===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2024.2069
       Red Hat Single Sign-On 7.6.7 for OpenShift image security update
                                5 April 2024

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat Single Sign-On 7.6.7 for OpenShift image
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2024-1597 CVE-2020-28241 CVE-2023-6135

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2024:1686

Comment: CVSS (Max):  9.8 CVE-2024-1597 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Single Sign-On 7.6.7 for OpenShift image security update
Advisory ID:       RHSA-2024:1686
Product:           Middleware Containers for OpenShift
Advisory URL:      https://access.redhat.com/errata/RHSA-2024:1686
Issue date:        2024-04-04
CVE Names:         CVE-2020-28241 CVE-2023-6135 CVE-2024-1597
=====================================================================

1. Summary:

A new image is available for Red Hat Single Sign-On 7.6.7, running on OpenShift Container Platform 3.10 and 3.11, and 4.3.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Middleware Containers for OpenShift - amd64, s390x, ppc64le

3. Description:

The rh-sso-7/sso76-openshift-rhel8 container image has been updated for RHEL-8 based Middleware Containers to address the following security advisory: RHSA-2023:5837 (see References)

Users of rh-sso-7/sso76-openshift-rhel8 container images are advised to upgrade to these updated images, which contain backported patches to correct these security issues, fix these bugs and add these enhancements. Users of these images are also encouraged to rebuild all container images that depend on these images.

Security Fix(es):

* pgjdbc: PostgreSQL JDBC Driver allows attacker to inject SQL if using PreferQueryMode=SIMPLE (CVE-2024-1597)

* libmaxminddb: improper initialization in dump_entry_data_list() in maxminddb.c (CVE-2020-28241)

* nss: vulnerable to Minerva side-channel information leak (CVE-2023-6135)

You can find images updated by this advisory in Red Hat Container Catalog (see References).

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1895379 - CVE-2020-28241 - libmaxminddb: improper initialization in dump_entry_data_list() in maxminddb.c
2249906 - CVE-2023-6135 - nss: vulnerable to Minerva side-channel information leak
2266523 - CVE-2024-1597 - pgjdbc: PostgreSQL JDBC Driver allows attacker to inject SQL if using PreferQueryMode=SIMPLE

6. Package List:

Middleware Containers for OpenShift

8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:fa9d954957c644853886943a2bb5e18b178f3595384bdb73b8e5f7e5db0f4932_amd64:
rh-sso-7/sso7-rhel8-operator-bundle@sha256:fa9d954957c644853886943a2bb5e18b178f3595384bdb73b8e5f7e5db0f4932_amd64.rpm

8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:89f7ae83a1818e771e20982a6a4dd2c01ded703c65e90263f961504a3d1c5b37_ppc64le:
rh-sso-7/sso76-openshift-rhel8@sha256:89f7ae83a1818e771e20982a6a4dd2c01ded703c65e90263f961504a3d1c5b37_ppc64le.rpm

8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:c70d15537cad829f067e8c6ad57dfe5300fd9ff768d27973354bb061cae7754b_amd64:
rh-sso-7/sso76-openshift-rhel8@sha256:c70d15537cad829f067e8c6ad57dfe5300fd9ff768d27973354bb061cae7754b_amd64.rpm

8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:efe74faab04366421442d5febdc4087aece4506a92c0ba1be42fe627a23fb0cb_s390x:
rh-sso-7/sso76-openshift-rhel8@sha256:efe74faab04366421442d5febdc4087aece4506a92c0ba1be42fe627a23fb0cb_s390x.rpm

7. References:

https://access.redhat.com/security/cve/CVE-2020-28241
https://access.redhat.com/security/cve/CVE-2023-6135
https://access.redhat.com/security/cve/CVE-2024-1597
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/errata/RHSA-2023:5837
https://catalog.redhat.com/software/containers/registry/registry.access.redhat.com/repository/rh-sso-7/sso76-openshift-rhel8

- --------------------------END INCLUDED TEXT----------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
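Two checks a practitioner would want after reading section 4 (Solution) and section 6 (Package List) of the advisory above, written here as an added example; this is not code from Red Hat, AusCERT or the RH-SSO project. The first check classifies each rh-sso-7 image reference in a cluster inventory by whether it is pinned to one of the four digests the advisory publishes, is pinned to some other digest, or is referenced only by tag (which the reference alone cannot verify). The second flags a PostgreSQL JDBC URL that opts into preferQueryMode=simple, the non-default pgjdbc query mode that CVE-2024-1597 requires. The pod names, the all-zero "stale" digest and the JDBC URLs are constructed sample data; the inventory lines only mimic the shape of the real `oc get pods -A -o jsonpath=...` command shown in the comment. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from Red Hat or AusCERT. Two checks after RHSA-2024:1686:
#   1. classify_image: is an rh-sso-7 image reference pinned to one of the
#      digests listed in section 6 of the advisory?
#   2. jdbc_url_uses_simple_mode: does a PostgreSQL JDBC URL opt into
#      preferQueryMode=simple, the non-default mode CVE-2024-1597 requires?
# INVENTORY and the JDBC URLs below are constructed sample data. INVENTORY has
# the shape of this real command's output (namespace/pod, then container images):
#   oc get pods -A -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name} {.spec.containers[*].image}{"\n"}{end}'

# Digests published in RHSA-2024:1686, section 6: <digest> <repository> <arch>.
# Extend this table if a later advisory supersedes these images.
FIXED_DIGESTS='
sha256:c70d15537cad829f067e8c6ad57dfe5300fd9ff768d27973354bb061cae7754b rh-sso-7/sso76-openshift-rhel8 amd64
sha256:89f7ae83a1818e771e20982a6a4dd2c01ded703c65e90263f961504a3d1c5b37 rh-sso-7/sso76-openshift-rhel8 ppc64le
sha256:efe74faab04366421442d5febdc4087aece4506a92c0ba1be42fe627a23fb0cb rh-sso-7/sso76-openshift-rhel8 s390x
sha256:fa9d954957c644853886943a2bb5e18b178f3595384bdb73b8e5f7e5db0f4932 rh-sso-7/sso7-rhel8-operator-bundle amd64
'

# Constructed inventory. The all-zero digest is a placeholder standing in for
# any pre-advisory image; it is not a real image.
INVENTORY='
sso-prod/sso-3-a1b2c registry.redhat.io/rh-sso-7/sso76-openshift-rhel8@sha256:c70d15537cad829f067e8c6ad57dfe5300fd9ff768d27973354bb061cae7754b
sso-legacy/sso-1-d4e5f registry.redhat.io/rh-sso-7/sso76-openshift-rhel8@sha256:0000000000000000000000000000000000000000000000000000000000000000
sso-dev/sso-2-g7h8i registry.redhat.io/rh-sso-7/sso76-openshift-rhel8:7.6
web/frontend-5-j0k1l registry.access.redhat.com/ubi8/ubi:latest
'

# classify_image <image-ref>
# Prints "fixed <arch>" when the reference is pinned to an advisory digest,
# "stale" when it is an rh-sso-7 image pinned to some other digest,
# "unpinned" when it is an rh-sso-7 image referenced by tag only, and
# "other" for images this advisory does not cover.
classify_image() {
  ref=$1
  case "$ref" in
    *rh-sso-7/*@sha256:*) ;;
    *rh-sso-7/*) echo unpinned; return 0 ;;
    *) echo other; return 0 ;;
  esac
  digest=${ref##*@}                     # "sha256:..."
  repo=${ref%@*}                        # strip "@sha256:..."
  repo="rh-sso-7/${repo##*rh-sso-7/}"   # drop the registry host, keep org/name
  result=stale
  while read -r fixed_digest fixed_repo arch; do
    [ -n "$fixed_digest" ] || continue
    if [ "$fixed_digest" = "$digest" ] && [ "$fixed_repo" = "$repo" ]; then
      result="fixed $arch"
    fi
  done <<EOF
$FIXED_DIGESTS
EOF
  echo "$result"
}

# jdbc_url_uses_simple_mode <jdbc-url>
# Returns 0 (true) when a PostgreSQL JDBC URL carries preferQueryMode=simple
# in its query string, 1 otherwise. The comparison is case-insensitive so the
# spelling used in the advisory (PreferQueryMode=SIMPLE) is caught as well.
jdbc_url_uses_simple_mode() {
  lower=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  case "$lower" in jdbc:postgresql:*) ;; *) return 1 ;; esac
  query=${lower#*\?}                    # text after the first '?'
  [ "$query" != "$lower" ] || return 1  # no query string at all
  old_ifs=$IFS
  IFS='&'; set -f                       # split on '&', no globbing of values
  set -- $query
  IFS=$old_ifs; set +f
  for kv in "$@"; do
    [ "$kv" = "preferquerymode=simple" ] && return 0
  done
  return 1
}

# audit_inventory: one report line per pod in INVENTORY.
audit_inventory() {
  printf '%s\n' "$INVENTORY" | while read -r pod image; do
    [ -n "$pod" ] || continue
    printf '%-24s %-14s %s\n' "$pod" "$(classify_image "$image")" "$image"
  done
}

# count_needing_action: number of rh-sso-7 pods in INVENTORY that are not
# pinned to an advisory digest (stale or unpinned).
count_needing_action() {
  printf '%s\n' "$INVENTORY" | while read -r pod image; do
    [ -n "$pod" ] || continue
    case "$(classify_image "$image")" in
      stale|unpinned) echo "$pod" ;;
    esac
  done | wc -l | tr -d ' '
}

audit_inventory
echo "rh-sso-7 pods needing action: $(count_needing_action)"
```

A tag-only reference such as `...:7.6` is reported as unpinned because the reference says nothing about which build is running; for those pods compare the resolved digest in `.status.containerStatuses[*].imageID` against the same table. The JDBC check is meant for wherever the datasource connection URL is set in your deployment (datasource definition or environment variable); a URL without `preferQueryMode` runs pgjdbc in its default extended mode, which the advisory does not list as affected.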