Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.12

Published: 2024-11-07

Risk	Medium
Patch available	YES
Number of vulnerabilities	6
CVE-ID	CVE-2024-34156 CVE-2024-44082 CVE-2024-9341 CVE-2024-9676 CVE-2024-34155 CVE-2024-34158
CWE-ID	CWE-400 CWE-284 CWE-20 CWE-61
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	kernel-rt (Red Hat package) Operating systems & Components / Operating system package or component runc (Red Hat package) Operating systems & Components / Operating system package or component openshift4-aws-iso (Red Hat package) Operating systems & Components / Operating system package or component openshift-kuryr (Red Hat package) Operating systems & Components / Operating system package or component openshift-ansible (Red Hat package) Operating systems & Components / Operating system package or component haproxy (Red Hat package) Operating systems & Components / Operating system package or component containernetworking-plugins (Red Hat package) Operating systems & Components / Operating system package or component container-selinux (Red Hat package) Operating systems & Components / Operating system package or component butane (Red Hat package) Operating systems & Components / Operating system package or component skopeo (Red Hat package) Operating systems & Components / Operating system package or component podman (Red Hat package) Operating systems & Components / Operating system package or component openstack-ironic-python-agent (Red Hat package) Operating systems & Components / Operating system package or component openstack-ironic (Red Hat package) Operating systems & Components / Operating system package or component openshift-clients (Red Hat package) Operating systems & Components / Operating system package or component openshift (Red Hat package) Operating systems & Components / Operating system package or component ignition (Red Hat package) Operating systems & Components / Operating system package or component cri-tools (Red Hat package) Operating systems & Components / Operating system package or component cri-o (Red Hat package) Operating systems & Components / Operating system package or component conmon (Red Hat package) Operating systems & Components / Operating system package or component buildah (Red Hat package) Operating systems & Components / Operating system package or component Red Hat OpenShift Container Platform Client/Desktop applications / Software for system administration
Vendor	Red Hat Inc.

Security Bulletin

This security bulletin contains information about 6 vulnerabilities.

1) Resource exhaustion

EUVDB-ID: #VU97216

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-34156

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to encoding/gob does not properly control consumption of internal resources when calling Decoder.Decode. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Note, this vulnerability is related to #VU66068 (CVE-2024-34156).

Mitigation

Install updates from vendor's website.

Vulnerable software versions

kernel-rt (Red Hat package): before 4.18.0-372.127.1.rt7.287.el8_6

runc (Red Hat package): before 1.1.6-9.rhaos4.12.el8

openshift4-aws-iso (Red Hat package): before 4.12.0-202410181935.p0.gd2acdd5.assembly.stream.el8

openshift-kuryr (Red Hat package): before 4.12.0-202410181935.p0.g8fd2f8b.assembly.stream.el8

openshift-ansible (Red Hat package): before 4.12.0-202410181935.p0.gd97dd6f.assembly.stream.el8

haproxy (Red Hat package): before 2.2.24-5.rhaos4.12.el8

containernetworking-plugins (Red Hat package): before 1.4.0-4.rhaos4.12.el8

container-selinux (Red Hat package): before 2.228.1-1.rhaos4.12.el8

butane (Red Hat package): before 0.16.0-5.rhaos4.12.el8

skopeo (Red Hat package): before 1.9.4-7.rhaos4.12.el8

podman (Red Hat package): before 4.2.0-12.rhaos4.12.el9

openstack-ironic-python-agent (Red Hat package): before 9.0.1-0.20240913135525.2b2dd8f.el9

openstack-ironic (Red Hat package): before 21.0.1-0.20240913135525.114badc.el9

openshift-clients (Red Hat package): before 4.12.0-202410181935.p0.gd691257.assembly.stream.el8

openshift (Red Hat package): before 4.12.0-202410181935.p0.g1eb8682.assembly.stream.el8

