Red Hat Product Errata RHSA-2023:6085 - Security Advisory
Issued:
2023-10-24
Updated:
2023-10-24

RHSA-2023:6085 - Security Advisory

Synopsis

Important: Red Hat OpenShift distributed tracing security update

Type/Severity

Security Advisory: Important

Topic

An update is now available for Red Hat Openshift distributed tracing 2.9.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Security Fix(es):

  • golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)
  • HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)
  • golang: net/http: insufficient sanitization of Host header (CVE-2023-29406)
  • golang: crypto/tls: slow verification of certificate chains containing large RSA keys (CVE-2023-29409)
  • golang: html/template: improper handling of HTML-like comments within script contexts (CVE-2023-39318)
  • golang: html/template: improper handling of special tags within script contexts (CVE-2023-39319)
  • golang: crypto/tls: panic when processing post-handshake message on QUIC connections (CVE-2023-39321)
  • golang: crypto/tls: lack of a limit on buffered post-handshake (CVE-2023-39322)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat OpenShift distributed tracing 2 x86_64
  • Red Hat OpenShift distributed tracing for Power, little endian 2 ppc64le
  • Red Hat OpenShift distributed tracing for IBM Z and LinuxONE 2 s390x

Fixes

  • BZ - 2222167 - CVE-2023-29406 golang: net/http: insufficient sanitization of Host header
  • BZ - 2228743 - CVE-2023-29409 golang: crypto/tls: slow verification of certificate chains containing large RSA keys
  • BZ - 2237773 - CVE-2023-39319 golang: html/template: improper handling of special tags within script contexts
  • BZ - 2237776 - CVE-2023-39318 golang: html/template: improper handling of HTML-like comments within script contexts
  • BZ - 2237777 - CVE-2023-39321 golang: crypto/tls: panic when processing post-handshake message on QUIC connections
  • BZ - 2237778 - CVE-2023-39322 golang: crypto/tls: lack of a limit on buffered post-handshake
  • BZ - 2242803 - CVE-2023-44487 HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)
  • BZ - 2243296 - CVE-2023-39325 golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)

ppc64le

rhosdt/jaeger-agent-rhel8@sha256:b57f6bbb0fd714828d0b9bf4759a04cad8ba98db394dbb79d8a5a9d2c48a8383
rhosdt/jaeger-all-in-one-rhel8@sha256:21de0110a12e568d4fa9a814b1f3fb79b132be34770f795c6f43922a454bba34
rhosdt/jaeger-collector-rhel8@sha256:20dfc6ffe41e4dceb854a2fa99cad5d6a9b48e8bfc51329fed767f47b7cb461f
rhosdt/jaeger-es-index-cleaner-rhel8@sha256:c53876745a6ae8a8ca6ec74d22f8cae148cf4b99e45c3efdcca323b6fbb4ad0e
rhosdt/jaeger-es-rollover-rhel8@sha256:8bfdcdb4432975726865d321037b600260c4df1b3a1811d1c85523d61e91bccc
rhosdt/jaeger-ingester-rhel8@sha256:0d7c0ff5a6c0e645856e1550bfb8acea763d013e4b706b7da972094c26d8a3ba
rhosdt/jaeger-operator-bundle@sha256:1bbbe479ae64cb639bde227e52bb60c55a855fed9109c0ba850e2b1474c8cf5d
rhosdt/jaeger-query-rhel8@sha256:40183936d78c62c1b34807bf21c6fa3570ab5a4c3fdcf2c708b6e2225addf88d
rhosdt/jaeger-rhel8-operator@sha256:e4722e3dbb65c43212e1f86bf5b24779879288a9044d57f2c33aed5baf1b2d33
rhosdt/opentelemetry-collector-rhel8@sha256:97a23c3fdf791b59df6bc6e6f9311599ba2f3900aebe64ce4eaf8f77a7f76336
rhosdt/opentelemetry-operator-bundle@sha256:9de35e845d96684ca3009299dc5034742031f7632f839f877d812a243fd17f75
rhosdt/opentelemetry-rhel8-operator@sha256:5a2e8e06addd84a2c83976a57b84187f8450f45244bd7174b0078d2b2d9e5635
rhosdt/tempo-gateway-opa-rhel8@sha256:f39bf591bff322ca89eddc61dc1b8ed00b018ca0aac39228c3cc33368c9928e6
rhosdt/tempo-gateway-rhel8@sha256:d5e00c9ebe3d8d4b009f1f6d7383d453ce9186e7e6ec1fc4c834b86461e831d9
rhosdt/tempo-operator-bundle@sha256:10394c478c148eaf171f328289b1bbec15b357bd1d5eb473abb31c2cd6cb5643
rhosdt/tempo-query-rhel8@sha256:b5b4d89e126c76fa960a5ac2ba4b63f0e74ab5439cac372e1e0ebe81c1315b3e
rhosdt/tempo-rhel8@sha256:81b5694019779cea93a418e6edf684f54525dcb7da9a4090c7b886184bebe605
rhosdt/tempo-rhel8-operator@sha256:f870fcbe6367921e167ee564e04db11daeaeafce3fa970aa28d8f8239be6391f

