Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.17 packages
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) Resource exhaustion
EUVDB-ID: #VU97216
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-34156
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to encoding/gob does not properly control consumption of internal resources when calling Decoder.Decode. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
Note, this vulnerability is related to #VU66068 (CVE-2024-34156).
Install updates from vendor's website.
openshift4-aws-iso (Red Hat package): before 4.17.0-202410111511.p0.gd2acdd5.assembly.stream.el8
containernetworking-plugins (Red Hat package): before 1.4.0-4.rhaos4.17.el8
butane (Red Hat package): before 0.22.0-2.rhaos4.17.el8
skopeo (Red Hat package): before 1.16.0-3.rhaos4.17.el9
runc (Red Hat package): before 1.1.14-2.rhaos4.17.el9
podman (Red Hat package): before 5.2.3-2.rhaos4.17.el9
ose-gcp-gcr-image-credential-provider (Red Hat package): before 4.17.0-202410111511.p0.g8ce997d.assembly.stream.el9
ose-azure-acr-image-credential-provider (Red Hat package): before 4.17.0-202410111511.p0.gb9204e2.assembly.stream.el9
ose-aws-ecr-image-credential-provider (Red Hat package): before 4.17.0-202410111511.p0.g8c77f41.assembly.stream.el9
openshift-clients (Red Hat package): before 4.17.0-202410160306.p0.g6bf65cc.assembly.stream.el9
openshift-ansible (Red Hat package): before 4.17.0-202410111511.p0.g7fe7411.assembly.stream.el9
openshift (Red Hat package): before 4.17.0-202410151605.p0.g6816ea6.assembly.stream.el9
golang-github-prometheus-promu (Red Hat package): before 0.16.0-19.gitf6c51c9.el9
cri-tools (Red Hat package): before 1.30.0-5.el9
cri-o (Red Hat package): before 1.30.6-5.rhaos4.17.git690d4d6.el9
conmon (Red Hat package): before 2.1.12-5.rhaos4.17.el9
buildah (Red Hat package): before 1.33.7-3.rhaos4.17.el9
Red Hat OpenShift Container Platform: before 4.17.2
CPE2.3http://access.redhat.com/errata/RHSA-2024:8232
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Infinite loop
EUVDB-ID: #VU94792
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-5569
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop. A remote attacker can pass a specially crafted zip file to the application, consume all available system resources and cause denial of service conditions.
MitigationInstall updates from vendor's website.
openshift4-aws-iso (Red Hat package): before 4.17.0-202410111511.p0.gd2acdd5.assembly.stream.el8
containernetworking-plugins (Red Hat package): before 1.4.0-4.rhaos4.17.el8
butane (Red Hat package): before 0.22.0-2.rhaos4.17.el8
skopeo (Red Hat package): before 1.16.0-3.rhaos4.17.el9
runc (Red Hat package): before 1.1.14-2.rhaos4.17.el9
podman (Red Hat package): before 5.2.3-2.rhaos4.17.el9
ose-gcp-gcr-image-credential-provider (Red Hat package): before 4.17.0-202410111511.p0.g8ce997d.assembly.stream.el9
ose-azure-acr-image-credential-provider (Red Hat package): before 4.17.0-202410111511.p0.gb9204e2.assembly.stream.el9
ose-aws-ecr-image-credential-provider (Red Hat package): before 4.17.0-202410111511.p0.g8c77f41.assembly.stream.el9
openshift-clients (Red Hat package): before 4.17.0-202410160306.p0.g6bf65cc.assembly.stream.el9
openshift-ansible (Red Hat package): before 4.17.0-202410111511.p0.g7fe7411.assembly.stream.el9
openshift (Red Hat package): before 4.17.0-202410151605.p0.g6816ea6.assembly.stream.el9
golang-github-prometheus-promu (Red Hat package): before 0.16.0-19.gitf6c51c9.el9
cri-tools (Red Hat package): before 1.30.0-5.el9
cri-o (Red Hat package): before 1.30.6-5.rhaos4.17.git690d4d6.el9
conmon (Red Hat package): before 2.1.12-5.rhaos4.17.el9
buildah (Red Hat package): before 1.33.7-3.rhaos4.17.el9
Red Hat OpenShift Container Platform: before 4.17.2
CPE2.3http://access.redhat.com/errata/RHSA-2024:8232
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Resource exhaustion
EUVDB-ID: #VU97215
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-34155
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to go/parser does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's website.
