- Issued: 2024-06-24
- Updated: 2024-06-24
 
RHSA-2024:4057 - Security Advisory
Synopsis
Important: Release of OpenShift Serverless Logic 1.33.0 security update & enhancements
Type/Severity
Security Advisory: Important
Topic
Release of OpenShift Serverless Logic 1.33.0
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
This release includes security fixes, bug fixes, and enhancements.
Security Fix(es):
- keycloak: org.keycloak.protocol.oidc: unvalidated cross-origin messages in checkLoginIframe leads to DDoS (CVE-2024-1249)
- keycloak: XSS via assertion consumer service URL in SAML POST-binding flow (CVE-2023-6717)
- pgjdbc: PostgreSQL JDBC Driver allows attacker to inject SQL if using PreferQueryMode=SIMPLE (CVE-2024-1597)
- camel-core: Exposure of sensitive data by crafting a malicious EventFactory (CVE-2024-22371)
- commons-compress: Denial of service caused by an infinite loop for a corrupted DUMP file (CVE-2024-25710)
- commons-compress: OutOfMemoryError unpacking broken Pack200 file (CVE-2024-26308)
- jose4j: denial of service via specially crafted JWE (CVE-2023-51775)
 
For more details about the security issues, including the impact, a CVSS score, acknowledgements, and other related information, refer to the CVE pages listed in the References section.
Solution
See the Red Hat OpenShift Serverless 1.33 documentation at:
https://access.redhat.com/documentation/en-us/red_hat_openshift_serverless/1.33
Affected Products
- Red Hat OpenShift Serverless 1 for RHEL 8 x86_64
- Red Hat OpenShift Serverless for IBM Power, little endian 1 for RHEL 8 ppc64le
- Red Hat OpenShift Serverless for ARM 1 for RHEL 8 aarch64
 
Fixes
- BZ - 2253952 - CVE-2023-6717 keycloak: XSS via assertion consumer service URL in SAML POST-binding flow
- BZ - 2262918 - CVE-2024-1249 keycloak: org.keycloak.protocol.oidc: unvalidated cross-origin messages in checkLoginIframe leads to DDoS
- BZ - 2264988 - CVE-2024-25710 commons-compress: Denial of service caused by an infinite loop for a corrupted DUMP file
- BZ - 2264989 - CVE-2024-26308 commons-compress: OutOfMemoryError unpacking broken Pack200 file
- BZ - 2266024 - CVE-2024-22371 camel-core: Exposure of sensitive data by crafting a malicious EventFactory
- BZ - 2266523 - CVE-2024-1597 pgjdbc: PostgreSQL JDBC Driver allows attacker to inject SQL if using PreferQueryMode=SIMPLE
- BZ - 2266921 - CVE-2023-51775 jose4j: denial of service via specially crafted JWE
 
CVEs
aarch64

| Container image |
|---|
| openshift-serverless-1/logic-data-index-ephemeral-rhel8@sha256:2223754df4f475fc7240df4d833c3ad3d757375ceb2dba359164bd6e8475d267 |
| openshift-serverless-1/logic-data-index-postgresql-rhel8@sha256:d6951064cd3ac48107a93d9d21df106157df0232645bb2d847589fda496b5c9a |
| openshift-serverless-1/logic-jobs-service-ephemeral-rhel8@sha256:2664e7f4c310f561e254f1b07a1f189e8c674556545d27f3e108358f04258979 |
| openshift-serverless-1/logic-jobs-service-postgresql-rhel8@sha256:19c9009a5f3a73553ebbb0a34063a9236635d41f9457de150d12f8b1c9d9a80e |
| openshift-serverless-1/logic-kn-workflow-cli-artifacts-rhel8@sha256:ab13f02335cf4f22b72d7a477b1de9c3634b2a6d66ddc536192d0061d7f572d5 |
| openshift-serverless-1/logic-operator-bundle@sha256:8309ccf050075499e5052a6af4ecfd53755636663a2ec0f4f0e94e9e6ddc251f |
| openshift-serverless-1/logic-rhel8-operator@sha256:fbff2eb7134a4f3b3aff8ac3768981fcabd11aff983a366948ac75816c26a5b9 |
| openshift-serverless-1/logic-swf-builder-rhel8@sha256:278dc04865d985aba56ff0a6e6a2aa2fdce544459cab642dacb6e8de948a19aa |
| openshift-serverless-1/logic-swf-devmode-rhel8@sha256:f98022ead7f3708016d5815be0d637a22f288af66b6f4a6be906afd7ce7514ca |
ppc64le

