SB2023070604 - Multiple vulnerabilities in OpenShift Container Platform 4.10

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2022-41717)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to excessive memory growth when handling HTTP/2 server requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.

2) Inadequate Encryption Strength (CVE-ID: CVE-2023-3089)

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists within the OpenShift container platform configuration with enabled FIPS mode, which resulted in usage of not validated cryptographic modules. A remote attacker can perform various attacks against not validated cryptographic modules and gain access to sensitive information.

3) Code Injection (CVE-ID: CVE-2023-24540)

The vulnerability allows a remote attacker to execute arbitrary JavaScript code.

The vulnerability exists due to improper input validation when processing whitespace characters. A remote attacker can send a specially crafted request and execute arbitrary JavaScript code.

Remediation

Install update from vendor's website.

References

• https://access.redhat.com/errata/RHSA-2023:3910"
• https://access.redhat.com/errata/RHSA-2023:3910</a></p><p>
• https://access.redhat.com/errata/RHSA-2023:3911</p><p><br></p>