SB2024062744 - Multiple vulnerabilities in Red Hat build of MicroShift 4.16 packages

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2024062744

SB2024062744 - Multiple vulnerabilities in Red Hat build of MicroShift 4.16 packages

Published: June 27, 2024

Security Bulletin ID SB2024062744
Severity
Medium
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 50% Low 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Infinite loop (CVE-ID: CVE-2024-24786)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop when parsing data in an invalid JSON format within the protojson.Unmarshal() function. A remote attacker can consume all available system resources and cause denial of service conditions.


2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2024-3177)

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to improper access restrictions. A remote user can launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated.

Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with containers, init containers, and ephemeral containers with the envFrom field populated.


Remediation

Install update from vendor's website.

References