Operating System:

[RedHat]

Published:

28 March 2024

Protect yourself against future threats.

//Service

Security Bulletins

Receive up to date and consistent security bulletins across a wide range of vendors, streamlining security patching.

Read more
Resources > Security Bulletins > ESB-2024.1820 

===========================================================================
             AUSCERT External Security Bulletin Redistribution             
                                                                           
                               ESB-2024.1820                               
   OpenShift Container Platform 4.12 low-latency extras security update    
                               28 March 2024                               
                                                                           
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           OpenShift Container Platform 4.12 low-latency extras    
Publisher:         Red Hat                                                 
Operating System:  Red Hat                                                 
Resolution:        Patch/Upgrade                                           
CVE Names:         CVE-2024-24786                                          

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2024:1538

Comment: CVSS (Max):  5.9 CVE-2024-24786 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: Red Hat                                              
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H


- --------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.12
                   low-latency extras security update
Advisory ID:       RHSA-2024:1538
Product:           Red Hat OpenShift Container Platform 4.12
Advisory URL:      https://access.redhat.com/errata/RHSA-2024:1538
Issue date:        2024-03-27
CVE Names:         CVE-2024-24786
=====================================================================

1. Summary:

An update for cnf-tests-container, dpdk-base-container, performance-addon-
operator-must-gather NUMA-aware secondary scheduler, numaresources-operator is
now available for Red Hat OpenShift Container Platform 4.12.

Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 4.12 - amd64 

3. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes
application platform solution designed for on-premise or private cloud
deployments.

This advisory contains the extra low-latency container images for Red Hat
OpenShift Container Platform 4.12. See the following advisory for the container
images for this release:

https://access.redhat.com/errata/RHSA-2024:1265

Security Fix(es):

* golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in
protojson.Unmarshal when unmarshaling certain forms of invalid JSON
(CVE-2024-24786)

All OpenShift Container Platform users are advised to upgrade to these updated
packages and images.

4. Solution:

Before applying this update, make sure all previously released errata relevant
to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2268046 - CVE-2024-24786 - golang-protobuf: encoding/protojson,
internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling
certain forms of invalid JSON

6. Package List:

Red Hat OpenShift Container Platform 4.12

12:openshift4/cnf-tests-rhel8@sha256:45ea2c0408804e55d7368805547810532c141ac614a
410ed445624814003fd45_amd64:
openshift4/cnf-tests-rhel8@sha256:45ea2c0408804e55d7368805547810532c141ac614a410
ed445624814003fd45_amd64.rpm

12:openshift4/dpdk-base-rhel8@sha256:afa8c39b03e4a1a42d2e0302d6a19d87c7158dab127
fb25e2f2da41d5c96d066_amd64:
openshift4/dpdk-base-rhel8@sha256:afa8c39b03e4a1a42d2e0302d6a19d87c7158dab127fb2
5e2f2da41d5c96d066_amd64.rpm

12:openshift4/noderesourcetopology-scheduler-container-rhel8@sha256:1ba2b2da84ea
81478301a559346776ce710bba5a35f44722dcd3dd5f84ee9e4f_amd64:
openshift4/noderesourcetopology-scheduler-container-rhel8@sha256:1ba2b2da84ea814
78301a559346776ce710bba5a35f44722dcd3dd5f84ee9e4f_amd64.rpm

12:openshift4/numaresources-operator-bundle@sha256:d50a87f4b8bb430065aa2be56a339
1bc20e94ce5a622d029d3f34316dc0cdeec_amd64:
openshift4/numaresources-operator-bundle@sha256:d50a87f4b8bb430065aa2be56a3391bc
20e94ce5a622d029d3f34316dc0cdeec_amd64.rpm

12:openshift4/numaresources-rhel8-operator@sha256:9c0cecdb9c9b7fe7a68d32eecd0340
e91e7591462e9f55dc5c5841b0de7cae16_amd64:
openshift4/numaresources-rhel8-operator@sha256:9c0cecdb9c9b7fe7a68d32eecd0340e91
e7591462e9f55dc5c5841b0de7cae16_amd64.rpm

12:openshift4/performance-addon-operator-must-gather-rhel8@sha256:4348aab82a7055
fdb42454b74e9ef8a6b46ddb93c45c8f4a7b38ec24f054ad2f_amd64:
openshift4/performance-addon-operator-must-gather-rhel8@sha256:4348aab82a7055fdb
42454b74e9ef8a6b46ddb93c45c8f4a7b38ec24f054ad2f_amd64.rpm

7. References:

https://access.redhat.com/security/cve/CVE-2024-24786
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/security/cve/cve-2024-24786

- --------------------------END INCLUDED TEXT----------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================