Linux kernel. A local user can trigger an out-of-bounds read error and crash the system or escalate privileges.



6) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2022-24801)

The vulnerability allows a remote attacker to preform HTTP request smuggling attacks.

The vulnerability exists due to improper validation of HTTP requests within the twisted.web.http module. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.

Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.


7) Input validation error (CVE-ID: CVE-2022-34177)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to insufficient validation of user-supplied input in the "file" parameters. A remote user can create or replace arbitrary files on the Jenkins controller file system.


Remediation

Install update from vendor's website.

References