ignition (Red Hat package): before 2.14.0-8.rhaos4.12.el9

cri-tools (Red Hat package): before 1.25.0-5.el8

cri-o (Red Hat package): before 1.25.5-5.rhaos4.12.git53dc492.el9

conmon (Red Hat package): before 2.1.2-8.rhaos4.12.el8

buildah (Red Hat package): before 1.23.4-8.rhaos4.12.el8

Red Hat OpenShift Container Platform: before 4.12.68

CPE2.3

External links

https://access.redhat.com/errata/RHSA-2024:8694

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper access control

EUVDB-ID: #VU97965

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-44082

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions when handling images. A remote attacker can trick the victim into using a specially crafted image to gain access to sensitive information.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

kernel-rt (Red Hat package): before 4.18.0-372.127.1.rt7.287.el8_6

runc (Red Hat package): before 1.1.6-9.rhaos4.12.el8

openshift4-aws-iso (Red Hat package): before 4.12.0-202410181935.p0.gd2acdd5.assembly.stream.el8

openshift-kuryr (Red Hat package): before 4.12.0-202410181935.p0.g8fd2f8b.assembly.stream.el8

openshift-ansible (Red Hat package): before 4.12.0-202410181935.p0.gd97dd6f.assembly.stream.el8

haproxy (Red Hat package): before 2.2.24-5.rhaos4.12.el8

containernetworking-plugins (Red Hat package): before 1.4.0-4.rhaos4.12.el8

container-selinux (Red Hat package): before 2.228.1-1.rhaos4.12.el8

butane (Red Hat package): before 0.16.0-5.rhaos4.12.el8

skopeo (Red Hat package): before 1.9.4-7.rhaos4.12.el8

podman (Red Hat package): before 4.2.0-12.rhaos4.12.el9

openstack-ironic-python-agent (Red Hat package): before 9.0.1-0.20240913135525.2b2dd8f.el9

openstack-ironic (Red Hat package): before 21.0.1-0.20240913135525.114badc.el9

openshift-clients (Red Hat package): before 4.12.0-202410181935.p0.gd691257.assembly.stream.el8

openshift (Red Hat package): before 4.12.0-202410181935.p0.g1eb8682.assembly.stream.el8

ignition (Red Hat package): before 2.14.0-8.rhaos4.12.el9

cri-tools (Red Hat package): before 1.25.0-5.el8

cri-o (Red Hat package): before 1.25.5-5.rhaos4.12.git53dc492.el9

conmon (Red Hat package): before 2.1.2-8.rhaos4.12.el8

buildah (Red Hat package): before 1.23.4-8.rhaos4.12.el8

Red Hat OpenShift Container Platform: before 4.12.68

CPE2.3

External links

https://access.redhat.com/errata/RHSA-2024:8694

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Input validation error

EUVDB-ID: #VU98141

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-9341

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to insufficient validation of user-supplied input. When FIPS mode is enabled on a system, container runtimes may incorrectly handle certain file paths due to improper validation in the containers/common Go library. This flaw allows an attacker to exploit symbolic links and trick the system into mounting sensitive host directories inside a container.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

kernel-rt (Red Hat package): before 4.18.0-372.127.1.rt7.287.el8_6

runc (Red Hat package): before 1.1.6-9.rhaos4.12.el8

openshift4-aws-iso (Red Hat package): before 4.12.0-202410181935.p0.gd2acdd5.assembly.stream.el8

openshift-kuryr (Red Hat package): before 4.12.0-202410181935.p0.g8fd2f8b.assembly.stream.el8

openshift-ansible (Red Hat package): before 4.12.0-202410181935.p0.gd97dd6f.assembly.stream.el8

haproxy (Red Hat package): before 2.2.24-5.rhaos4.12.el8

containernetworking-plugins (Red Hat package): before 1.4.0-4.rhaos4.12.el8

container-selinux (Red Hat package): before 2.228.1-1.rhaos4.12.el8

butane (Red Hat package): before 0.16.0-5.rhaos4.12.el8

skopeo (Red Hat package): before 1.9.4-7.rhaos4.12.el8

podman (Red Hat package): before 4.2.0-12.rhaos4.12.el9

openstack-ironic-python-agent (Red Hat package): before 9.0.1-0.20240913135525.2b2dd8f.el9

