Operating System:

[RedHat]

Published:

28 March 2024

Protect yourself against future threats.

//Service

Malicious URL Feed

Add this Australian-based feed to your firewall blacklist and SIEM to prevent compromises to your network.

Read more
Resources > Security Bulletins > ESB-2024.1821 

===========================================================================
             AUSCERT External Security Bulletin Redistribution             
                                                                           
                               ESB-2024.1821                               
  OpenShift Container Platform 4.13.38 low-latency extras security update  
                               28 March 2024                               
                                                                           
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           OpenShift Container Platform 4.13.38 low-latency extras 
Publisher:         Red Hat                                                 
Operating System:  Red Hat                                                 
Resolution:        Patch/Upgrade                                           
CVE Names:         CVE-2024-24786                                          

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2024:1537

Comment: CVSS (Max):  5.9 CVE-2024-24786 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: Red Hat                                              
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H


- --------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.13.38
                   low-latency extras security update
Advisory ID:       RHSA-2024:1537
Product:           Red Hat OpenShift Container Platform 4.13
Advisory URL:      https://access.redhat.com/errata/RHSA-2024:1537
Issue date:        2024-03-27
CVE Names:         CVE-2024-24786
=====================================================================

1. Summary:

An update for cnf-tests-container, dpdk-base-container, performance-addon-
operator-must-gather NUMA-aware secondary scheduler, numaresources-operator  is
now available for Red Hat OpenShift Container Platform 4.13.

Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 4.13 - amd64 

3. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes
application platform solution designed for on-premise or private cloud
deployments.

This advisory contains the extra low-latency container images for Red Hat
OpenShift Container Platform 4.13. See the following advisory for the container
images for this release:

https://access.redhat.com/errata/RHSA-2024:1454

Security Fix(es):

* golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in
protojson.Unmarshal when unmarshaling certain forms of invalid JSON
(CVE-2024-24786)

All OpenShift Container Platform users are advised to upgrade to these updated
packages and images.

4. Solution:

Before applying this update, make sure all previously released errata relevant
to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2268046 - CVE-2024-24786 - golang-protobuf: encoding/protojson,
internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling
certain forms of invalid JSON

6. Package List:

Red Hat OpenShift Container Platform 4.13

13:openshift4/cnf-tests-rhel8@sha256:1557755b7221f41738b6b607af8412d6fb541ceb08f
d48f82ad5580d8daafc9f_amd64:
openshift4/cnf-tests-rhel8@sha256:1557755b7221f41738b6b607af8412d6fb541ceb08fd48
f82ad5580d8daafc9f_amd64.rpm

13:openshift4/dpdk-base-rhel8@sha256:0e6bdd39419572fba8f89c910b9313dc74b96dc0ea7
d4efa44f9b69be0f33e28_amd64:
openshift4/dpdk-base-rhel8@sha256:0e6bdd39419572fba8f89c910b9313dc74b96dc0ea7d4e
fa44f9b69be0f33e28_amd64.rpm

13:openshift4/noderesourcetopology-scheduler-container-rhel8@sha256:ac0874d92b32
04756ddaa4f5b6e4a4d66ecc9e807c5deb0b028d744424d00eb6_amd64:
openshift4/noderesourcetopology-scheduler-container-rhel8@sha256:ac0874d92b32047
56ddaa4f5b6e4a4d66ecc9e807c5deb0b028d744424d00eb6_amd64.rpm

13:openshift4/numaresources-operator-bundle@sha256:7f5ddc79b60a283066285fb5fed5e
91b9a7b6d50d4c16095b4ee984456352a06_amd64:
openshift4/numaresources-operator-bundle@sha256:7f5ddc79b60a283066285fb5fed5e91b
9a7b6d50d4c16095b4ee984456352a06_amd64.rpm

13:openshift4/numaresources-rhel8-operator@sha256:61046b76f996adb139cdc44cbb142b
6999bf8503229a65d18227c2ebdcac18fc_amd64:
openshift4/numaresources-rhel8-operator@sha256:61046b76f996adb139cdc44cbb142b699
9bf8503229a65d18227c2ebdcac18fc_amd64.rpm

13:openshift4/performance-addon-operator-must-gather-rhel8@sha256:7c62a226b3098c
724402201e0fc251d7abbbfc726f18d556ad97d58684eb6373_amd64:
openshift4/performance-addon-operator-must-gather-rhel8@sha256:7c62a226b3098c724
402201e0fc251d7abbbfc726f18d556ad97d58684eb6373_amd64.rpm

7. References:

https://access.redhat.com/security/cve/CVE-2024-24786
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/security/cve/cve-2024-24786

- --------------------------END INCLUDED TEXT----------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================