openshift4-aws-iso (Red Hat package): before 4.17.0-202410111511.p0.gd2acdd5.assembly.stream.el8
containernetworking-plugins (Red Hat package): before 1.4.0-4.rhaos4.17.el8
butane (Red Hat package): before 0.22.0-2.rhaos4.17.el8
skopeo (Red Hat package): before 1.16.0-3.rhaos4.17.el9
runc (Red Hat package): before 1.1.14-2.rhaos4.17.el9
podman (Red Hat package): before 5.2.3-2.rhaos4.17.el9
ose-gcp-gcr-image-credential-provider (Red Hat package): before 4.17.0-202410111511.p0.g8ce997d.assembly.stream.el9
ose-azure-acr-image-credential-provider (Red Hat package): before 4.17.0-202410111511.p0.gb9204e2.assembly.stream.el9
ose-aws-ecr-image-credential-provider (Red Hat package): before 4.17.0-202410111511.p0.g8c77f41.assembly.stream.el9
openshift-clients (Red Hat package): before 4.17.0-202410160306.p0.g6bf65cc.assembly.stream.el9
openshift-ansible (Red Hat package): before 4.17.0-202410111511.p0.g7fe7411.assembly.stream.el9
openshift (Red Hat package): before 4.17.0-202410151605.p0.g6816ea6.assembly.stream.el9
golang-github-prometheus-promu (Red Hat package): before 0.16.0-19.gitf6c51c9.el9
cri-tools (Red Hat package): before 1.30.0-5.el9
cri-o (Red Hat package): before 1.30.6-5.rhaos4.17.git690d4d6.el9
conmon (Red Hat package): before 2.1.12-5.rhaos4.17.el9
buildah (Red Hat package): before 1.33.7-3.rhaos4.17.el9
Red Hat OpenShift Container Platform: before 4.17.2
CPE2.3http://access.redhat.com/errata/RHSA-2024:8232
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Resource exhaustion
EUVDB-ID: #VU97217
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-34158
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to go/build/constraint does not properly control consumption of internal resources when calling Parse on a "// +build" build tag line with deeply nested expressions. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's website.
openshift4-aws-iso (Red Hat package): before 4.17.0-202410111511.p0.gd2acdd5.assembly.stream.el8
containernetworking-plugins (Red Hat package): before 1.4.0-4.rhaos4.17.el8
butane (Red Hat package): before 0.22.0-2.rhaos4.17.el8
skopeo (Red Hat package): before 1.16.0-3.rhaos4.17.el9
runc (Red Hat package): before 1.1.14-2.rhaos4.17.el9
podman (Red Hat package): before 5.2.3-2.rhaos4.17.el9
ose-gcp-gcr-image-credential-provider (Red Hat package): before 4.17.0-202410111511.p0.g8ce997d.assembly.stream.el9
ose-azure-acr-image-credential-provider (Red Hat package): before 4.17.0-202410111511.p0.gb9204e2.assembly.stream.el9
ose-aws-ecr-image-credential-provider (Red Hat package): before 4.17.0-202410111511.p0.g8c77f41.assembly.stream.el9
openshift-clients (Red Hat package): before 4.17.0-202410160306.p0.g6bf65cc.assembly.stream.el9
openshift-ansible (Red Hat package): before 4.17.0-202410111511.p0.g7fe7411.assembly.stream.el9
openshift (Red Hat package): before 4.17.0-202410151605.p0.g6816ea6.assembly.stream.el9
golang-github-prometheus-promu (Red Hat package): before 0.16.0-19.gitf6c51c9.el9
cri-tools (Red Hat package): before 1.30.0-5.el9
cri-o (Red Hat package): before 1.30.6-5.rhaos4.17.git690d4d6.el9
conmon (Red Hat package): before 2.1.12-5.rhaos4.17.el9
buildah (Red Hat package): before 1.33.7-3.rhaos4.17.el9
Red Hat OpenShift Container Platform: before 4.17.2
CPE2.3http://access.redhat.com/errata/RHSA-2024:8232
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
