Issued:: 2024-11-25
Updated:: 2024-11-25

RHSA-2024:10236 - Security Advisory

Overview
Updated Images

Synopsis

Important: Red Hat OpenShift Dev Spaces 3.17.0 release

Type/Severity

Security Advisory: Important

Topic

Red Hat OpenShift Dev Spaces 3.17 has been released.

All containers have been updated to include feature enhancements, bug fixes and CVE fixes. This includes fixes to Critical CVE-2024-21534.

Following the Red Hat Product Security standards this update is rated as having a security impact of Important. The Common Vulnerability Scoring System (CVSS) base score is available for every fixed CVE in the references section.

Description

Red Hat OpenShift Dev Spaces provides a cloud developer workspace server and a browser-based IDE built for teams and organizations. Dev Spaces runs in OpenShift and is well-suited for container-based development.

The 3.17 release is based on Eclipse Che 7.92 and uses the DevWorkspace engine to provide support for workspaces based on devfile v2.1 and v2.2.

This release provides fixes for CVE-2024-21534, CVE-2024-29415, CVE-2024-34156, CVE-2024-45296, CVE-2024-45813, CVE-2024-47875, and CVE-2024-48949. CVE-2024-29415 addresses an incomplete fix for CVE-2023-42282.

Users still using the v1 standard should migrate as soon as possible.

https://devfile.io/docs/2.2.0/migrating-to-devfile-v2

Dev Spaces releases support the latest two OpenShift 4 EUS releases. Users are expected to update to newer OpenShift releases in order to continue to get Dev Spaces updates.

https://access.redhat.com/support/policy/updates/openshift#crw

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat OpenShift Dev Spaces 3 x86_64

Fixes

BZ - 2265161 - CVE-2023-42282 nodejs-ip: arbitrary code execution via the isPublic() function
BZ - 2284554 - CVE-2024-29415 node-ip: Incomplete fix for CVE-2023-42282
BZ - 2310528 - CVE-2024-34156 encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion
BZ - 2310908 - CVE-2024-45296 path-to-regexp: Backtracking regular expressions cause ReDoS
BZ - 2313383 - CVE-2024-45813 find-my-way: ReDoS vulnerability in multiparametric routes
BZ - 2317724 - CVE-2024-48949 elliptic: Missing Validation in Elliptic's EDDSA Signature Verification
BZ - 2317968 - CVE-2024-21534 jsonpath-plus: Remote Code Execution in jsonpath-plus via Improper Input Sanitization
BZ - 2318052 - CVE-2024-47875 dompurify: nesting-based mutation XSS vulnerability
CRW-7528 - DS 3.17 Overall Epic

CVEs

CVE-2018-12699
CVE-2019-12900
CVE-2020-26154
CVE-2021-3903
CVE-2021-43618
CVE-2021-46848
CVE-2022-1271
CVE-2022-36227
CVE-2022-48554
CVE-2022-48773
CVE-2022-48936
CVE-2023-2602
CVE-2023-2603
CVE-2023-7104
CVE-2023-27349
CVE-2023-29491
CVE-2023-37920
CVE-2023-38709
CVE-2023-42282
CVE-2023-44431
CVE-2023-45866
CVE-2023-47038
CVE-2023-50229
CVE-2023-50230
CVE-2023-51580
CVE-2023-51589
CVE-2023-51592
CVE-2023-51594
CVE-2023-51596
CVE-2023-52492
CVE-2024-2236
CVE-2024-2398
CVE-2024-2511
CVE-2024-3596
CVE-2024-3651
CVE-2024-3727
CVE-2024-4603
CVE-2024-4741
CVE-2024-5535
CVE-2024-6104
CVE-2024-6232
CVE-2024-6655
CVE-2024-7006
CVE-2024-9341
CVE-2024-9676
CVE-2024-21534
CVE-2024-24788
CVE-2024-24791
CVE-2024-24795
CVE-2024-24857
CVE-2024-25062
CVE-2024-26851
CVE-2024-26924
CVE-2024-26976
CVE-2024-27017
CVE-2024-27062
CVE-2024-27856
CVE-2024-28834
CVE-2024-28835
CVE-2024-29415
CVE-2024-32002
CVE-2024-32004
CVE-2024-32020
CVE-2024-32021
CVE-2024-32465
CVE-2024-34155
CVE-2024-34156
CVE-2024-34158
CVE-2024-34397
CVE-2024-35839
CVE-2024-35898
CVE-2024-35939
CVE-2024-38540
CVE-2024-38541
CVE-2024-38586
CVE-2024-38608
CVE-2024-39331
CVE-2024-39503
CVE-2024-40866
CVE-2024-40924
CVE-2024-40961
CVE-2024-40983
CVE-2024-40984
CVE-2024-41009
CVE-2024-41042
CVE-2024-41066
CVE-2024-41092
CVE-2024-41093
CVE-2024-42070
CVE-2024-42079
CVE-2024-42244
CVE-2024-42283
CVE-2024-42284
CVE-2024-42292
CVE-2024-42301
CVE-2024-42472
CVE-2024-43854
CVE-2024-43880
CVE-2024-43889
CVE-2024-43892
CVE-2024-44082
CVE-2024-44185
CVE-2024-44187
CVE-2024-44244
CVE-2024-44935
CVE-2024-44989
CVE-2024-44990
CVE-2024-45018
CVE-2024-45296
CVE-2024-45813
CVE-2024-46679
CVE-2024-46824
CVE-2024-46826
CVE-2024-46858
CVE-2024-47175
CVE-2024-47668
CVE-2024-47875
CVE-2024-48949
CVE-2024-50602
CVE-2024-52530
CVE-2024-52532
CVE-2024-54534

