Red Hat Product Errata RHSA-2024:1753 - Security Advisory
Issued:
2024-04-10
Updated:
2024-04-10

RHSA-2024:1753 - Security Advisory

Synopsis

Important: Errata Advisory for Red Hat OpenShift GitOps v1.12.1 security update

Type/Severity

Security Advisory: Important

Topic

An update is now available for Red Hat OpenShift GitOps v1.12.1. Red Hat
Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Errata Advisory for Red Hat OpenShift GitOps v1.12.1.

Security Fix(es):

  • argo-cd: Denial of Service Due to Unsafe Array Modification in Multi-threaded Environment (CVE-2024-21661)
  • argo-cd: Users with `create` but not `override` privileges can perform local sync (CVE-2023-50726)
  • argo-cd: Bypassing Brute Force Protection via Application Crash and In-Memory Data Loss (CVE-2024-21652)
  • argo-cd: uncontrolled resource consumption vulnerability (CVE-2024-29893)
  • argo-cd: Bypassing Rate Limit and Brute Force Protection Using Cache Overflow (CVE-2024-21662)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat OpenShift GitOps 1.12 for RHEL 9 x86_64
  • Red Hat OpenShift GitOps 1.12 for RHEL 8 x86_64
  • Red Hat OpenShift GitOps for IBM Power, little endian 1.12 ppc64le
  • Red Hat OpenShift GitOps for IBM Z and LinuxONE 1.12 s390x
  • Red Hat OpenShift GitOps for ARM 64 1.12 for RHEL 9 aarch64
  • Red Hat OpenShift GitOps for ARM 64 1.12 for RHEL 8 aarch64

Fixes

  • BZ - 2269479 - CVE-2023-50726 Argo CD: Users with `create` but not `override` privileges can perform local sync
  • BZ - 2270170 - CVE-2024-21652 argo-cd: Bypassing Brute Force Protection via Application Crash and In-Memory Data Loss
  • BZ - 2270173 - CVE-2024-21661 argo-cd: Denial of Service Due to Unsafe Array Modification in Multi-threaded Environment
  • BZ - 2270182 - CVE-2024-21662 argo-cd: Bypassing Rate Limit and Brute Force Protection Using Cache Overflow
  • BZ - 2272211 - CVE-2024-29893 argo-cd: uncontrolled memory allocation vulnerability

aarch64

openshift-gitops-1/argo-rollouts-rhel8@sha256:1996e6120039d1991c60e6c9168d97e901baad12e03ec41ff8df2bce625c5f58
openshift-gitops-1/argocd-rhel8@sha256:7c77e180f4cad6abb7b2a780fbdecc8e82421d60dcfd84a749f58a018631442c
openshift-gitops-1/argocd-rhel9@sha256:3b7205423e557ce1253ea44164443b4831a6fdcdb14256c63a450b0d617308d9
openshift-gitops-1/console-plugin-rhel8@sha256:02df64cedfc32151b4d87a3e5bb8da572c74282039dad0c9099fb453149d3cc9
openshift-gitops-1/dex-rhel8@sha256:a66a27e3e7c0707568bb5dafde4be5b987b60e67b21f8085bba4d62c0bcd9bf5
openshift-gitops-1/gitops-rhel8@sha256:be214deda93eb2f6ba68bdc980274eeb31588fa270803981e681ae5d281bdbce
openshift-gitops-1/gitops-rhel8-operator@sha256:b2ea9040aedb1b3515b130111780cfe1f107486002e72d8a4a4966b3c7908f64
openshift-gitops-1/kam-delivery-rhel8@sha256:7282760e74eeb8245fb729d968618305ef9643d88a42e22c43304936d13b7ac5
openshift-gitops-1/must-gather-rhel8@sha256:2d800d72ff7d42d42c342f8b1ae15f4ac56abeb4c10c1d7a4610fe94bea48a5f

ppc64le

openshift-gitops-1/argo-rollouts-rhel8@sha256:be89b39e95bef95de6adb37200a2fabf776bf402d3379bb72dfe79fc1afe40c2
openshift-gitops-1/argocd-rhel8@sha256:538a00be647226ff940e164e582614bfab1baf4eaab05e660d823c93962d1ab3
openshift-gitops-1/console-plugin-rhel8@sha256:40fd1203c93f5d0ac9bd9c11407eae1925b0776240dfe0216a9b7c90c9feb742
openshift-gitops-1/dex-rhel8@sha256:fc92f6110cb92f022c6173dbee003d9504b010dbcf908c782c18db0eda866b40
openshift-gitops-1/gitops-rhel8@sha256:8cc320e203dc21e39a0099d216282f509b1aeedc4da069e8c2d469c856eb03f1
openshift-gitops-1/gitops-rhel8-operator@sha256:9d43cec5e46f4f7927580781acc163f1a8112b6c5d4e048198275ab63a501f32
openshift-gitops-1/kam-delivery-rhel8@sha256:2af8c694c8f7446a07394b602771d6d4a2ba035ac85f3982226cbbef98dee304
openshift-gitops-1/must-gather-rhel8@sha256:0b75b8988ec088a503144c2f12ff907951555e23d9c747c3511512d533952a71

s390x

openshift-gitops-1/argo-rollouts-rhel8@sha256:365858cdc250f1a144c16c51b362b2f2a95f3325e89bf19da5e3100f63dd8789
openshift-gitops-1/argocd-rhel8@sha256:4bbaa7645f8fdfbf72513813a69aa4128a9206063d444b9b59638fcc2e3193f1
openshift-gitops-1/console-plugin-rhel8@sha256:450dfe0508806d52b93e416257c8a20933fb6c0410e6b06fd894e490c94deca3
openshift-gitops-1/dex-rhel8@sha256:c25ffaf0d086b4016bbde60873f15d01fa41f263b753747ab43ed06754cc9c79
openshift-gitops-1/gitops-rhel8@sha256:4ca7fed5219b710b8458a0af33e1c9b3206e7c943e4eeec238a7ea3ab5141fc3
openshift-gitops-1/gitops-rhel8-operator@sha256:a109ba58dd26f12c88472cab9b9a07b5a0e0ce0821f46841d24b4324ada14610
openshift-gitops-1/kam-delivery-rhel8@sha256:887265df7563fd6974410dd47d268a70c64d0e683b3c6f38478b2ad63e1b1f5c
openshift-gitops-1/must-gather-rhel8@sha256:e71351eb90343778bc4b5ff770ffe71af165e73c19889d63ebb190d75e6eaccb

x86_64

openshift-gitops-1/argo-rollouts-rhel8@sha256:317da841207e7aa35c328bcba773f0fc7f44e7881a9fc6cf199d035bd7c23953
openshift-gitops-1/argocd-rhel8@sha256:0eb3bac4f1b9e56046427bba40cc37e6b5e8376a93fe56b3fa1877fcb8b3d19b
openshift-gitops-1/argocd-rhel9@sha256:9e77cbf2cca74e09b4be037cb95673e510e8a821d2e27de04777bd6d8b4abb62
openshift-gitops-1/console-plugin-rhel8@sha256:a8e77cf16115a70efdd28ad422e09d505f0fc46e3fdae502ccaff273914754ea
openshift-gitops-1/dex-rhel8@sha256:dab5416df5a257ac6125461fde174cb2e33cc94367ca59cce401ebc429d052fb
openshift-gitops-1/gitops-operator-bundle@sha256:c5df7064de09d09b86003872ca032b6def36feaad63a303cc575a8feea704bf7
openshift-gitops-1/gitops-rhel8@sha256:8be733a39f4e86bc505af074d4abb02c8bca665d4a0fc24af078acfcf75d6046
openshift-gitops-1/gitops-rhel8-operator@sha256:52401877747749c1be6f67e4c2d405b4f40a04b1511603b88ad70c1b38a399f4
openshift-gitops-1/kam-delivery-rhel8@sha256:45d3059e06cb6405b046302ba15f7a40b6bd0d006603533fd3546649c9e8ccae
openshift-gitops-1/must-gather-rhel8@sha256:921b6193b7b99b45e3eac203661a18ba65675390cefad3f131913fbf4f2a3fee

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.