SB2020050431 - Red Hat OpenShift Container Platform 4.4 update for cri-o 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2020050431

SB2020050431 - Red Hat OpenShift Container Platform 4.4 update for cri-o

Published: May 4, 2020

Security Bulletin ID SB2020050431
Severity
High
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 50% Medium 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Resource exhaustion (CVE-ID: CVE-2020-1702)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application reads the entire image manifest file into memory. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack by supplying a huge manifest file.


2) Use-after-free (CVE-ID: CVE-2020-8945)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error, as demonstrated by use for container image pulls by Docker or CRI-O. A remote attacker can crash the target system, or cause potential code execution for Go applications that use this library under certain conditions during GPG signature verification.


Remediation

Install update from vendor's website.

References