Red Hat Product Errata RHSA-2024:0269 - Security Advisory
Issued:
2024-02-28
Updated:
2024-02-28

RHSA-2024:0269 - Security Advisory

Synopsis

Moderate: Run Once Duration Override Operator for Red Hat OpenShift 1.1.0 for RHEL 9

Type/Severity

Security Advisory: Moderate

Topic

An update for run-once-duration-override-container, run-once-duration-override-operator-bundle-container, and run-once-duration-override-operator-container is now available for RODOO-1.1-RHEL-9.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The Run Once Duration Override Operator for Red Hat OpenShift is an optional
operator that makes it possible to override activeDeadlineSecondsOverride
field during pod admission.

Security Fix(es):

  • golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)
  • HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)
  • golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests (CVE-2023-39326)
  • golang: crypto/tls: Timing Side Channel attack in RSA based TLS key exchanges. (CVE-2023-45287)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Run Once Duration Override Operator 1 for RHEL 9 x86_64

Fixes

  • BZ - 2242803 - CVE-2023-44487 HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)
  • BZ - 2243296 - CVE-2023-39325 golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)
  • BZ - 2253193 - CVE-2023-45287 golang: crypto/tls: Timing Side Channel attack in RSA based TLS key exchanges.
  • BZ - 2253330 - CVE-2023-39326 golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests
  • WRKLDS-897 - New RODOO 1.1.0 release
  • OCPBUGS-25123 - [RFE] successful with warnings are shown when fips scan testing is done for RODO

x86_64

run-once-duration-override-operator/run-once-duration-override-operator-bundle@sha256:0cf817432277977ae75e28b95be321ff92600fb57f89b54533272657430d16f2
run-once-duration-override-operator/run-once-duration-override-rhel9@sha256:46a4a497fe26e9b7f288e82aff25a1af02f40baa97174321ea2f413a1aeb326f
run-once-duration-override-operator/run-once-duration-override-rhel9-operator@sha256:4547ff6c810aa975406cf5e510524e657e2465b15344a83bb5e988829526e89a

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.