Red Hat Product Errata RHSA-2023:5933 - Security Advisory
Issued:
2023-10-26
Updated:
2023-10-26

RHSA-2023:5933 - Security Advisory

Synopsis

Important: Openshift Secondary Scheduler Operator 1.1.3 security update

Type/Severity

Security Advisory: Important

Topic

Secondary Scheduler Operator for Red Hat OpenShift 1.1.3

An update for secondary-scheduler-operator-bundle-container and secondary-scheduler-operator-container is now available for OSSO-1.1-RHEL-8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Secondary Scheduler Operator for Red Hat OpenShift 1.1.3

Security Fix(es):

  • golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)
  • HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)
  • golang: net/http: insufficient sanitization of Host header (CVE-2023-29406)
  • golang: crypto/tls: slow verification of certificate chains containing large RSA keys (CVE-2023-29409)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Secondary Scheduler Operator for Red Hat OpenShift (OSSO) 1 for RHEL 8 x86_64

Fixes

  • BZ - 2222167 - CVE-2023-29406 golang: net/http: insufficient sanitization of Host header
  • BZ - 2228743 - CVE-2023-29409 golang: crypto/tls: slow verification of certificate chains containing large RSA keys
  • BZ - 2242803 - CVE-2023-44487 HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)
  • BZ - 2243296 - CVE-2023-39325 golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)
  • WRKLDS-878 - New OSSO 1.1.3 release

x86_64

openshift-secondary-scheduler-operator/secondary-scheduler-operator-bundle@sha256:51458b1eafc32dd920558e757506e9b71856b5b47744284c961c5430766536b2
openshift-secondary-scheduler-operator/secondary-scheduler-operator-rhel8@sha256:fb305e8ee14a0cd1f45da0bdd9000a1f9d0a9c4dd20e300004c3cef26997b9b8

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.