Red Hat Product Errata RHSA-2024:9485 - Security Advisory
Issued: 2024-11-13
Updated: 2024-11-13

RHSA-2024:9485 - Security Advisory


Synopsis

Important: Control plane Operators for RHOSO 18.0.3 (Feature Release 1) security update

Type/Severity

Security Advisory: Important

Topic

Control plane Operators for RHOSO 18.0.3 (Feature Release 1).

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Security fix(es):

  • Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. (CVE-2024-34156)
  • When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not. A maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded. (CVE-2023-45289)
  • When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permitted a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. (CVE-2023-45290)
  • Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates. (CVE-2024-24783)
  • The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers. (CVE-2024-24784)
  • If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates. (CVE-2024-24785)

  • A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop. (CVE-2024-24788)
  • Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion. (CVE-2024-34155)
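The domain rule described for CVE-2023-45289, as an added example that is not Go's own net/http code: a header filter that keeps Authorization and Cookie only when the redirect target is the original host or a dot-separated subdomain of it. The function names and sample headers are constructed for illustration, and hosts are assumed to be bare hostnames without a port.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Headers that must not leak to a different site on redirect (the two the advisory names).
var sensitiveHeaders = []string{"Authorization", "Cookie"}

// isDomainOrSubdomain reports whether sub is exactly parent or a
// dot-separated subdomain of it: "www.foo.com" under "foo.com" matches,
// "bar.com" does not, and "evilfoo.com" does not because the label
// boundary before "foo.com" must be a ".". Inputs are bare hostnames
// (no port); comparison is case-insensitive.
func isDomainOrSubdomain(sub, parent string) bool {
	sub, parent = strings.ToLower(sub), strings.ToLower(parent)
	if sub == parent {
		return true
	}
	return strings.HasSuffix(sub, "."+parent)
}

// headersForRedirect returns a copy of orig for a request to redirectHost.
// Sensitive headers survive only when redirectHost is the initial host or
// one of its subdomains; everything else is forwarded unchanged. The
// original header map is not modified.
func headersForRedirect(orig http.Header, initialHost, redirectHost string) http.Header {
	out := orig.Clone()
	if isDomainOrSubdomain(redirectHost, initialHost) {
		return out
	}
	for _, h := range sensitiveHeaders {
		out.Del(h)
	}
	return out
}

func main() {
	h := http.Header{} // constructed sample request headers
	h.Set("Authorization", "Bearer example-token")
	h.Set("Cookie", "session=abc")
	h.Set("Accept", "application/json")
	for _, target := range []string{"www.foo.com", "bar.com", "evilfoo.com"} {
		fwd := headersForRedirect(h, "foo.com", target)
		fmt.Printf("foo.com -> %-12s Authorization forwarded: %v\n",
			target, fwd.Get("Authorization") != "")
	}
}
```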

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section.
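A defensive bound for the CVE-2023-45290 case, as an added example that is not part of the advisory: capping the request body with http.MaxBytesReader before ParseMultipartForm so that a single over-long form line cannot drive memory growth, independent of which parser version is in use. The request builder, the size constants and the form field name are constructed for this example.

```go
package main

import (
	"bytes"
	"fmt"
	"mime/multipart"
	"net/http"
	"net/http/httptest"
)

// Hard cap on the whole request body, applied before any multipart parsing.
const maxFormBytes = 1 << 20 // 1 MiB (constructed value for this example)

// parseBoundedForm wraps the body in http.MaxBytesReader before calling
// ParseMultipartForm. The parser's own maxMemory argument only decides
// what spills to disk; the byte cap is what bounds the memory a single
// over-long line can consume, so an oversized body fails with an error
// instead of growing allocations.
func parseBoundedForm(w http.ResponseWriter, r *http.Request) error {
	r.Body = http.MaxBytesReader(w, r.Body, maxFormBytes)
	return r.ParseMultipartForm(32 << 10) // keep at most 32 KiB in memory
}

// newMultipartRequest builds a constructed POST whose single form field
// "field" is one line of n bytes.
func newMultipartRequest(n int) *http.Request {
	var body bytes.Buffer
	mw := multipart.NewWriter(&body)
	fw, _ := mw.CreateFormField("field")
	fw.Write(bytes.Repeat([]byte("A"), n))
	mw.Close()
	req := httptest.NewRequest(http.MethodPost, "/upload", &body)
	req.Header.Set("Content-Type", mw.FormDataContentType())
	return req
}

func main() {
	// A 1 KiB field parses; a 2 MiB field is rejected by the body cap.
	for _, n := range []int{1024, 2 << 20} {
		req := newMultipartRequest(n)
		err := parseBoundedForm(httptest.NewRecorder(), req)
		fmt.Printf("%-8d byte field: err=%v\n", n, err)
	}
}
```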

Solution

RHOSO OpenStack Podified Control Plane Operators

Affected Products

  • Red Hat OpenStack Services on OpenShift Podified Operators 1.0 x86_64

Fixes

  • BZ - 2268017 - CVE-2023-45290 golang: net/http: golang: mime/multipart: golang: net/textproto: memory exhaustion in Request.ParseMultipartForm
  • BZ - 2268018 - CVE-2023-45289 golang: net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect
  • BZ - 2268019 - CVE-2024-24783 golang: crypto/x509: Verify panics on certificates with an unknown public key algorithm
  • BZ - 2268021 - CVE-2024-24784 golang: net/mail: comments in display names are incorrectly handled
  • BZ - 2268022 - CVE-2024-24785 golang: html/template: errors returned from MarshalJSON methods may break template escaping
  • BZ - 2279814 - CVE-2024-24788 golang: net: malformed DNS message can cause infinite loop
  • BZ - 2310527 - CVE-2024-34155 go/parser: golang: Calling any of the Parse functions containing deeply nested literals can cause a panic/stack exhaustion
  • BZ - 2310528 - CVE-2024-34156 encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion
  • OSPRH-10040 - Run Glance pod components at minimum privilege escalation level
  • OSPRH-10141 - Run Manila pod components at minimum privilege escalation level
  • OSPRH-10288 - Run Neutron pod components at minimum privilege escalation level
  • OSPRH-10411 - Nil pointer dereference when using PreProvisioningNetworkData
  • OSPRH-1099 - Support ManilaShare deletion
  • OSPRH-3467 - Glance edge/dcn support
  • OSPRH-6720 - TLS-e not working for glanceAPI Edge instances
  • OSPRH-7817 - Tech Debt - As a cloud operator I would like to roll-back to the old 17.1 based control plane if the adoption process fails
  • OSPRH-8072 - Adding and then removing a glance API definition from OpenStackControlPlane does not clean up spec.glance.apiOverrides
  • OSPRH-8193 - [glance] Modifying osp-secret triggers an almost complete restart of the podified control plane
  • OSPRH-8195 - [swift] Modifying osp-secret triggers an almost complete restart of the podified control plane
  • OSPRH-8290 - [manila] Modifying osp-secret triggers an almost complete restart of the podified control plane
  • OSPRH-9285 - horizon-operator doesn't accept networkAttachment option to assign the additional network for NFS share of glance image upload
  • OSPRH-11068 - openstack-operator-controller-manager crashing with nil pointer dereference panic when deployment job fails
  • OSPRH-9371 - Use of lib-common VerifySecret prevents proper requeue in certain operators
  • OSPRH-10639 - Improve how the config will be mounted and consumed in the heat pods
  • OSPRH-9991 - ValidateCertSecrets miss return information on which cert secret is missing
  • OSPRH-10035 - Telemetry can't make progress, yet operator status is "in progress" and no event nor status update on OpenStackControlPlane CR
  • OSPRH-10195 - Add support for Galera's safe_to_bootstrap to improve bootstrap
  • OSPRH-10612 - Can't change the persistent field of MetricStorage
  • OSPRH-10725 - octavia-operator displays backtraces on startup
  • OSPRH-7610 - Export and scrape RabbitMQ metrics
  • OSPRH-105 - Support Cell deletion
  • OSPRH-6951 - Auto-detect EDPM image checksum details during baremetal provisioning
  • OSPRH-7821 - mariadb-operator may not reconcile galera start properly when it is restarted
  • OSPRH-8038 - Setting the memcached replicas to 0 is allowed but breaks the control plane
  • OSPRH-8058 - Galera.Spec.AdoptionRedirect is not used by the adoption process
  • OSPRH-8069 - Modifying osp-secret triggers an almost complete restart of the podified control plane
  • OSPRH-9411 - mariadb operator cannot reconcile state of a pod in pending phase
  • OSPRH-9908 - SAST: Provide access to secrets via volume mounts instead of setting `valueFrom.secretKeyRef` in `env`
  • OSPRH-8065 - Autoscaling is ignoring prometheusTLS field
  • OSPRH-8074 - telemetry-operator panics when using customMonitoringStack and ScrapeInterval isn't set
  • OSPRH-8118 - OVNDbCluster: ovsdb-server process is not exited gracefully
  • OSPRH-8212 - Improve TERM signal handling in OVNDbCluster startup scripts
  • OSPRH-8508 - Support ipv6 for metrics retrieval
  • OSPRH-8535 - DataplaneNetwork should be optional
  • OSPRH-8582 - telemetry-operator must support empty template
  • OSPRH-9455 - Live migration fails with TLS cert error when ctlplane network is not listed as the first network
  • OSPRH-4128 - Power Consumptions Metrics using CeilometerIpmi
  • OSPRH-10090 - Fix race condition if ring rebalance is needed
  • OSPRH-10282 - Allow matching BMH and EDPM node hostnames one by one
  • OSPRH-1478 - Cinder edge/dcn support
  • OSPRH-2428 - As a cloud operator I would like to adopt my existing 17.1 OpenStack environment where the control plane is running on Baremetal so that I am on a Red Hat supported platform & architecture.
  • OSPRH-3466 - Deploy an arbitrary number of glanceAPI
  • OSPRH-6501 - Golang update to version 1.21 in all modules and submodules
  • OSPRH-8192 - [cinder] Modifying osp-secret triggers an almost complete restart of the podified control plane
  • OSPRH-9910 - Node provisioning should only be possible with configured IPAM
  • OSPRH-6624 - Enable/disable TLS as day 2 operation
  • OSPRH-7324 - Implement Octavia log offloading in the Podified Control Plane
  • OSPRH-8078 - RabbitMQ does not disable TLS when previously enabled

CVEs

  • CVE-2023-45289
  • CVE-2023-45290
  • CVE-2024-6119
  • CVE-2024-6232
  • CVE-2024-24783
  • CVE-2024-24784
  • CVE-2024-24785
  • CVE-2024-24788
  • CVE-2024-34155
  • CVE-2024-34156
  • CVE-2024-45490
  • CVE-2024-45491
  • CVE-2024-45492

References

  • https://access.redhat.com/security/updates/classification/#important

x86_64


The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
