SB2023032255 - OpenShift Container Platform 4.11 update for GoUtils 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2023032255

SB2023032255 - OpenShift Container Platform 4.11 update for GoUtils

Published: March 22, 2023

Security Bulletin ID SB2023032255
Severity
Medium
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 50% Low 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Insufficient Entropy (CVE-ID: CVE-2021-4238)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to insufficient entropy when generating alphanumeric strings within RandomAlphaNumeric and CryptoRandomAlphaNumeric functions, which always return strings containing at least one digit from 0 to 9. A remote attacker can launch brute-force attacks and gain access to sensitive information.


2) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2023-25725)

The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.

The vulnerability exists due to improper validation of HTTP/1 requests. A remote attacker can send a specially crafted HTTP request with empty fields, which could be used to truncate the list of HTTP headers and thus make some headers disappear after being parsed and processed for HTTP/1.0 and HTTP/1.1

Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.


Remediation

Install update from vendor's website.

References