SB2023062336 - Multiple vulnerabilities in OpenShift Container Platform 4.13

Main Vulnerability Database SB2023062336

SB2023062336 - Multiple vulnerabilities in OpenShift Container Platform 4.13

Published: June 23, 2023

Security Bulletin ID SB2023062336

Severity

High

Patch available

YES

Number of vulnerabilities 10

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 10 secuirty vulnerabilities.

1) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2022-41717)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to excessive memory growth when handling HTTP/2 server requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.

2) Resource management error (CVE-ID: CVE-2022-41724)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources in crypto/tls when handling large TLS handshake records. A remote attacker can send specially crafted data to the application and perform a denial of service (DoS) attack.

The vulnerability affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert).

3) Resource exhaustion (CVE-ID: CVE-2022-41725)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper control over internal resources in net/http and mime/multipart. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

4) Resource exhaustion (CVE-ID: CVE-2023-24534)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when parsing HTTP and MIME headers in net/textproto. A remote attacker can cause an HTTP server to allocate large amounts of memory from a small request and perform a denial of service (DoS) attack.

5) Resource management error (CVE-ID: CVE-2023-24536)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within mime/multipart and net/textproto components when parsing multipart forms. A remote attacker can pass specially crafted request to the application and perform a denial of service (DoS) attack.

6) Infinite loop (CVE-ID: CVE-2023-24537)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop when calling any of the Parse functions on Go source code which contains //line directives with very large line numbers. A remote attacker can consume all available system resources and cause denial of service conditions.

7) Code Injection (CVE-ID: CVE-2023-24538)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in html/template when handling JavaScript templates that contain backticks in code. If a template contains a Go template action within a JavaScript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary JavaScript code into the Go template.

8) Code Injection (CVE-ID: CVE-2023-24540)

The vulnerability allows a remote attacker to execute arbitrary JavaScript code.

The vulnerability exists due to improper input validation when processing whitespace characters. A remote attacker can send a specially crafted request and execute arbitrary JavaScript code.

9) Improper access control (CVE-ID: CVE-2023-27561)

The vulnerability allows a local user to compromise the target system.

The vulnerability exists due to improper access restrictions in the libcontainer/rootfs_linux.go. A local user can gain elevated privileges on the target system.

10) Improper access control (CVE-ID: CVE-2019-19921)

The vulnerability allows a local user to gain unauthorized access to sensitive information.

The vulnerability exists due to improper access restrictions, related to libcontainer/rootfs_linux.go in runc. A local user with ability to spawn two containers with custom volume-mount configurations, and run custom images can escalate privileges on the system.

Remediation

Install update from vendor's website.

References

https://access.redhat.com/errata/RHSA-2023:3612

Vulnerable Software

Red Hat OpenShift Container Platform: 4.13.0 - 4.13.3
runc (Red Hat package): before 1.1.6-4.rhaos4.13.el8
containernetworking-plugins (Red Hat package): before 1.0.1-7.rhaos4.13.el8
skopeo (Red Hat package): before 1.11.2-2.rhaos4.13.el8
podman (Red Hat package): before 4.4.1-4.rhaos4.13.el8
openshift (Red Hat package): before 4.13.0-202306072143.p0.g7d22122.assembly.stream.el8
cri-o (Red Hat package): before 1.26.3-9.rhaos4.13.git994242a.el8
conmon (Red Hat package): before 2.1.7-2.rhaos4.13.el8
buildah (Red Hat package): before 1.29.1-2.rhaos4.13.el8
kernel (Red Hat package): before 5.14.0-284.18.1.el9_2
kernel-rt (Red Hat package): before 5.14.0-284.18.1.rt14.303.el9_2