| Container image |
|---|
| openshift-serverless-1/logic-data-index-ephemeral-rhel8@sha256:1d4c65ddd65b54b387f21bdabf408d180bcc0d835fec714a2c06b643187279de |
| openshift-serverless-1/logic-data-index-postgresql-rhel8@sha256:1050e0b388b09c494bcb2f9bc9d74eb1f12b1ef93218e3920434f7c09b22f9eb |
| openshift-serverless-1/logic-jobs-service-ephemeral-rhel8@sha256:40893aa91a3cbbe99aa0e47032e64e31c176d0b857a3fe36151668f87ed1b346 |
| openshift-serverless-1/logic-jobs-service-postgresql-rhel8@sha256:a7fc943642f5272d25292a25bfd6d2a35ef30e5f9a7419f935988a764741ba57 |
| openshift-serverless-1/logic-operator-bundle@sha256:e405a41d8c91661bae11aadc0a79490e3bc8ef278fc15c2dc2f026b300af1775 |
| openshift-serverless-1/logic-rhel8-operator@sha256:e113674a0ce7abadb084823420724af4f97a7e109cfe921bad907e5d1cd46dca |
| openshift-serverless-1/logic-swf-builder-rhel8@sha256:b4a682402e78ad34e16ab038771f51205a7c117de49bb8f585eb7a0bfa59a586 |
| openshift-serverless-1/logic-swf-devmode-rhel8@sha256:0fa9ee1c7cd198e83187511f24084661cbbaa3f4d6a496e3ead0349a672fc5d0 |
x86_64

| Container image |
|---|
| openshift-serverless-1/logic-data-index-ephemeral-rhel8@sha256:90938287390c5d53dd8311699daa4304444e0727fa1aed18e6b4712ef2da8ee4 |
| openshift-serverless-1/logic-data-index-postgresql-rhel8@sha256:f188dc873609058aa3a4911526df0afc1f32c8b986c02646b403932750db5d19 |
| openshift-serverless-1/logic-jobs-service-ephemeral-rhel8@sha256:1b186d5cd499f69de3f9b6053092ce1e634ac4101c8dec5bbae664a0405ec4a3 |
| openshift-serverless-1/logic-jobs-service-postgresql-rhel8@sha256:ed0f3c6feaed07a6f2ce2774fdb2ec96aa4855426396a39350289528794818bc |
| openshift-serverless-1/logic-kn-workflow-cli-artifacts-rhel8@sha256:32613823ccf9bba0b8bb586b9859c4b68b548953445ee221907bedf1841a1dc9 |
| openshift-serverless-1/logic-operator-bundle@sha256:f4495c801002a4501b6b472a2f709cf6f7e0955b74d407254f4aa00a5c26932c |
| openshift-serverless-1/logic-rhel8-operator@sha256:8fcf378e87a1eb66dd3906edff827ed55e5d991eb6961bf1d101eacfaaaeec40 |
| openshift-serverless-1/logic-swf-builder-rhel8@sha256:35a03270b6f2908fd611f4e1eeb4fdc3d44ac82bb6dc188a03bb134d86def8f4 |
| openshift-serverless-1/logic-swf-devmode-rhel8@sha256:a24194315193f8d7e46f7c2862b88356c2e676287503cc58dbad629f0f196496 |

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.