Red Hat Product Errata RHSA-2024:0766 - Security Advisory
Issued:
2024-02-28
Updated:
2024-02-28

RHSA-2024:0766 - Security Advisory

Synopsis

Critical: OpenShift Container Platform 4.15.0 security update

Type/Severity

Security Advisory: Critical

Topic

Red Hat OpenShift Container Platform release 4.15.0 is now available with
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container
Platform 4.15.

Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

Description

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

Security Fix(es):

  • opentelemetry: DoS vulnerability in otelhttp (CVE-2023-45142)
  • opentelemetry-go-contrib: DoS vulnerability in otelgrpc due to unbound

cardinality metrics (CVE-2023-47108)

  • ssh: Prefix truncation attack on Binary Packet Protocol (BPP)

(CVE-2023-48795)

  • golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-39325) (CVE-2023-44487)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s)
listed in the References section.

Solution

See the following documentation, which will be updated shortly for this
release, for important instructions on how to upgrade your cluster and
fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.15/release_notes/ocp-4-15-release-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.15/updating/updating_a_cluster/updating-cluster-cli.html

Affected Products

  • Red Hat OpenShift Container Platform 4.15 for RHEL 9 x86_64
  • Red Hat OpenShift Container Platform 4.15 for RHEL 8 x86_64
  • Red Hat OpenShift Container Platform for Power 4.15 for RHEL 9 ppc64le
  • Red Hat OpenShift Container Platform for Power 4.15 for RHEL 8 ppc64le
  • Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.15 for RHEL 9 s390x
  • Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.15 for RHEL 8 s390x
  • Red Hat OpenShift Container Platform for ARM 64 4.15 for RHEL 9 aarch64
  • Red Hat OpenShift Container Platform for ARM 64 4.15 for RHEL 8 aarch64

Fixes

  • BZ - 2243296 - CVE-2023-39325 golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)
  • BZ - 2245180 - CVE-2023-45142 opentelemetry: DoS vulnerability in otelhttp
  • BZ - 2251198 - CVE-2023-47108 opentelemetry-go-contrib: DoS vulnerability in otelgrpc due to unbound cardinality metrics
  • BZ - 2254210 - CVE-2023-48795 ssh: Prefix truncation attack on Binary Packet Protocol (BPP)

aarch64

openshift4/ose-aws-efs-csi-driver-container-rhel8@sha256:52f97b60aace7aaaa22b5a790c56261dd2ab2d9396b80499ed3985906167f80f
openshift4/ose-aws-efs-csi-driver-rhel8-operator@sha256:f7d7c1376a89e246f09e9d8beb4b65c14d12dd072638b226b780f4abe1f45d99
openshift4/ose-cloud-event-proxy-rhel9@sha256:3905aee5836e2ce3b9572f5946731329b9b3a31a87e2dd61598ea93053c67918
openshift4/ose-ptp-rhel9-operator@sha256:7b5d1d62057e450200fb37baf3d4f4111e7738bc3029c735e6de5b1b0710fed8

ppc64le

openshift4/ose-cloud-event-proxy-rhel9@sha256:e2f61b3ff01d7c47ad76cd4f46e07b2ef96d4a5f2f74bc53bc19dca9bfc645b9
openshift4/ose-ptp-rhel9-operator@sha256:af40b6ea728a0ab474a53509ba4d944133d1f70710ce99816658ce30ada3f88c

x86_64

openshift4/ingress-node-firewall-operator-bundle@sha256:ad4c55b7cc6cdc8a9ecff84e839b0b475de0b50c20db7926964d069ce8a7ceed
openshift4/kubernetes-nmstate-operator-bundle@sha256:311a354ab15895b2ba12b17046aedcc4cd95f384969a74d6decf45ee36875fb1
openshift4/ose-aws-efs-csi-driver-container-rhel8@sha256:76b89600c2cbe4f15de39caa3343fd7156a9f0422f46e768c3b2c5ce01919497
openshift4/ose-aws-efs-csi-driver-operator-bundle@sha256:b7dcc39a068b4b706b36307b255b3997001bd93f403449496dee27edd19fb4ab
openshift4/ose-aws-efs-csi-driver-rhel8-operator@sha256:0cd3b44d1d6ecb9ab893adae94a3da6a4843882e65b4e1da860a542fe47ed33c
openshift4/ose-cloud-event-proxy-rhel9@sha256:71813d71dbc4223cbf323ac4d9e9416f71991585b441f34e5e63084eca0dfad0
openshift4/ose-cluster-nfd-operator-bundle@sha256:f088af61fabb1c5dd221eb5815a8a0f5dda36805356a642077a0f37efb5cc272
openshift4/ose-clusterresourceoverride-operator-bundle@sha256:94e5af0c9d1caea39256063cdbc089bac09d743a9c0b14d403643c5a55af3d9e
openshift4/ose-gcp-filestore-csi-driver-operator-bundle@sha256:ca0381b535092e1b260a5f4b37b0401eb24f704ed1f33f38ab43d69ed6784e0a
openshift4/ose-local-storage-operator-bundle@sha256:b73ac17534596ae64be84320ea57ff61ff0c2603474f08dd0053cafbf0b0e929
openshift4/ose-metallb-operator-bundle@sha256:91d9f032a45c619dfc3ab1110b331a80b746c5547096a9e8f26e1ab0f0dce6ac
openshift4/ose-ptp-operator-metadata@sha256:b892b627d6bb32c2e550392b655c816ec909e1229d3cc8818a9334ea7e8d69cd
openshift4/ose-ptp-operator-bundle@sha256:b892b627d6bb32c2e550392b655c816ec909e1229d3cc8818a9334ea7e8d69cd
openshift4/ose-ptp-rhel9-operator@sha256:23c0816967bb826b4885b5104b584634a76b81d10d1a623f51605023aa8c7fa6
openshift4/ose-secrets-store-csi-driver-operator-bundle@sha256:ff57e48dbd3e1ea53866839482720c83ec1004ee550546021e02ffeb6ddc03a5
openshift4/ose-sriov-network-operator-bundle@sha256:805228e933414ee055fb3d733c6f270f29ac259b36288a8b3c6181f4a94329cc
openshift4/ose-vertical-pod-autoscaler-operator-metadata@sha256:451dcb081b95927c895f69b784cc4d29c2c0075368acc38c99fa09234d191ad0
openshift4/ose-vertical-pod-autoscaler-operator-bundle@sha256:451dcb081b95927c895f69b784cc4d29c2c0075368acc38c99fa09234d191ad0

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.