Red Hat Product Errata RHSA-2023:7521 - Security Advisory
Issued:
2023-11-28
Updated:
2023-11-28

RHSA-2023:7521 - Security Advisory

Synopsis

Important: OpenShift Virtualization 4.13.6 RPMs security and bug fix update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

Red Hat OpenShift Virtualization release 4.13.6 is now available with updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform.

This advisory contains OpenShift Virtualization 4.13.6 RPMs.

Security Fix(es):

  • golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)
  • HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

  • 4.13.6 rpms (BZ#2251683)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Container Native Virtualization 4.13 for RHEL 9 x86_64
  • Red Hat Container Native Virtualization 4.13 for RHEL 8 x86_64
  • Red Hat Container Native Virtualization 4.13 for RHEL 7 x86_64
  • Red Hat Container Native Virtualization for ARM 64 4.13 for RHEL 9 aarch64
  • Red Hat Container Native Virtualization for ARM 64 4.13 for RHEL 8 aarch64

Fixes

  • BZ - 2242803 - CVE-2023-44487 HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)
  • BZ - 2243296 - CVE-2023-39325 golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)
  • BZ - 2251683 - 4.13.6 rpms

Red Hat Container Native Virtualization 4.13 for RHEL 9

SRPM
kubevirt-4.13.6-1596.el9.src.rpm SHA-256: 81d9d9d437420ad0248990dff3c2a97165cc3a2c78800e008150545af99ab98f
x86_64
kubevirt-virtctl-4.13.6-1596.el9.x86_64.rpm SHA-256: d110390e91a943808779a656a85ba5e58b362b36ef0551306a443fc8cb31aab8
kubevirt-virtctl-redistributable-4.13.6-1596.el9.x86_64.rpm SHA-256: 412adb84e347bdea3c50884b830685e818e203e78217c60f1140f8e2038ed7c4

Red Hat Container Native Virtualization 4.13 for RHEL 8

SRPM
kubevirt-4.13.6-1596.el8.src.rpm SHA-256: 20008263de8bf159b3b5e10b2e7658df6e935e4e1d6c0890bd52b22d1e4b49bf
x86_64
kubevirt-virtctl-4.13.6-1596.el8.x86_64.rpm SHA-256: e851326be38e854ac50f9b74d876f296bd594f218157926d3c2ac55e8d062438
kubevirt-virtctl-redistributable-4.13.6-1596.el8.x86_64.rpm SHA-256: da35dec848f257abd43859b2cfbf79bedca224fe74490578fe64a8a6511c5f0e

Red Hat Container Native Virtualization 4.13 for RHEL 7

SRPM
kubevirt-4.13.6-1596.el7.src.rpm SHA-256: a7c2f1f04cffdaa598276c0481254506923e1eb0ab796f826a949310b08ffa0b
x86_64
kubevirt-virtctl-4.13.6-1596.el7.x86_64.rpm SHA-256: b833b808ae4a047df4a90300642e0d3770a2d2002e05e84f7e3eab173e616c44
kubevirt-virtctl-redistributable-4.13.6-1596.el7.x86_64.rpm SHA-256: 6c7fae4e9096f822e0e8796c1eadf8eb4cbb075503362661dc2fad1f79842ac3

Red Hat Container Native Virtualization for ARM 64 4.13 for RHEL 9

SRPM
kubevirt-4.13.6-1596.el9.src.rpm SHA-256: 81d9d9d437420ad0248990dff3c2a97165cc3a2c78800e008150545af99ab98f
aarch64
kubevirt-virtctl-4.13.6-1596.el9.aarch64.rpm SHA-256: c3fda4a14881e8b99261f874550cb1a7c9398769d2c6bb1a6b2e5b71e55839ca
kubevirt-virtctl-redistributable-4.13.6-1596.el9.aarch64.rpm SHA-256: a0dda74a2529f1794fc7e744d0612c828c410cfe18cc0971fc5ad4cbabee18c1

Red Hat Container Native Virtualization for ARM 64 4.13 for RHEL 8

SRPM
kubevirt-4.13.6-1596.el8.src.rpm SHA-256: 20008263de8bf159b3b5e10b2e7658df6e935e4e1d6c0890bd52b22d1e4b49bf
aarch64
kubevirt-virtctl-4.13.6-1596.el8.aarch64.rpm SHA-256: 711e2651e3b8b8e82d49a17de58480940acaf47cd987748e1730d7fb6b5d63e3
kubevirt-virtctl-redistributable-4.13.6-1596.el8.aarch64.rpm SHA-256: 5cfc702a7f833b8c7d3f8accee8a8988d04147dc40c96225411336cc132433ab

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.