-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.7323
       Red Hat build of Cryostat 2.4.0: new RHEL 8 container images
                               8 December 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cryostat 2.4.0
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-34462 CVE-2023-33201 CVE-2023-24815

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2023:7669

Comment: CVSS (Max):  6.5 CVE-2023-34462 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat build of Cryostat 2.4.0: new RHEL 8 container images
Advisory ID:       RHSA-2023:7669
Product:           Cryostat 2 on RHEL 8
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:7669
Issue date:        2023-12-06
CVE Names:         CVE-2023-24815 CVE-2023-33201 CVE-2023-34462
=====================================================================

1. Summary:

New Red Hat build of Cryostat 2.4.0 on RHEL 8 container images are now available.

2. Relevant releases/architectures:

Cryostat 2 on RHEL 8 - arm64, amd64

3. Description:

New Red Hat build of Cryostat 2.4.0 on RHEL 8 container images have been released, adding a variety of features and bug fixes. Users of the Red Hat build of Cryostat 2.3.1 on RHEL 8 container images are advised to upgrade to these updated images, which contain backported patches to fix these bugs and add these enhancements. Users of these images are also encouraged to rebuild all container images that depend on these images.
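The upgrade advice above can be checked mechanically: the advisory's Package List (section 6) gives the exact sha256 digest of every fixed image per architecture, so an inventory of running containers can be compared against it. The Python script below is an added example and is not part of the AusCERT bulletin or the Red Hat advisory. It embeds the twelve image digests from section 6 (joined from the bulletin's line-wrapped form); the sample inventory, workload names, the quay.io image and the stale digests are constructed for illustration, and the registry-stripping helper is an assumption about how deployed image references look.

```python
import re
from dataclasses import dataclass

# Package List entries (".rpm" form) copied from section 6 of RHSA-2023:7669.
# The bulletin wraps each digest across two lines; they are joined here.
ADVISORY_PACKAGE_LIST = """\
cryostat-tech-preview/cryostat-grafana-dashboard-rhel8@sha256:5138e1feda1fd225914b9705f3cd88525b783ada5f672c20392abf003bd334c7_amd64.rpm
cryostat-tech-preview/cryostat-grafana-dashboard-rhel8@sha256:7cbc39b1a3b490b3118980e9fbff1aeba74705e435eaa3d6ba75f39a86a924d4_arm64.rpm
cryostat-tech-preview/cryostat-operator-bundle@sha256:90e788b71753d6a569f5907c8cb1e8f2633a11ed4f9f3df1bcbba6ab9c9110e7_arm64.rpm
cryostat-tech-preview/cryostat-operator-bundle@sha256:ca23f4944519260549274d79c3cfda72bee9dbad380218cacea9fbc055ed3420_amd64.rpm
cryostat-tech-preview/cryostat-reports-rhel8@sha256:1b8dfb006d0c449350b5683c9ac3576ab0256a9c7c1a068a8486bfb717d0b7ed_amd64.rpm
cryostat-tech-preview/cryostat-reports-rhel8@sha256:7130279b46d9546449494e613dea6c53390c6ee3e2e894d4f89583182e58bc98_arm64.rpm
cryostat-tech-preview/cryostat-rhel8-operator@sha256:1c9fe1c25eb9f3e7501c8f065f2248e5e46bba17849b2b760198490dc7f94428_amd64.rpm
cryostat-tech-preview/cryostat-rhel8-operator@sha256:3f179ccc29afd98d882dbbb90954cab6b34f23db8110663264d7b3de94b32d36_arm64.rpm
cryostat-tech-preview/cryostat-rhel8@sha256:0e11667c5eeac5bed4f636f056f248d101d45b4b840efc55e636410f4865bcd2_arm64.rpm
cryostat-tech-preview/cryostat-rhel8@sha256:ab2ecd8c68bfe794bb26efab1fdeadb2015efc4a827d4c45cb1b16133288ce4f_amd64.rpm
cryostat-tech-preview/jfr-datasource-rhel8@sha256:492a3d8ed08d3b385665c93071fa6c3a1e5e4389b6d0780ef0014ffebfa61415_amd64.rpm
cryostat-tech-preview/jfr-datasource-rhel8@sha256:70ee85830ebc5d89ba87d301d3731cbafa89247a3b2c23667aaa123e710cb90b_arm64.rpm
"""

# One advisory entry: <image path>@sha256:<64 hex>_<arch>.rpm
ENTRY_RE = re.compile(
    r"^(?P<image>[A-Za-z0-9_./-]+)@sha256:(?P<digest>[0-9a-f]{64})_(?P<arch>amd64|arm64)\.rpm$"
)


def parse_package_list(text: str) -> dict[tuple[str, str], str]:
    """Map (image path, arch) -> fixed digest for every entry in the advisory list."""
    fixed = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised package list entry: {line}")
        fixed[(m["image"], m["arch"])] = m["digest"]
    return fixed


def image_path(reference: str) -> str:
    """Strip the registry host (e.g. registry.redhat.io) and any @digest/:tag suffix.

    Assumption: a first path component containing '.' or ':' (or 'localhost')
    is a registry host, which is the usual Docker reference convention.
    """
    ref = reference.split("@", 1)[0]
    parts = ref.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        parts = parts[1:]
    parts[-1] = parts[-1].split(":", 1)[0]  # drop a name:tag suffix
    return "/".join(parts)


@dataclass
class Finding:
    workload: str
    status: str   # "fixed", "outdated" or "not-covered"
    detail: str


def check_inventory(inventory, fixed) -> list[Finding]:
    """Compare each running image digest with the digest the advisory ships.

    A digest that differs from the advisory's is reported as "outdated"; it
    could also be a newer image from a later erratum, so treat the finding as a
    prompt to check the Red Hat Container Catalog, not as proof of exposure.
    """
    findings = []
    for w in inventory:
        key = (image_path(w["image"]), w["arch"])
        if key not in fixed:
            findings.append(Finding(w["name"], "not-covered",
                                    f"{key[0]} ({key[1]}) is not listed in RHSA-2023:7669"))
        elif w["digest"] == fixed[key]:
            findings.append(Finding(w["name"], "fixed",
                                    "running the digest shipped by RHSA-2023:7669"))
        else:
            findings.append(Finding(w["name"], "outdated",
                                    f"digest {w['digest'][:12]}... differs from the advisory's {fixed[key][:12]}..."))
    return findings


# Constructed sample inventory (not real deployments): what a cluster scan might
# report as workload name, image reference, architecture and running digest.
SAMPLE_INVENTORY = [
    {"name": "cryostat-prod", "arch": "amd64",
     "image": "registry.redhat.io/cryostat-tech-preview/cryostat-rhel8",
     "digest": "ab2ecd8c68bfe794bb26efab1fdeadb2015efc4a827d4c45cb1b16133288ce4f"},
    {"name": "cryostat-staging", "arch": "arm64",
     "image": "registry.redhat.io/cryostat-tech-preview/cryostat-rhel8",
     "digest": "0123456789abcdef" * 4},              # constructed stale digest
    {"name": "grafana-sidecar", "arch": "amd64",
     "image": "quay.io/example/other-dashboard:latest",  # constructed, not a Red Hat image
     "digest": "fedcba9876543210" * 4},
]

if __name__ == "__main__":
    fixed_digests = parse_package_list(ADVISORY_PACKAGE_LIST)
    for f in check_inventory(SAMPLE_INVENTORY, fixed_digests):
        print(f"{f.status:12} {f.workload:18} {f.detail}")
```

Run as-is the script reports one fixed, one outdated and one not-covered workload. In practice the inventory would come from the cluster (for example the image IDs in pod status), and a "not-covered" result for a Cryostat image that the advisory does list under a different architecture is worth a second look at the node architecture.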
Security Fix(es):

* vertx-web: StaticHandler disclosure of classpath resources on Windows when mounted on a wildcard route (CVE-2023-24815)

* bouncycastle: potential blind LDAP injection attack using a self-signed certificate (CVE-2023-33201)

* netty: SniHandler 16MB allocation leads to OOM (CVE-2023-34462)

You can find images updated by this advisory in Red Hat Container Catalog (see References).

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2209400 - CVE-2023-24815 - vertx-web: StaticHandler disclosure of classpath resources on Windows when mounted on a wildcard route
2215465 - CVE-2023-33201 - bouncycastle: potential blind LDAP injection attack using a self-signed certificate
2216888 - CVE-2023-34462 - netty: SniHandler 16MB allocation leads to OOM

6. Package List:

Cryostat 2 on RHEL 8

8Base-Cryostat-2:cryostat-tech-preview/cryostat-grafana-dashboard-rhel8@sha256:5138e1feda1fd225914b9705f3cd88525b783ada5f672c20392abf003bd334c7_amd64:
cryostat-tech-preview/cryostat-grafana-dashboard-rhel8@sha256:5138e1feda1fd225914b9705f3cd88525b783ada5f672c20392abf003bd334c7_amd64.rpm

8Base-Cryostat-2:cryostat-tech-preview/cryostat-grafana-dashboard-rhel8@sha256:7cbc39b1a3b490b3118980e9fbff1aeba74705e435eaa3d6ba75f39a86a924d4_arm64:
cryostat-tech-preview/cryostat-grafana-dashboard-rhel8@sha256:7cbc39b1a3b490b3118980e9fbff1aeba74705e435eaa3d6ba75f39a86a924d4_arm64.rpm

8Base-Cryostat-2:cryostat-tech-preview/cryostat-operator-bundle@sha256:90e788b71753d6a569f5907c8cb1e8f2633a11ed4f9f3df1bcbba6ab9c9110e7_arm64:
cryostat-tech-preview/cryostat-operator-bundle@sha256:90e788b71753d6a569f5907c8cb1e8f2633a11ed4f9f3df1bcbba6ab9c9110e7_arm64.rpm

8Base-Cryostat-2:cryostat-tech-preview/cryostat-operator-bundle@sha256:ca23f4944519260549274d79c3cfda72bee9dbad380218cacea9fbc055ed3420_amd64:
cryostat-tech-preview/cryostat-operator-bundle@sha256:ca23f4944519260549274d79c3cfda72bee9dbad380218cacea9fbc055ed3420_amd64.rpm

8Base-Cryostat-2:cryostat-tech-preview/cryostat-reports-rhel8@sha256:1b8dfb006d0c449350b5683c9ac3576ab0256a9c7c1a068a8486bfb717d0b7ed_amd64:
cryostat-tech-preview/cryostat-reports-rhel8@sha256:1b8dfb006d0c449350b5683c9ac3576ab0256a9c7c1a068a8486bfb717d0b7ed_amd64.rpm

8Base-Cryostat-2:cryostat-tech-preview/cryostat-reports-rhel8@sha256:7130279b46d9546449494e613dea6c53390c6ee3e2e894d4f89583182e58bc98_arm64:
cryostat-tech-preview/cryostat-reports-rhel8@sha256:7130279b46d9546449494e613dea6c53390c6ee3e2e894d4f89583182e58bc98_arm64.rpm

8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8-operator@sha256:1c9fe1c25eb9f3e7501c8f065f2248e5e46bba17849b2b760198490dc7f94428_amd64:
cryostat-tech-preview/cryostat-rhel8-operator@sha256:1c9fe1c25eb9f3e7501c8f065f2248e5e46bba17849b2b760198490dc7f94428_amd64.rpm

8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8-operator@sha256:3f179ccc29afd98d882dbbb90954cab6b34f23db8110663264d7b3de94b32d36_arm64:
cryostat-tech-preview/cryostat-rhel8-operator@sha256:3f179ccc29afd98d882dbbb90954cab6b34f23db8110663264d7b3de94b32d36_arm64.rpm

8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8@sha256:0e11667c5eeac5bed4f636f056f248d101d45b4b840efc55e636410f4865bcd2_arm64:
cryostat-tech-preview/cryostat-rhel8@sha256:0e11667c5eeac5bed4f636f056f248d101d45b4b840efc55e636410f4865bcd2_arm64.rpm

8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8@sha256:ab2ecd8c68bfe794bb26efab1fdeadb2015efc4a827d4c45cb1b16133288ce4f_amd64:
cryostat-tech-preview/cryostat-rhel8@sha256:ab2ecd8c68bfe794bb26efab1fdeadb2015efc4a827d4c45cb1b16133288ce4f_amd64.rpm

8Base-Cryostat-2:cryostat-tech-preview/jfr-datasource-rhel8@sha256:492a3d8ed08d3b385665c93071fa6c3a1e5e4389b6d0780ef0014ffebfa61415_amd64:
cryostat-tech-preview/jfr-datasource-rhel8@sha256:492a3d8ed08d3b385665c93071fa6c3a1e5e4389b6d0780ef0014ffebfa61415_amd64.rpm

8Base-Cryostat-2:cryostat-tech-preview/jfr-datasource-rhel8@sha256:70ee85830ebc5d89ba87d301d3731cbafa89247a3b2c23667aaa123e710cb90b_arm64:
cryostat-tech-preview/jfr-datasource-rhel8@sha256:70ee85830ebc5d89ba87d301d3731cbafa89247a3b2c23667aaa123e710cb90b_arm64.rpm

7. References:

https://access.redhat.com/security/cve/CVE-2023-24815
https://access.redhat.com/security/cve/CVE-2023-33201
https://access.redhat.com/security/cve/CVE-2023-34462
https://access.redhat.com/security/updates/classification/#moderate

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
        Australian Computer Emergency Response Team
        The University of Queensland
        Brisbane
        Qld 4072

        Internet Email: auscert@auscert.org.au
        Facsimile:      (07) 3365 7031
        Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                        AusCERT personnel answer during Queensland business
                        hours which are GMT+10:00 (AEST).
                        On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBZXJrMMkNZI30y1K9AQjdxw//TQlSRNEttkx5DPVEQpvYvhZhpWMnwT/s
PFIDMq2vbqjYWxkTtvgJdkUijZjM4QEykLU6xTpFkgKfnK9gCrlfVjdQ2FS+Rjfa
s3tYInRygrno/6d1APvRh2RwJmqyRzHQm3v7fL4KTpx+Qnl5YoELwoWXpbm7v40m
DXiENkNCDyfB0xI5V7LBcqb06AVWaG+A3aJELg6RgWCD60Z7RWzltY+vWbi9jpUL
FKp5Im/WOJQUsg5lLa69cJy+4JxaOn+jr+0h9WUGVEbYIZ/k6eQmyXHA12b/sZWZ
fErmJpU9Tue/znjiiAcU5Cql443zRUgOLzNod25TGp/ElTnWDlg4pn1KSYNg+X1Y
2ZhSI5NhYXynfUfyd0ECozmCETXrBZqvt3GdGWDy8xlEfzSYZ0EOKyWE9AEwKDQG
O/dk6YWysRAvzdMBH++CL5qMTSgXUDiCI0nxEjev5Gliya2PdKfBWSrOxWRCeLTp
CpOFrmMQAiz+Xxu+nmeRh4RV0x5wls1B4IdkjO5FgOJJvYDgl8T4Mo/HxPFLp5rL
MZmuN6lWH49hnQhT+S+dZ5sGuxv47ktOwfsNNHNuH4LZ5EDxMV8Rkx9lZZQBop0Q
XNy+vhQ74YWXm6vOcmTZwCgKQhJVnLuBis1TzwXbIvKD5hCZJddkBJnv2lBWcjuB
HwzQFKUmqNw=
=X1sD
-----END PGP SIGNATURE-----