Red Hat Product Errata RHSA-2024:3479 - Security Advisory
Issued:
2024-05-29
Updated:
2024-05-29

RHSA-2024:3479 - Security Advisory

Synopsis

Important: Red Hat OpenStack Platform 16.2 director Operator container images security update

Type/Severity

Security Advisory: Important

Topic

Updated container images are now available for director Operator for Red Hat OpenStack Platform 16.2 (Train) for RHEL 8.4.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenStack Platform provides the facilities for building, deploying and monitoring a private or public infrastructure-as-a-service (IaaS) cloud running on commonly available physical hardware.

The Red Hat OpenStack Platform (RHOSP) director Operator adds the ability to install and run a RHOSP cloud within OpenShift Container Platform (OCP).

Security Fix(es):

  • golang: net/http/internal: Denial of Service (DoS) via Resource Consumption

via HTTP requests (CVE-2023-39326)

  • golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS (CVE-2023-45288)
  • golang: x/crypto/ssh: Prefix truncation attack on Binary Packet Protocol (BPP) (CVE-2023-48795)
  • goproxy: Denial of service (DoS) via unspecified vectors (CVE-2023-37788)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.

Solution

The container images provided by this update can be downloaded from the Red Hat container registry at registry.redhat.io or registry.access.redhat.com using the 'podman pull' command.

For more information about the images, search the image name in the Red Hat Ecosystem Catalog: https://catalog.redhat.com/software/containers/search

Affected Products

  • Red Hat OpenStack 16.2 x86_64

Fixes

  • BZ - 2224245 - CVE-2023-37788 goproxy: Denial of service (DoS) via unspecified vectors.
  • BZ - 2253330 - CVE-2023-39326 golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests
  • BZ - 2254210 - CVE-2023-48795 ssh: Prefix truncation attack on Binary Packet Protocol (BPP)
  • BZ - 2268273 - CVE-2023-45288 golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS

x86_64

rhosp-rhel8/osp-director-agent@sha256:208964ef9bcf8c13927cae361afeb662352c84398ccef242888e98aa2ea0dff2
rhosp-rhel8/osp-director-downloader@sha256:1e024aa8e0fc1890570889c6bab1029c81d1798f7d8a7f81db777358b5d58b93
rhosp-rhel8/osp-director-operator@sha256:9af72e35dd05b041d79c60c031906e7fd56e8e1a6690374f3036320a6bbd3cd2
rhosp-rhel8/osp-director-operator-bundle@sha256:08f5e94b61fe27680d24a73e1d2634903a5ccbb9fdcee6c9fdbbadb10480fc74

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.