openstack-ironic (Red Hat package): before 21.0.1-0.20240913135525.114badc.el9

openshift-clients (Red Hat package): before 4.12.0-202410181935.p0.gd691257.assembly.stream.el8

openshift (Red Hat package): before 4.12.0-202410181935.p0.g1eb8682.assembly.stream.el8

ignition (Red Hat package): before 2.14.0-8.rhaos4.12.el9

cri-tools (Red Hat package): before 1.25.0-5.el8

cri-o (Red Hat package): before 1.25.5-5.rhaos4.12.git53dc492.el9

conmon (Red Hat package): before 2.1.2-8.rhaos4.12.el8

buildah (Red Hat package): before 1.23.4-8.rhaos4.12.el8

Red Hat OpenShift Container Platform: before 4.12.68

CPE2.3

External links

https://access.redhat.com/errata/RHSA-2024:8694

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) UNIX symbolic link following

EUVDB-ID: #VU98817

Risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-9676

CWE-ID: CWE-61 - UNIX Symbolic Link (Symlink) Following

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a symlink following issue when running a malicious image using an automatically assigned user namespace (`--userns=auto` in Podman and Buildah). A local user can create a symbolic link to an arbitrary file on the system, force the library to read it and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

kernel-rt (Red Hat package): before 4.18.0-372.127.1.rt7.287.el8_6

runc (Red Hat package): before 1.1.6-9.rhaos4.12.el8

openshift4-aws-iso (Red Hat package): before 4.12.0-202410181935.p0.gd2acdd5.assembly.stream.el8

openshift-kuryr (Red Hat package): before 4.12.0-202410181935.p0.g8fd2f8b.assembly.stream.el8

openshift-ansible (Red Hat package): before 4.12.0-202410181935.p0.gd97dd6f.assembly.stream.el8

haproxy (Red Hat package): before 2.2.24-5.rhaos4.12.el8

containernetworking-plugins (Red Hat package): before 1.4.0-4.rhaos4.12.el8

container-selinux (Red Hat package): before 2.228.1-1.rhaos4.12.el8

butane (Red Hat package): before 0.16.0-5.rhaos4.12.el8

skopeo (Red Hat package): before 1.9.4-7.rhaos4.12.el8

podman (Red Hat package): before 4.2.0-12.rhaos4.12.el9

openstack-ironic-python-agent (Red Hat package): before 9.0.1-0.20240913135525.2b2dd8f.el9

openstack-ironic (Red Hat package): before 21.0.1-0.20240913135525.114badc.el9

openshift-clients (Red Hat package): before 4.12.0-202410181935.p0.gd691257.assembly.stream.el8

openshift (Red Hat package): before 4.12.0-202410181935.p0.g1eb8682.assembly.stream.el8

ignition (Red Hat package): before 2.14.0-8.rhaos4.12.el9

cri-tools (Red Hat package): before 1.25.0-5.el8

cri-o (Red Hat package): before 1.25.5-5.rhaos4.12.git53dc492.el9

conmon (Red Hat package): before 2.1.2-8.rhaos4.12.el8

buildah (Red Hat package): before 1.23.4-8.rhaos4.12.el8

Red Hat OpenShift Container Platform: before 4.12.68

CPE2.3

External links

https://access.redhat.com/errata/RHSA-2024:8694

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Resource exhaustion

EUVDB-ID: #VU97215

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-34155

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to go/parser does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

kernel-rt (Red Hat package): before 4.18.0-372.127.1.rt7.287.el8_6

runc (Red Hat package): before 1.1.6-9.rhaos4.12.el8

openshift4-aws-iso (Red Hat package): before 4.12.0-202410181935.p0.gd2acdd5.assembly.stream.el8

