Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.4054 Red Hat OpenStack Platform 16.1 (etcd) security update 16 August 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Red Hat OpenStack Platform 16.1 (etcd) Publisher: Red Hat Operating System: Red Hat Resolution: Patch/Upgrade CVE Names: CVE-2022-30631 CVE-2022-21698 Original Bulletin: https://access.redhat.com/errata/RHSA-2022:6066 Comment: CVSS (Max): 7.5 CVE-2022-30631 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSS Source: Red Hat Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat OpenStack Platform 16.1 (etcd) security update Advisory ID: RHSA-2022:6066-01 Product: Red Hat OpenStack Platform Advisory URL: https://access.redhat.com/errata/RHSA-2022:6066 Issue date: 2022-08-15 CVE Names: CVE-2022-21698 CVE-2022-30631 ===================================================================== 1. Summary: An update for etcd is now available for Red Hat OpenStack Platform 16.1 (Train). Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat OpenStack Platform 16.1 - ppc64le, x86_64 3. Description: The etcd packages provide a highly available key-value store for shared configuration. Security Fix(es): * golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631) * prometheus/client_golang: Denial of service using InstrumentHandlerCounter (CVE-2022-21698) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter 2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read 6. Package List: Red Hat OpenStack Platform 16.1: Source: etcd-3.3.23-10.el8ost.src.rpm ppc64le: etcd-3.3.23-10.el8ost.ppc64le.rpm etcd-debuginfo-3.3.23-10.el8ost.ppc64le.rpm etcd-debugsource-3.3.23-10.el8ost.ppc64le.rpm x86_64: etcd-3.3.23-10.el8ost.x86_64.rpm etcd-debuginfo-3.3.23-10.el8ost.x86_64.rpm etcd-debugsource-3.3.23-10.el8ost.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2022-21698 https://access.redhat.com/security/cve/CVE-2022-30631 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYvo23NzjgjWX9erEAQhJ9w//RBbgT6wIwGU09lyTf4OIK5aYeDodCA1W FJSxMuBJYrCQx0esUTlqBruCVuqe4YgGjJ/9HgzkRCPbEIXGclYFz6/1FkZCOTmu OvT2km1xSCs+EggHOJQ6fJIhpqF1qll1/W2zAEmd0k4AxBRuWRVGIwqkKw6G9Ep6 Qs7g0/mni1xqIe+sX2Pw2stZCGxb1GZ1x5kXrVfAO/Hp2/6HxEun4jBKuLJ9bneb PHsS3QzBARhUHE7Yd+UQ8awbQFXK5Hm/vx/aF3nTzgDy5fWTMh6K6+N059TE1Vdw HdqjiSleqWpN4cKmu1xFOvjXSfoSgbJ5KmFNQR3LSj+v+sQSyYItdqjHo8u4pO8D rcj1MC30M3IcMBahmEiEZIpaImfERCAM0muGzQON9d1FRiND5WQW8tLBMLRcLXLF 0MA0xFaayNZknGINoVyxoC5LwUcW8wrNkaZEADVtW9N4DwHzGAtlq6pGUNJbMRKk pGX55k4jDNCcpC3fZwDmLDo68Yx6mKE1AGimgn1kp4+CDfy0CqzIzw+ASzv3yFLh LXgBZXURM57xjIGw86GqvKzrvFwogJx4PNLXG7mBbyloC5ftn0LOCtUnT6ufvYnc aqgbgVExdWjP8WKfHB3z1KCkQOrih4/QOZskQRfdqJLjmkjopv4mLjDxE7vhCO+a buMc0LrYxag= =rjcs - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBYvr45MkNZI30y1K9AQjPpRAAu3YZCj2PwHsZUiv2hgns0UiVJUTOmSdE dCJtUX1nvwoiIsM1cHSRdqgbIur9difWEjBA8Ye2sajjXir+W925mH93IRx4aJO4 90YkUYsu+pFtV8GnVetCALycXrnTkT8qyJ8bxa76MGrjEptd/iq5HafvoiUwIuqL 7YUxdEa/wbnZB2XaaWRK8iN3SR2zzTLGaIAq9tK4E5tXCJT8svanrwfaRv/hhTX2 VqBnCoE00Hel+nKimCDQfeUah73FHZpcmf6ut8Vnm0Qj8r9c9X36UaZYviDNz/y9 HyULQe8Sdo68vUFlumY9yrpgLQnyB+PXmgDT4mNYzV/MzbhhNZexWIFn9sgPdaqR K3qNjMIH7lyVaYyY9+nTBUdsqXRosNwoTgVtXKMHjE5hjMlP4fm+Il8WrPn7SMjX tVTVOXDhDpaZjX7uKDAioSm1Armyoqr8KECqKtglFPb0OW63V23c09V4CYQD4ztc WooiqG5RDwchaDxRNCBhTMr4ZLLZBBLV+Hp2pMzvLoLjlSpQIwb0q29IBFO8VDSK wqHPs0G20Buc//ov1D3Pkq6ypZqWce7K0fzE6gTSdk54ukp9ztwETCtAm/DtBewr Fgqpkk2z9jkxyxsooVCkv9LMUuq5Uksd571OyOcL2EU/IOYz+4oYDmCqxVSpG5G0 x51kBb3fK78= =QJnW -----END PGP SIGNATURE-----