Main Vulnerability Database SB2025032942

SB2025032942 - Anolis OS update for container-tools:an8 module

Published: March 29, 2025

Security Bulletin ID SB2025032942

Severity

High

Patch available

YES

Number of vulnerabilities 20

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 20 secuirty vulnerabilities.

1) Information disclosure (CVE-ID: CVE-2018-25091)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to urllib3 does not remove the authorization HTTP header when following a cross-origin redirect. A remote attacker can gain access to sensitive information.

Note, the vulnerability exists due to incomplete fix for #VU26413 (CVE-2018-20060).

2) Information disclosure (CVE-ID: CVE-2018-20060)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to Authorization HTTP header is not removed from the HTTP request during request redirection in "urllib3/util/retry.py". A remote attacker can intercept the request and gain access to sensitive information, passed via Authorization HTTP header.

3) Resource management error (CVE-ID: CVE-2021-33198)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the application when handling a large exponent to the math/big.Rat SetString or UnmarshalText method. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.

4) Improper Certificate Validation (CVE-ID: CVE-2021-34558)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper certificate verification in crypto/tls package in Go when processing X.509 certificates. The application does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS server to cause a TLS client to panic.

5) Resource management error (CVE-ID: CVE-2022-2879)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to absent limits on the maximum size of file headers within the Reader.Read method in archive/tar. A remote attacker can pass a specially crafted file to the application and perform a denial of service (DoS) attack.

6) Input validation error (CVE-ID: CVE-2022-2880)

The vulnerability allows a remote attacker to perform parameter smuggling attacks.

The vulnerability exists due to incorrect handling of requests forwarded by ReverseProxy in net/http/httputil. A remote attacker can supply specially crafted parameters that cannot be parsed and are rejected by net/http and force the application to include these parameters into the forwarding request. As a result, a remote attacker can smuggle potentially dangerous HTTP parameters into the request.

7) Resource exhaustion (CVE-ID: CVE-2022-41715)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources in regexp/syntax when handling regular expressions. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

8) Improper Certificate Validation (CVE-ID: CVE-2023-29409)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to verifying certificate chains containing large RSA keys is slow. A remote attacker can cause a client/server to expend significant CPU time verifying signatures.

9) Cross-site scripting (CVE-ID: CVE-2023-39318)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data within the html/template package when handling HMTL-like "" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. A remote attacker can pass specially crafted input to the application and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

10) Cross-site scripting (CVE-ID: CVE-2023-39319)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists within the html/template package caused by improperly applied rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. A remote attacker can pass specially crafted input to the application and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

11) Input validation error (CVE-ID: CVE-2023-39321)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in crypto/tls when processing post-handshake message on QUIC connections. A remote attacker can send an incomplete post-handshake message for a QUIC connection and perform a denial of service (DoS) attack.

12) Input validation error (CVE-ID: CVE-2023-39322)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

13) Resource exhaustion (CVE-ID: CVE-2023-39326)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when handling HTTP chunked requests. A remote attacker can send specially crafted HTTP requests to the server and consume excessive memory resources.

14) Observable discrepancy (CVE-ID: CVE-2023-45287)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to a timing discrepancy when handling RSA based TLS key exchanges. A remote attacker can perform a Marvin attack and gain access to sensitive information.

15) Information disclosure (CVE-ID: CVE-2023-45803)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to urllib3 does not remove the HTTP request body when redirecting HTTP response using status codes 301, 302, or 303, after the request had its method changed from one that could accept a request body (e.g. from POST to GET). A remote attacker can gain access to potentially sensitive information.

16) Inadequate encryption strength (CVE-ID: CVE-2023-48795)

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to incorrect implementation of the SSH Binary Packet Protocol (BPP), which mishandles the handshake phase and the use of sequence numbers. A remote attacker can perform MitM attack and delete the SSH2_MSG_EXT_INFO message sent before authentication starts, allowing the attacker to disable a subset of the keystroke timing obfuscation features introduced in OpenSSH 9.5.

The vulnerability was dubbed "Terrapin attack" and it affects both client and server implementations.

17) Improper Privilege Management (CVE-ID: CVE-2024-1753)

The vulnerability allows a remote attacker to escalate privileges.

The vulnerability exists due to the affected application allows containers to mount arbitrary locations on the host filesystem into build containers. A remote attacker can escalate privileges.

18) Improper Check for Unusual or Exceptional Conditions (CVE-ID: CVE-2024-23650)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper error handling. A remote attacker can send specially crafted data to the application and perform a denial of service (DoS) attack.

19) Infinite loop (CVE-ID: CVE-2024-24786)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop when parsing data in an invalid JSON format within the protojson.Unmarshal() function. A remote attacker can consume all available system resources and cause denial of service conditions.

20) Resource exhaustion (CVE-ID: CVE-2024-28180)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when decompressing JWE with Decrypt or DecryptMulti. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Remediation

Install update from vendor's website.

References

https://anas.openanolis.cn/errata/detail/ANSA-2024:0419

Vulnerable Software

Anolis OS: 8
podman-docker: before 4.9.4-1.0.1
podman-tests: before 4.9.4-1.0.1
podman-remote: before 4.9.4-1.0.1
podman-plugins: before 4.9.4-1.0.1
podman-gvproxy: before 4.9.4-1.0.1
podman-catatonit: before 4.9.4-1.0.1
podman: before 4.9.4-1.0.1
buildah-tests: before 1.33.7-1
buildah: before 1.33.7-1
udica: before 0.2.6-21
python3-podman: before 4.9.0-1
container-selinux: before 2.229.0-2
cockpit-podman: before 84.1-1
toolbox-tests: before 0.0.99.5-2.0.1
toolbox: before 0.0.99.5-2.0.1
slirp4netns: before 1.2.3-1
skopeo-tests: before 1.14.3-2.0.1
skopeo: before 1.14.3-2.0.1
python3-criu: before 3.18-5.0.1
oci-seccomp-bpf-hook: before 1.2.10-1
netavark: before 1.10.3-1.0.1
libslirp-devel: before 4.4.0-2
libslirp: before 4.4.0-2
fuse-overlayfs: before 1.13-1.0.1
crun: before 1.14.3-2
criu-libs: before 3.18-5.0.1
criu-devel: before 3.18-5.0.1
criu: before 3.18-5.0.1
crit: before 3.18-5.0.1
containers-common: before 1-81.0.1
containernetworking-plugins: before 1.4.0-2.0.1
conmon: before 2.1.10-1
aardvark-dns: before 1.10.0-2.0.1
runc: before 1.1.12-1.0.1

SB2025032942 - Anolis OS update for container-tools:an8 module

Breakdown by Severity

Description

Remediation

References

Please verify you're human