Protect yourself against future threats.
=========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2024.1820 OpenShift Container Platform 4.12 low-latency extras security update 28 March 2024 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: OpenShift Container Platform 4.12 low-latency extras Publisher: Red Hat Operating System: Red Hat Resolution: Patch/Upgrade CVE Names: CVE-2024-24786 Original Bulletin: https://access.redhat.com/errata/RHSA-2024:1538 Comment: CVSS (Max): 5.9 CVE-2024-24786 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSS Source: Red Hat Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- ===================================================================== Red Hat Security Advisory Synopsis: Moderate: OpenShift Container Platform 4.12 low-latency extras security update Advisory ID: RHSA-2024:1538 Product: Red Hat OpenShift Container Platform 4.12 Advisory URL: https://access.redhat.com/errata/RHSA-2024:1538 Issue date: 2024-03-27 CVE Names: CVE-2024-24786 ===================================================================== 1. Summary: An update for cnf-tests-container, dpdk-base-container, performance-addon- operator-must-gather NUMA-aware secondary scheduler, numaresources-operator is now available for Red Hat OpenShift Container Platform 4.12. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat OpenShift Container Platform 4.12 - amd64 3. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the extra low-latency container images for Red Hat OpenShift Container Platform 4.12. See the following advisory for the container images for this release: https://access.redhat.com/errata/RHSA-2024:1265 Security Fix(es): * golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON (CVE-2024-24786) All OpenShift Container Platform users are advised to upgrade to these updated packages and images. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 2268046 - CVE-2024-24786 - golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON 6. Package List: Red Hat OpenShift Container Platform 4.12 12:openshift4/cnf-tests-rhel8@sha256:45ea2c0408804e55d7368805547810532c141ac614a 410ed445624814003fd45_amd64: openshift4/cnf-tests-rhel8@sha256:45ea2c0408804e55d7368805547810532c141ac614a410 ed445624814003fd45_amd64.rpm 12:openshift4/dpdk-base-rhel8@sha256:afa8c39b03e4a1a42d2e0302d6a19d87c7158dab127 fb25e2f2da41d5c96d066_amd64: openshift4/dpdk-base-rhel8@sha256:afa8c39b03e4a1a42d2e0302d6a19d87c7158dab127fb2 5e2f2da41d5c96d066_amd64.rpm 12:openshift4/noderesourcetopology-scheduler-container-rhel8@sha256:1ba2b2da84ea 81478301a559346776ce710bba5a35f44722dcd3dd5f84ee9e4f_amd64: openshift4/noderesourcetopology-scheduler-container-rhel8@sha256:1ba2b2da84ea814 78301a559346776ce710bba5a35f44722dcd3dd5f84ee9e4f_amd64.rpm 12:openshift4/numaresources-operator-bundle@sha256:d50a87f4b8bb430065aa2be56a339 1bc20e94ce5a622d029d3f34316dc0cdeec_amd64: openshift4/numaresources-operator-bundle@sha256:d50a87f4b8bb430065aa2be56a3391bc 20e94ce5a622d029d3f34316dc0cdeec_amd64.rpm 12:openshift4/numaresources-rhel8-operator@sha256:9c0cecdb9c9b7fe7a68d32eecd0340 e91e7591462e9f55dc5c5841b0de7cae16_amd64: openshift4/numaresources-rhel8-operator@sha256:9c0cecdb9c9b7fe7a68d32eecd0340e91 e7591462e9f55dc5c5841b0de7cae16_amd64.rpm 12:openshift4/performance-addon-operator-must-gather-rhel8@sha256:4348aab82a7055 fdb42454b74e9ef8a6b46ddb93c45c8f4a7b38ec24f054ad2f_amd64: openshift4/performance-addon-operator-must-gather-rhel8@sha256:4348aab82a7055fdb 42454b74e9ef8a6b46ddb93c45c8f4a7b38ec24f054ad2f_amd64.rpm 7. References: https://access.redhat.com/security/cve/CVE-2024-24786 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/security/cve/cve-2024-24786 - --------------------------END INCLUDED TEXT---------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. ===========================================================================