Red Hat Product Errata RHSA-2024:1700 - Security Advisory
Issued:
2024-04-08
Updated:
2024-04-08

RHSA-2024:1700 - Security Advisory

Synopsis

Important: Errata Advisory for Red Hat OpenShift GitOps v1.10.4 security update

Type/Severity

Security Advisory: Important

Topic

An update is now available for Red Hat OpenShift GitOps v1.10.4. Red Hat
Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Errata Advisory for Red Hat OpenShift GitOps v1.10.4.

Security Fix(es):

  • argo-cd: Denial of Service Due to Unsafe Array Modification in Multi-threaded Environment (CVE-2024-21661)
  • argo-cd: Users with `create` but not `override` privileges can perform local sync (CVE-2023-50726)
  • argo-cd: Bypassing Brute Force Protection via Application Crash and In-Memory Data Loss (CVE-2024-21652)
  • argo-cd: uncontrolled resource consumption vulnerability (CVE-2024-29893)
  • argo-cd: Bypassing Rate Limit and Brute Force Protection Using Cache Overflow(CVE-2024-21662)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat OpenShift GitOps 1.10 x86_64
  • Red Hat OpenShift GitOps for IBM Power, little endian 1.10 ppc64le
  • Red Hat OpenShift GitOps for IBM Z and LinuxONE 1.10 s390x
  • Red Hat OpenShift GitOps for ARM 64 1.10 aarch64

Fixes

  • BZ - 2269479 - CVE-2023-50726 Argo CD: Users with `create` but not `override` privileges can perform local sync
  • BZ - 2270170 - CVE-2024-21652 argo-cd: Bypassing Brute Force Protection via Application Crash and In-Memory Data Loss
  • BZ - 2270173 - CVE-2024-21661 argo-cd: Denial of Service Due to Unsafe Array Modification in Multi-threaded Environment
  • BZ - 2270182 - CVE-2024-21662 argo-cd: Bypassing Rate Limit and Brute Force Protection Using Cache Overflow
  • BZ - 2272211 - CVE-2024-29893 argo-cd: uncontrolled memory allocation vulnerability

aarch64

openshift-gitops-1/argo-rollouts-rhel8@sha256:54d08845092953eb90563447db6061d0db9b414ae20b2fe88d725d9d0bf9e3e8
openshift-gitops-1/argocd-rhel8@sha256:065bf5f9e34cc22a1fbb6414c595910528bfc1742128a71880fd26118cab9c65
openshift-gitops-1/console-plugin-rhel8@sha256:11ba1b269f55ffe9fde39d911f6ac8d2efc58523b02642178cc4dc05b0530775
openshift-gitops-1/dex-rhel8@sha256:d692fbb1df809ecf83ed074c9b29cd3882590f88dcf8a4baa94553dd48749468
openshift-gitops-1/gitops-rhel8@sha256:2e9b3f4392115dde520fcd4850cbc5ec144b3eff1d979cb0a6b246a601621e33
openshift-gitops-1/gitops-rhel8-operator@sha256:cd2c0d4339fc02879008d31cffeb4af8f5153af59f075416b1dad7cf341d0444
openshift-gitops-1/kam-delivery-rhel8@sha256:3fab5ec91594d33ef9f06c310dc374b5c36a5e976a28f6c99e4c0e6418d9e499
openshift-gitops-1/must-gather-rhel8@sha256:94db2da6653de641ec792944bd27e7e8bc0faa6a1621a9d3f3c2fdbf1e42478c

ppc64le

openshift-gitops-1/argo-rollouts-rhel8@sha256:46cc90ff5d8e3be71bca64d8e9828eed5192a1f5977e56cd30532525f3b6a7e3
openshift-gitops-1/argocd-rhel8@sha256:d1fd491fde2306ac80e048721fdf71cf6f3c07cb622f8c2baf89361490cb48eb
openshift-gitops-1/console-plugin-rhel8@sha256:18bbb5cd8c229f1d42ef2226d3cb790e1174929bdd6c00be150345872873e881
openshift-gitops-1/dex-rhel8@sha256:15170b76ccc5bc579cd83b42203c06c8acc9c21650354b3f2242bb9dfe0991a1
openshift-gitops-1/gitops-rhel8@sha256:3a023dd599791a30efb76f1877ec37302fc00f07370c1dfd0b44c7024deb0af8
openshift-gitops-1/gitops-rhel8-operator@sha256:08b0db82840cec96793eae5997fa38798cfedd5f97ae98087b48c67c48f8a10b
openshift-gitops-1/kam-delivery-rhel8@sha256:5842940f4651c37f2914d606272598b42f9668b189d8dfd69607a8c9ce69ed59
openshift-gitops-1/must-gather-rhel8@sha256:5d394094da851d055c2c44788cc5114e456e1d6f4be01170b20d8f30b5e781e1

s390x

openshift-gitops-1/argo-rollouts-rhel8@sha256:8fb5db95ab144d9615f54de90784eddff20866f0737a0c8e518c9a0cd0d563c4
openshift-gitops-1/argocd-rhel8@sha256:e8a2bd1bc3c635e274263a2c2dfbec269ad3457ff724acf4d3955795c03fd342
openshift-gitops-1/console-plugin-rhel8@sha256:d3ac1434e9ed67672412e8bc34c86d6cdd923df03cd53fd7db276f4a217e977e
openshift-gitops-1/dex-rhel8@sha256:229bcd4a16087125c39dafe272a6f11de4a10992a5e40f86dd70e9e0c559454d
openshift-gitops-1/gitops-rhel8@sha256:301fdc294a4d8fd99b76554117d063a3533007649c3883838fbebe84bcd80df8
openshift-gitops-1/gitops-rhel8-operator@sha256:d71e522331b9f623f2f3d7d7d44203d757494e71fa7a7de714651345638e3ad5
openshift-gitops-1/kam-delivery-rhel8@sha256:2a8b7da525a1095cc82e8be9cae1799694227c05c98f86ef5795d5e140556603
openshift-gitops-1/must-gather-rhel8@sha256:76d564acd106a6a1a7bd7522a7e63d9f77e5e4d9b4a823744328a6e19e9cc06a

x86_64

openshift-gitops-1/argo-rollouts-rhel8@sha256:6a57219d4878ddb4678b2fc2312e728e6656ab11f976798de055855a280c3f32
openshift-gitops-1/argocd-rhel8@sha256:5699abd15b15bab2581fb5068a4492d24ecf6e82825b9538f63145f2c8f6356a
openshift-gitops-1/console-plugin-rhel8@sha256:527f500b8a50923d4ffc1b3b41718f1fec79b72896f3988fbf7fdc2b2fe9396b
openshift-gitops-1/dex-rhel8@sha256:5fa29842159465bffc0318152991562659b9925d904219d341fa1a7ae499b4c4
openshift-gitops-1/gitops-operator-bundle@sha256:caae910cb099a74d24e3eab649231240bbb2064c8dcb059efeec5cd25b78602e
openshift-gitops-1/gitops-rhel8@sha256:b2bab868a601143131434349afbe77f3d31023c1f8d48419c8846e2013c44b26
openshift-gitops-1/gitops-rhel8-operator@sha256:809dfe55f788fed0e4359416b0342d079030235a30148c6c1a5b301e1eae236c
openshift-gitops-1/kam-delivery-rhel8@sha256:edf33e8a2678cfe91b942c0e8e096a0cc1ce2d0e329540c30a45f84a33c8f318
openshift-gitops-1/must-gather-rhel8@sha256:f023473103d2a54daad783d4f479f79f8a2d7db78a5bab1781c19b9e250cf4db

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.