-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.7323
       Red Hat build of Cryostat 2.4.0: new RHEL 8 container images
                              8 December 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cryostat 2.4.0
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-34462 CVE-2023-33201 CVE-2023-24815

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2023:7669

Comment: CVSS (Max):  6.5 CVE-2023-34462 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                Red Hat Security Advisory

Synopsis:          Moderate: Red Hat build of Cryostat 2.4.0: new
                   RHEL 8 container images
Advisory ID:       RHSA-2023:7669
Product:           Cryostat 2 on RHEL 8
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:7669
Issue date:        2023-12-06
CVE Names:         CVE-2023-24815 CVE-2023-33201 CVE-2023-34462
=====================================================================

1. Summary:

New Red Hat build of Cryostat 2.4.0 on RHEL 8 container images are now available.

2. Relevant releases/architectures:

Cryostat 2 on RHEL 8 - arm64, amd64 

3. Description:

New Red Hat build of Cryostat 2.4.0 on RHEL 8 container images have been
released, adding a variety of features and bug fixes.

Users of the Red Hat build of Cryostat 2.3.1 on RHEL 8 container images are
advised to upgrade to these updated images, which contain backported patches to
fix these bugs and add these enhancements. Users of these images are also
encouraged to rebuild all container images that depend on these images.

Security Fix(es):

* vertx-web: StaticHandler disclosure of classpath resources on Windows when
mounted on a wildcard route (CVE-2023-24815)

* bouncycastle: potential blind LDAP injection attack using a self-signed
certificate (CVE-2023-33201)

* netty: SniHandler 16MB allocation leads to OOM (CVE-2023-34462)

You can find images updated by this advisory in Red Hat Container Catalog (see
References).

4. Solution:

Before applying this update, make sure all previously released errata relevant
to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2209400 - CVE-2023-24815 - vertx-web: StaticHandler disclosure of classpath resources on Windows when mounted on a wildcard route
2215465 - CVE-2023-33201 - bouncycastle: potential blind LDAP injection attack using a self-signed certificate
2216888 - CVE-2023-34462 - netty: SniHandler 16MB allocation leads to OOM

6. Package List:

Cryostat 2 on RHEL 8

8Base-Cryostat-2:cryostat-tech-preview/cryostat-grafana-dashboard-rhel8@sha256:5138e1feda1fd225914b9705f3cd88525b783ada5f672c20392abf003bd334c7_amd64:
cryostat-tech-preview/cryostat-grafana-dashboard-rhel8@sha256:5138e1feda1fd225914b9705f3cd88525b783ada5f672c20392abf003bd334c7_amd64.rpm

8Base-Cryostat-2:cryostat-tech-preview/cryostat-grafana-dashboard-rhel8@sha256:7cbc39b1a3b490b3118980e9fbff1aeba74705e435eaa3d6ba75f39a86a924d4_arm64:
cryostat-tech-preview/cryostat-grafana-dashboard-rhel8@sha256:7cbc39b1a3b490b3118980e9fbff1aeba74705e435eaa3d6ba75f39a86a924d4_arm64.rpm

8Base-Cryostat-2:cryostat-tech-preview/cryostat-operator-bundle@sha256:90e788b71753d6a569f5907c8cb1e8f2633a11ed4f9f3df1bcbba6ab9c9110e7_arm64:
cryostat-tech-preview/cryostat-operator-bundle@sha256:90e788b71753d6a569f5907c8cb1e8f2633a11ed4f9f3df1bcbba6ab9c9110e7_arm64.rpm

8Base-Cryostat-2:cryostat-tech-preview/cryostat-operator-bundle@sha256:ca23f4944519260549274d79c3cfda72bee9dbad380218cacea9fbc055ed3420_amd64:
cryostat-tech-preview/cryostat-operator-bundle@sha256:ca23f4944519260549274d79c3cfda72bee9dbad380218cacea9fbc055ed3420_amd64.rpm

8Base-Cryostat-2:cryostat-tech-preview/cryostat-reports-rhel8@sha256:1b8dfb006d0c449350b5683c9ac3576ab0256a9c7c1a068a8486bfb717d0b7ed_amd64:
cryostat-tech-preview/cryostat-reports-rhel8@sha256:1b8dfb006d0c449350b5683c9ac3576ab0256a9c7c1a068a8486bfb717d0b7ed_amd64.rpm

8Base-Cryostat-2:cryostat-tech-preview/cryostat-reports-rhel8@sha256:7130279b46d9546449494e613dea6c53390c6ee3e2e894d4f89583182e58bc98_arm64:
cryostat-tech-preview/cryostat-reports-rhel8@sha256:7130279b46d9546449494e613dea6c53390c6ee3e2e894d4f89583182e58bc98_arm64.rpm

8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8-operator@sha256:1c9fe1c25eb9f3e7501c8f065f2248e5e46bba17849b2b760198490dc7f94428_amd64:
cryostat-tech-preview/cryostat-rhel8-operator@sha256:1c9fe1c25eb9f3e7501c8f065f2248e5e46bba17849b2b760198490dc7f94428_amd64.rpm

8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8-operator@sha256:3f179ccc29afd98d882dbbb90954cab6b34f23db8110663264d7b3de94b32d36_arm64:
cryostat-tech-preview/cryostat-rhel8-operator@sha256:3f179ccc29afd98d882dbbb90954cab6b34f23db8110663264d7b3de94b32d36_arm64.rpm

8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8@sha256:0e11667c5eeac5bed4f636f056f248d101d45b4b840efc55e636410f4865bcd2_arm64:
cryostat-tech-preview/cryostat-rhel8@sha256:0e11667c5eeac5bed4f636f056f248d101d45b4b840efc55e636410f4865bcd2_arm64.rpm

8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8@sha256:ab2ecd8c68bfe794bb26efab1fdeadb2015efc4a827d4c45cb1b16133288ce4f_amd64:
cryostat-tech-preview/cryostat-rhel8@sha256:ab2ecd8c68bfe794bb26efab1fdeadb2015efc4a827d4c45cb1b16133288ce4f_amd64.rpm

8Base-Cryostat-2:cryostat-tech-preview/jfr-datasource-rhel8@sha256:492a3d8ed08d3b385665c93071fa6c3a1e5e4389b6d0780ef0014ffebfa61415_amd64:
cryostat-tech-preview/jfr-datasource-rhel8@sha256:492a3d8ed08d3b385665c93071fa6c3a1e5e4389b6d0780ef0014ffebfa61415_amd64.rpm

8Base-Cryostat-2:cryostat-tech-preview/jfr-datasource-rhel8@sha256:70ee85830ebc5d89ba87d301d3731cbafa89247a3b2c23667aaa123e710cb90b_arm64:
cryostat-tech-preview/jfr-datasource-rhel8@sha256:70ee85830ebc5d89ba87d301d3731cbafa89247a3b2c23667aaa123e710cb90b_arm64.rpm

7. References:

https://access.redhat.com/security/cve/CVE-2023-24815
https://access.redhat.com/security/cve/CVE-2023-33201
https://access.redhat.com/security/cve/CVE-2023-34462
https://access.redhat.com/security/updates/classification/#moderate

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
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=X1sD
-----END PGP SIGNATURE-----