s390x

rhosdt/jaeger-agent-rhel8@sha256:075e5a497bd37954221774f3b0e97a86f87bf9a8564a87fa8269b2acb01a5fdf
rhosdt/jaeger-all-in-one-rhel8@sha256:3555c97e1edbc18ecc7ad756dae043a55215bcacd31e70a41c3e444a4b5bac98
rhosdt/jaeger-collector-rhel8@sha256:a3224c5e1b39ca4a33f806a5930dd37304578420f382c43158ee290fffd21533
rhosdt/jaeger-es-index-cleaner-rhel8@sha256:6c1435712a36384a562448ec972ac39378b1e976490146cda1c98b510c76d849
rhosdt/jaeger-es-rollover-rhel8@sha256:fbce2ceb4a0c5231823c931b87726b7a6a5e5f0c87ba93abad09acb11661a675
rhosdt/jaeger-ingester-rhel8@sha256:498a6186790b5e8dc2ff8bc49f5a163a51b19ee36c5030b6ae44fd0c1dbe4139
rhosdt/jaeger-operator-bundle@sha256:1a5c829466a50a4ed1b509fa83b1ffacb5290840e64c1f805e462c533a26c075
rhosdt/jaeger-query-rhel8@sha256:ebc33a6ada6c578e6b113bdfa3e0a9570f15e75cb3e87fa99a3ec23056d58f02
rhosdt/jaeger-rhel8-operator@sha256:17b698d2b2bde4985346b6ffe28c4b0a71e0a6fec4937144aef5db4ca20f60e4
rhosdt/opentelemetry-collector-rhel8@sha256:d68e45ac3dd60f05aab018cba084ff93195bf9175ba642164cb062f7a4b9d71f
rhosdt/opentelemetry-operator-bundle@sha256:9b88c187427bf315cc27690e22425000b87de35b40b04e566152eaf5319043c6
rhosdt/opentelemetry-rhel8-operator@sha256:c940703247b04c520a51bf76f09a29eaa2e30d4e4d40db14f07e0ceba89eefbd
rhosdt/tempo-gateway-opa-rhel8@sha256:fc8a5757270970c2bcd42f659bdde3d9edebd0054cbd01541479c9aa51135cc8
rhosdt/tempo-gateway-rhel8@sha256:4967482a0ef9ef89de4583d7ec9f6666e2334dacb099d5cb556f93f1118f5809
rhosdt/tempo-operator-bundle@sha256:4fb7b99e4156f1c0e67708527ba6336fab647a717e6cad08dac93d191e820c70
rhosdt/tempo-query-rhel8@sha256:307638d85cab7d8502cd6acd45d626a6e26a3c37ab3fb008946e80eee2e4a372
rhosdt/tempo-rhel8@sha256:efb15ac8f44d2ddcc0ac0913131df69f31ebd4aad76c503364b5efb517eabf40
rhosdt/tempo-rhel8-operator@sha256:946413dd5505c92b1eb0c3343fedf7c99ed104cd51933b8ad0dad92c9d85e1f1

x86_64

rhosdt/jaeger-agent-rhel8@sha256:5667bbe8cdf5ef5b93fe2eb51af1b03ac25db50ee7f13a35e97c67968f70d9bc
rhosdt/jaeger-all-in-one-rhel8@sha256:dd221ad03daa551a30a5b3631b9a489ab29147f4d0d380f317ee6e8999c5638f
rhosdt/jaeger-collector-rhel8@sha256:9551931c00cc1052ddb32310153352d56c70a50826c29bcee53fc048c6995399
rhosdt/jaeger-es-index-cleaner-rhel8@sha256:699727f91948e7a870cdae3f8d3cf88cdf1df934ea6c4e5e1a86467b7ea62da3
rhosdt/jaeger-es-rollover-rhel8@sha256:0b0b4bb1d943449bbfe99653eb918583b38e6e7fc9317653acf487bb33715fcf
rhosdt/jaeger-ingester-rhel8@sha256:27b6554e746eae26692298e78d623b3b7dc6ba53330c5e398beacd8d41512732
rhosdt/jaeger-operator-bundle@sha256:f2ebe6b3b913ae5d0df0b985d4c2a93fc0f9dd90e97cdc2d39fdbb40a92c494a
rhosdt/jaeger-query-rhel8@sha256:db25d6492ba18bf18fe8f63c86a9d565938da15c7c639b77d6b9285db0174094
rhosdt/jaeger-rhel8-operator@sha256:c3b11d9f4e98457310bd5a2a782ef02c85dabd0a97e954a5c385f648e168b9ba
rhosdt/opentelemetry-collector-rhel8@sha256:b9f94f8023b1e904e874ff67b5829c3c0e0a44aaeda6e88f8f34fa92d5f8a62c
rhosdt/opentelemetry-operator-bundle@sha256:dcfa33e5ff47f227e6a27d3babd88b02d269e96fc040eb0bc4301edd62dd404b
rhosdt/opentelemetry-rhel8-operator@sha256:b5f01804dc8b8e1b0cc179dc79aff1298fe29c2239d694fedf958adee7e27ec3
rhosdt/tempo-gateway-opa-rhel8@sha256:ff6ebe99d093908235e41a3fc84a13ae4d4b647063d0a48925b5aaa0d3017724
rhosdt/tempo-gateway-rhel8@sha256:ec8e340dc736f5f1d8f0ac4f0b5d767660bbcdc96e2dbc48d8349f20c11e5c46
rhosdt/tempo-operator-bundle@sha256:c54b08652dfdecd90c604e144e08da7eb6908f89cf4b5fe9bcb7844d28a2a002
rhosdt/tempo-query-rhel8@sha256:8c0c9b1534e1c2e4c513b8cef10df8daf9aed0e1798b563667b50c3e8554979b
rhosdt/tempo-rhel8@sha256:e77206dcf8a958c662f816161d9fa942eb7cd1749aa165075805e0add74e4cfb
rhosdt/tempo-rhel8-operator@sha256:4d62e2ee295809b3cfd0f663892226f1c1f5cf4ccb841fb322149b1d4088f135

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.