OpenShift Container Platform 4.11 update for golang



Published: 2022-08-24
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2022-30629
CWE-ID CWE-330
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		Red Hat OpenShift Container Platform
Client/Desktop applications / Software for system administration

openshift-kuryr (Red Hat package)
Operating systems & Components / Operating system package or component

openshift-clients (Red Hat package)
Operating systems & Components / Operating system package or component

openshift-ansible (Red Hat package)
Operating systems & Components / Operating system package or component

openshift (Red Hat package)
Operating systems & Components / Operating system package or component

ignition (Red Hat package)
Operating systems & Components / Operating system package or component

cri-o (Red Hat package)
Operating systems & Components / Operating system package or component

console-login-helper-messages (Red Hat package)
Operating systems & Components / Operating system package or component

butane (Red Hat package)
Operating systems & Components / Operating system package or component

python-kubernetes (Red Hat package)
Operating systems & Components / Operating system package or component

NetworkManager (Red Hat package)
Operating systems & Components / Operating system package or component

Vendor Red Hat Inc.

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Use of insufficiently random values

EUVDB-ID: #VU66122

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-30629

CWE-ID: CWE-330 - Use of Insufficiently Random Values

Exploit availability: No

Description

The vulnerability allows a remote attacker gain access to sensitive information.

The vulnerability exists in crypto/tls implementation when generating TLS tickets age. The newSessionTicketMsgTLS13.ageAdd is always set to "0" instead of a random value.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Red Hat OpenShift Container Platform: 4.11.0

openshift-kuryr (Red Hat package): 4.11.0-202206232036.p0.g66c0cec.assembly.stream.el8

openshift-clients (Red Hat package): 4.11.0-202207291716.p0.g7075089.assembly.stream.el8

openshift-ansible (Red Hat package): 4.11.0-202206240216.p0.g9de1722.assembly.stream.el8

openshift (Red Hat package): 4.11.0-202207082037.p0.g9546431.assembly.stream.el8

ignition (Red Hat package): 2.14.0-3.rhaos4.11.el8

cri-o (Red Hat package): 1.24.1-11.rhaos4.11.gitb0d2ef3.el8

console-login-helper-messages (Red Hat package): 0.20.3-1.rhaos4.6.el8 - 0.20.3-2.rhaos4.11.el8

butane (Red Hat package): 0.15.0-1.rhaos4.11.el8

python-kubernetes (Red Hat package): before 24.2.0-1.el8

NetworkManager (Red Hat package): before 1.36.0-8.el8_6

CPE2.3 External links

http://access.redhat.com/errata/RHSA-2022:6102


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###