RHSA-2024:0989 - Security Advisory

Topic

Red Hat Multicluster GlobalHub 1.0.2 General
Availability release images, which fix bugs, provide security updates, and update container images.

Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE links in the References section.

Description

Red Hat Multicluster GlobalHub 1.0.2 images

This advisory contains the container images for Red Hat Multicluster
GlobalHub, which fix several bugs.

Security fix(es):
CVE-2023-49568 go-git: Maliciously crafted Git server replies can cause DoS on
go-git clients
CVE-2023-49569 go-git: Maliciously crafted Git server replies can lead to path
traversal and RCE on go-git clients

Solution

See the multicluster global hub product documentation for more information:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.9/html-single/multicluster_global_hub/index

Affected Products

• Multicluster Global Hub 1.0 x86_64

Fixes

• BZ - 2258143 - CVE-2023-49569 go-git: Maliciously crafted Git server replies can lead to path traversal and RCE on go-git clients
• BZ - 2258165 - CVE-2023-49568 go-git: Maliciously crafted Git server replies can cause DoS on go-git clients

CVEs

• CVE-2021-35937
• CVE-2021-35938
• CVE-2021-35939
• CVE-2023-3446
• CVE-2023-3817
• CVE-2023-5678
• CVE-2023-7104
• CVE-2023-27043
• CVE-2023-39615
• CVE-2023-43804
• CVE-2023-45803
• CVE-2023-48795
• CVE-2023-49568
• CVE-2023-49569
• CVE-2024-0553

References

• https://access.redhat.com/security/updates/classification/#critical