References

https://access.redhat.com/security/updates/classification/#important

ppc64le

devspaces/code-rhel8@sha256:7d8ade3bd7749389768efe998e8abb926e711863709366b4cb272f9139426cb3

devspaces/configbump-rhel8@sha256:b99750c52fed441b2faf995a7eb3bfe83aad853d9e9ae26f2556f5efd2fce662

devspaces/dashboard-rhel8@sha256:20428bc20147f9c7f0f99aa5f2f8e711e36e82a080df2701e7c7cdd247e839ad

devspaces/devspaces-operator-bundle@sha256:4918d11864a079f3c6bd3f5e39326c34eec2a528f64a4fe3b5f35d99507dbfe2

devspaces/devspaces-rhel8-operator@sha256:25c5bbe58c746a3d4d41b90f04026728c001ab8e3dddf61523d0830b0097455b

devspaces/imagepuller-rhel8@sha256:338d93fda80d0c86e58807f9f0909d8b1ddbc8693076619b3a32ea23c0142cff

devspaces/machineexec-rhel8@sha256:602db7874132ce8e37e4399a38e9e7806123071c33a13c2efacdfe5465f41147

devspaces/pluginregistry-rhel8@sha256:a1c52cd0e68cbb12d3b80445631857fb95b7400db8c8ad092bda99493c56e913

devspaces/server-rhel8@sha256:81e1327cdcd4af6c801db90e4ef998f6b4701a5b3a73464ae2448bc23c83e334

devspaces/traefik-rhel8@sha256:fbf8735d035e53c538d9b6eab5a875d4c0a634c7b5c61010caebb8aa2622ef3c

devspaces/udi-rhel8@sha256:68fb1404dc083c8726843c1bdda0e9ee7fd14023eaf2637e3efe9d7356f426ca

s390x

devspaces/code-rhel8@sha256:1661e168db3b442b9de9023fb55261c1549fd034f42ab0ab0b04ad4ec7394ec0

devspaces/configbump-rhel8@sha256:fc0165f7dc4e44da73898ff0db8f3f174d1c04f3b7c068398d88b9ce5a0289b6

devspaces/dashboard-rhel8@sha256:adddc36181deb1e31265d234ae6c79da78960dd153e086b0a7f7a0284243676c

devspaces/devspaces-operator-bundle@sha256:c667834c64b1b67d41637f7fa854c1eb105cef5276113e4b848f1f4c206d20e8

devspaces/devspaces-rhel8-operator@sha256:863213cda25827e6fc1d9167740587ccfcacf2dd0042e810d87193be8be5ae00

devspaces/imagepuller-rhel8@sha256:a983f5c523406a811ebcefbf855e378dfb99356b529a5f0f6027b852a147ed53

devspaces/machineexec-rhel8@sha256:d3b118c414b28deef0d2bb1305208b7e3727f3431f49f1dd1e5902468281bc65

devspaces/pluginregistry-rhel8@sha256:be18a2a7149ccbf20657598d109858e24a1c950fc2e883e99eaa09d8326ba440

devspaces/server-rhel8@sha256:86485aeaef5e5f881fe04d622e00c18a7a548d83d56769435cead5e5765ec031

devspaces/traefik-rhel8@sha256:d613c45bc0586d7c5c9ca48742ff647111b43d842f15278ec83b86cb84246c67

devspaces/udi-rhel8@sha256:538541d44c663c8dc78353ab6bf6f64d0ee124ec7ba7fbbe767ebe221f86a5fc

x86_64

devspaces/code-rhel8@sha256:2a4deccbc7b8c5bc53f2fde315ccd93e7f2c2022e9288f7a93ed642feb808dc1

devspaces/configbump-rhel8@sha256:175d0c7a1c89f6405528dbe16e7d5fe3efa2475b93182c7d7c0a5e0e15b3d292

devspaces/dashboard-rhel8@sha256:95302249f869bd80308548a63683bb892ca40e876561fea204169f405bb220e7

devspaces/devspaces-operator-bundle@sha256:c881a85b40057e057c5346fca66c787d4fe588ccb34893b88e40fcdf8747ace1

devspaces/devspaces-rhel8-operator@sha256:4a616290ed8f7ff7dc4ad5ba5c4768e01a1f235bd367e255a873d7dde896d90e

devspaces/idea-rhel8@sha256:d256172baee177866046ea38a6b4e1a59c910b602bcdfbcba335f4db3e96fac0

devspaces/imagepuller-rhel8@sha256:135de7c6261a9a7bb2c494c01d23c991f20985103feb00691f7c7a0ee55a0e56

devspaces/machineexec-rhel8@sha256:d892d008651e973127665947e9ece200bca3294dbc147f4a02c09302dd18da91

devspaces/pluginregistry-rhel8@sha256:d49599eac56dced469441e255c7f8dfdeb5a119049e914b17a3aa386cbf6d384

devspaces/server-rhel8@sha256:6b6a0ede706aa650e40ff3592cb8f045c91cbdcbe06b6e0b3b71b617151391af

devspaces/traefik-rhel8@sha256:00da91880194659c5b62835590cd31d7c80b8a9e5ce7575a7dc4e3f6741b8a81

devspaces/udi-rhel8@sha256:77a5001120df3d8890af1e3cfbb891767810b977c9d2a111c781564e992aea65

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation