Red Hat Product Errata RHSA-2024:2088 - Security Advisory
Issued:
2024-04-29
Updated:
2024-04-29

RHSA-2024:2088 - Security Advisory

Synopsis

Important: Red Hat build of Cryostat security update

Type/Severity

Security Advisory: Important

Topic

An update is now available for the Red Hat build of Cryostat 2 on RHEL 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

An update is now available for the Red Hat build of Cryostat 2 on RHEL 8.

Security Fix(es):

  • vert.x: io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx (CVE-2024-1023)
  • vertx-core: io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support (CVE-2024-1300)
  • golang: net/http: memory exhaustion in Request.ParseMultipartForm (CVE-2023-45290)
  • golang: crypto/x509: Verify panics on certificates with an unknown public key algorithm (CVE-2024-24783)
  • golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS (CVE-2023-45288)
  • netty-codec-http: Allocation of Resources Without Limits or Throttling (CVE-2024-29025)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Cryostat 2 x86_64

Fixes

  • BZ - 2260840 - CVE-2024-1023 io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx
  • BZ - 2263139 - CVE-2024-1300 io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support
  • BZ - 2268017 - CVE-2023-45290 golang: net/http: memory exhaustion in Request.ParseMultipartForm
  • BZ - 2268019 - CVE-2024-24783 golang: crypto/x509: Verify panics on certificates with an unknown public key algorithm
  • BZ - 2268273 - CVE-2023-45288 golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS
  • BZ - 2272907 - CVE-2024-29025 netty-codec-http: Allocation of Resources Without Limits or Throttling

aarch64

cryostat-tech-preview/cryostat-grafana-dashboard-rhel8@sha256:c6f6accf2843a8d682184c4856ed4a33718598ac93f408a6ae176499afebb98c
cryostat-tech-preview/cryostat-operator-bundle@sha256:a737d333ff2270d1c4c5cdee31395840118f8845f1721215a0ed3339d6c0bfc7
cryostat-tech-preview/cryostat-reports-rhel8@sha256:59d2392e2a211b2abfe7d7f077037a3b7d6a5a6300c993d8dd11ab6a833cdaed
cryostat-tech-preview/cryostat-rhel8@sha256:d8b2fe76c91ac7bfc781cb4b73289dfe88f3add9a9e3d2f452c9e1034d83a2c8
cryostat-tech-preview/cryostat-rhel8-operator@sha256:ecbc8c12eb93ba51d9f20bc53f6d83b730e0fd3a48facc3331daa34bd38fefdf
cryostat-tech-preview/jfr-datasource-rhel8@sha256:9b0de728776daa581545cce4c7ffac8ee35374b65968125dea89f5e896a958a7

x86_64

cryostat-tech-preview/cryostat-grafana-dashboard-rhel8@sha256:ce37e72beb00a9eb2653cf6c248abf4d569cf3a708f83a67a0d4639f4893b31e
cryostat-tech-preview/cryostat-operator-bundle@sha256:818f32bf078b473ea3d3e414134d55b196333b179db54371c7a283e20ae720be
cryostat-tech-preview/cryostat-reports-rhel8@sha256:007cd4be45dbe9627b80ae749b78b751fe9846da0659f2a4f73e801a7207c663
cryostat-tech-preview/cryostat-rhel8@sha256:99dab409d9e80a951f39c80f3429fa34ab1ed99f68d41f15fedf63cb33eb5c29
cryostat-tech-preview/cryostat-rhel8-operator@sha256:734054cf4f9b68b186ae2024caf7401321c14c63a70188f771617cc3ae83dc64
cryostat-tech-preview/jfr-datasource-rhel8@sha256:f28d25a215222f8d1e19b59ea479dc22b71380cd8c3ffa99ae562727fbb1b487

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.