Multiple vulnerabilities in OpenShift Container Platform 4.13



Published: 2023-08-31
Risk Medium
Patch available YES
Number of vulnerabilities 3
CVE-ID CVE-2022-41723
CVE-2022-27664
CVE-2023-3899
CWE-ID CWE-400
CWE-20
CWE-863
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		Red Hat OpenShift Container Platform
Client/Desktop applications / Software for system administration

Vendor Red Hat Inc.

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Resource exhaustion

EUVDB-ID: #VU72686

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-41723

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources in the HPACK decoder. A remote attacker can send a specially crafted HTTP/2 stream to the application, cause resource exhaustion and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Red Hat OpenShift Container Platform: 4.13.0 - 4.13.9

Fixed software versions

CPE2.3 External links

http://access.redhat.com/errata/RHSA-2023:4731


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Input validation error

EUVDB-ID: #VU67396

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-27664

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Red Hat OpenShift Container Platform: 4.13.0 - 4.13.9

Fixed software versions

CPE2.3 External links

http://access.redhat.com/errata/RHSA-2023:4731


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

3) Incorrect authorization

EUVDB-ID: #VU79878

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2023-3899

CWE-ID:

Exploit availability:

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to incorrect authorization caused by D-Bus interface com.redhat.RHSM1 that exposes a significant number of methods to all users. A local user can abuse the com.redhat.RHSM1.Config.SetAll() method to change the state of the registration and escalate privileges on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Red Hat OpenShift Container Platform: 4.13.0 - 4.13.9

Fixed software versions

CPE2.3 External links

http://access.redhat.com/errata/RHSA-2023:4731


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###