Multiple vulnerabilities in OpenShift Container Platform 4.9
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2021-4238 CVE-2022-41912 CVE-2023-0296 |
| CWE-ID | CWE-331 CWE-287 CWE-327 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Red Hat OpenShift Container Platform Client/Desktop applications / Software for system administration |
| Vendor | Red Hat Inc. |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Insufficient Entropy
EUVDB-ID: #VU71686
Risk: Low
CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-4238
CWE-ID:
CWE-331 - Insufficient Entropy
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient entropy when generating alphanumeric strings within RandomAlphaNumeric and CryptoRandomAlphaNumeric functions, which always return strings containing at least one digit from 0 to 9. A remote attacker can launch brute-force attacks and gain access to sensitive information.
Install updates from vendor's website.
Red Hat OpenShift Container Platform: 4.9.0 - 4.9.54
External linkshttp://access.redhat.com/errata/RHSA-2023:0574
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper Authentication
EUVDB-ID: #VU70697
Risk: High
CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-41912
CWE-ID:
CWE-287 - Improper Authentication
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to an error when processing SAML responses containing multiple Assertion elements. A remote attacker can bypass authentication process and gain unauthorized access to the application.
MitigationInstall updates from vendor's website.
Red Hat OpenShift Container Platform: 4.9.0 - 4.9.54
External linkshttp://access.redhat.com/errata/RHSA-2023:0574
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Use of a broken or risky cryptographic algorithm
EUVDB-ID: #VU71363
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-0296
CWE-ID:
CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exists due to usage of weak 64-bit block ciphers vulnerable to Birthday attack within the etcd grpc-proxy component. A remote attacker can perform MitM attack.
Install updates from vendor's website.
Red Hat OpenShift Container Platform: 4.9.0 - 4.9.54
External linkshttp://access.redhat.com/errata/RHSA-2023:0574
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
