- Issued:
- 2024-05-29
- Updated:
- 2024-05-29
RHSA-2024:2728 - Security Advisory
Synopsis
Important: Red Hat OpenStack Platform 17.1 director Operator container images security update
Type/Severity
Security Advisory: Important
Topic
Updated container images are now available for director Operator for Red Hat OpenStack Platform 17.1 (Wallaby) for RHEL 9.2.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Red Hat OpenStack Platform provides the facilities for building, deploying and monitoring a private or public infrastructure-as-a-service (IaaS) cloud running on commonly available physical hardware.
The Red Hat OpenStack Platform (RHOSP) director Operator adds the ability to install and run a RHOSP cloud within OpenShift Container Platform.
Security Fix(es):
- golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests (CVE-2023-39326)
- golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS (CVE-2023-45288)
- golang: x/crypto/ssh: Prefix truncation attack on Binary Packet Protocol (BPP) (CVE-2023-48795)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.
Solution
The container images provided by this update can be downloaded from the Red Hat container registry at registry.redhat.io or registry.access.redhat.com using the 'podman pull' command.
For more information about the images, search the image name in the Red Hat Ecosystem Catalog: https://catalog.redhat.com/software/containers/search
Affected Products
- Red Hat OpenStack 17.1 for RHEL 9 x86_64
Fixes
- BZ - 2253330 - CVE-2023-39326 golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests
- BZ - 2254210 - CVE-2023-48795 ssh: Prefix truncation attack on Binary Packet Protocol (BPP)
- BZ - 2256449 - [rhosp 17.1][osp-d operator] when creating osbms, it select bmh with inspecting state instead of available
- BZ - 2258578 - [17.1] RedisVirtualFixedIPs not added in tripleo-deploy-config configmap when osconfiggenerator spec.Roles used
- BZ - 2268273 - CVE-2023-45288 golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS
- BZ - 2272054 - [OSPdO 17.1] FencingConfig should be merged instead of replaced
- BZ - 2273947 - [17.1] Ephemeral heat fails resolving rabbitmq without using fqdn
CVEs
- CVE-2022-48554
- CVE-2023-2975
- CVE-2023-3019
- CVE-2023-3255
- CVE-2023-3446
- CVE-2023-3817
- CVE-2023-5088
- CVE-2023-5678
- CVE-2023-6129
- CVE-2023-6237
- CVE-2023-6683
- CVE-2023-7008
- CVE-2023-7104
- CVE-2023-39326
- CVE-2023-42467
- CVE-2023-45288
- CVE-2023-48795
- CVE-2024-0727
- CVE-2024-25062
- CVE-2024-28834
- CVE-2024-28835
x86_64
| rhosp-rhel9/osp-director-agent@sha256:436915008c0b272b20fb5fbf64fc6b4f65ae869ecdd70248066b36a120ab53d0 |
| rhosp-rhel9/osp-director-downloader@sha256:e702392f6f8bde5a93b9f90d94ec3fab1fc905b97fdc495cd1710118206f7c29 |
| rhosp-rhel9/osp-director-operator@sha256:35affb25a019adfaf3c4dc5f3a4da21b30eae321f0138d75be5ab9fc88da0141 |
| rhosp-rhel9/osp-director-operator-bundle@sha256:6747f43ab7ffa76b852b0d0f7b625dcc47a7cbfb3d9af12d8d2efd84feb0822d |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
