Red Hat Product Errata RHSA-2023:6031 - Security Advisory
Issued:
2023-10-23
Updated:
2023-10-23

RHSA-2023:6031 - Security Advisory

Synopsis

Important: Cryostat security update

Type/Severity

Security Advisory: Important

Topic

An update is now available for Cryostat 2 on RHEL 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

An update is now available for Cryostat 2 on RHEL 8.

Security Fix(es):

  • golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)
  • HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)
  • golang.org/x/net/html: Cross site scripting (CVE-2023-3978)
  • golang: net/http: insufficient sanitization of Host header (CVE-2023-29406)
  • golang: crypto/tls: slow verification of certificate chains containing large RSA keys (CVE-2023-29409)
  • golang: crypto/tls: panic when processing post-handshake message on QUIC connections (CVE-2023-39321)
  • golang: crypto/tls: lack of a limit on buffered post-handshake (CVE-2023-39322)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Cryostat 2 x86_64

Fixes

  • BZ - 2222167 - CVE-2023-29406 golang: net/http: insufficient sanitization of Host header
  • BZ - 2228689 - CVE-2023-3978 golang.org/x/net/html: Cross site scripting
  • BZ - 2228743 - CVE-2023-29409 golang: crypto/tls: slow verification of certificate chains containing large RSA keys
  • BZ - 2237777 - CVE-2023-39321 golang: crypto/tls: panic when processing post-handshake message on QUIC connections
  • BZ - 2237778 - CVE-2023-39322 golang: crypto/tls: lack of a limit on buffered post-handshake
  • BZ - 2242803 - CVE-2023-44487 HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)
  • BZ - 2243296 - CVE-2023-39325 golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)

x86_64

cryostat-tech-preview/cryostat-grafana-dashboard-rhel8@sha256:25214921951dbb2ce9eeda23ce3cce3291a789436927beff1317541a68554fa9
cryostat-tech-preview/cryostat-operator-bundle@sha256:8d4dd000a817aec11eef4303c9d17bc92b809f313796ae360d00101a3a04bf86
cryostat-tech-preview/cryostat-reports-rhel8@sha256:5408e8448ab25072a2fc0a018105e52668d239b7449b9abe6c44c57c439c34a1
cryostat-tech-preview/cryostat-rhel8@sha256:90305e17793e3a1275a5611745d1c6c8b056198c3e82283b50df85e747f09193
cryostat-tech-preview/cryostat-rhel8-operator@sha256:15459ee1c5ec24cdfaf2427d6aa3c4fe1fa89d58608217a0dbdae709c99ba877
cryostat-tech-preview/jfr-datasource-rhel8@sha256:a0445fffa148a3cf471adbb288a07d175d7e2950d12c0f99cc56f709f4b60f29

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.