openshift-kuryr (Red Hat package): before 4.12.0-202410181935.p0.g8fd2f8b.assembly.stream.el8

openshift-ansible (Red Hat package): before 4.12.0-202410181935.p0.gd97dd6f.assembly.stream.el8

haproxy (Red Hat package): before 2.2.24-5.rhaos4.12.el8

containernetworking-plugins (Red Hat package): before 1.4.0-4.rhaos4.12.el8

container-selinux (Red Hat package): before 2.228.1-1.rhaos4.12.el8

butane (Red Hat package): before 0.16.0-5.rhaos4.12.el8

skopeo (Red Hat package): before 1.9.4-7.rhaos4.12.el8

podman (Red Hat package): before 4.2.0-12.rhaos4.12.el9

openstack-ironic-python-agent (Red Hat package): before 9.0.1-0.20240913135525.2b2dd8f.el9

openstack-ironic (Red Hat package): before 21.0.1-0.20240913135525.114badc.el9

openshift-clients (Red Hat package): before 4.12.0-202410181935.p0.gd691257.assembly.stream.el8

openshift (Red Hat package): before 4.12.0-202410181935.p0.g1eb8682.assembly.stream.el8

ignition (Red Hat package): before 2.14.0-8.rhaos4.12.el9

cri-tools (Red Hat package): before 1.25.0-5.el8

cri-o (Red Hat package): before 1.25.5-5.rhaos4.12.git53dc492.el9

conmon (Red Hat package): before 2.1.2-8.rhaos4.12.el8

buildah (Red Hat package): before 1.23.4-8.rhaos4.12.el8

Red Hat OpenShift Container Platform: before 4.12.68

CPE2.3

External links

https://access.redhat.com/errata/RHSA-2024:8694

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Resource exhaustion

EUVDB-ID: #VU97217

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-34158

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to go/build/constraint does not properly control consumption of internal resources when calling Parse on a "// +build" build tag line with deeply nested expressions. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

kernel-rt (Red Hat package): before 4.18.0-372.127.1.rt7.287.el8_6

runc (Red Hat package): before 1.1.6-9.rhaos4.12.el8

openshift4-aws-iso (Red Hat package): before 4.12.0-202410181935.p0.gd2acdd5.assembly.stream.el8

openshift-kuryr (Red Hat package): before 4.12.0-202410181935.p0.g8fd2f8b.assembly.stream.el8

openshift-ansible (Red Hat package): before 4.12.0-202410181935.p0.gd97dd6f.assembly.stream.el8

haproxy (Red Hat package): before 2.2.24-5.rhaos4.12.el8

containernetworking-plugins (Red Hat package): before 1.4.0-4.rhaos4.12.el8

container-selinux (Red Hat package): before 2.228.1-1.rhaos4.12.el8

butane (Red Hat package): before 0.16.0-5.rhaos4.12.el8

skopeo (Red Hat package): before 1.9.4-7.rhaos4.12.el8

podman (Red Hat package): before 4.2.0-12.rhaos4.12.el9

openstack-ironic-python-agent (Red Hat package): before 9.0.1-0.20240913135525.2b2dd8f.el9

openstack-ironic (Red Hat package): before 21.0.1-0.20240913135525.114badc.el9

openshift-clients (Red Hat package): before 4.12.0-202410181935.p0.gd691257.assembly.stream.el8

openshift (Red Hat package): before 4.12.0-202410181935.p0.g1eb8682.assembly.stream.el8

ignition (Red Hat package): before 2.14.0-8.rhaos4.12.el9

cri-tools (Red Hat package): before 1.25.0-5.el8

cri-o (Red Hat package): before 1.25.5-5.rhaos4.12.git53dc492.el9

conmon (Red Hat package): before 2.1.2-8.rhaos4.12.el8

buildah (Red Hat package): before 1.23.4-8.rhaos4.12.el8

Red Hat OpenShift Container Platform: before 4.12.68

CPE2.3

External links

https://access.redhat.com/errata/RHSA-2024:8694

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.