===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2024.2093
     Errata Advisory for Red Hat OpenShift GitOps v1.11.3 security update
                                9 April 2024

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat OpenShift GitOps v1.11.3
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-50726 CVE-2024-21652 CVE-2024-21661
                   CVE-2024-21662 CVE-2024-29893

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2024:1697

Comment: CVSS (Max):  7.5 CVE-2024-21661 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Errata Advisory for Red Hat OpenShift GitOps v1.11.3 security update
Advisory ID:       RHSA-2024:1697
Product:           Red Hat OpenShift GitOps 1.11
Advisory URL:      https://access.redhat.com/errata/RHSA-2024:1697
Issue date:        2024-04-08
CVE Names:         CVE-2023-50726 CVE-2024-21652 CVE-2024-21661
                   CVE-2024-21662 CVE-2024-29893
=====================================================================

1. Summary:

An update is now available for Red Hat OpenShift GitOps v1.11.3.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift GitOps 1.11 - amd64, arm64, ppc64le, s390x

3. Description:

Errata Advisory for Red Hat OpenShift GitOps v1.11.3.

Security Fix(es):

* argo-cd: Denial of Service Due to Unsafe Array Modification in
  Multi-threaded Environment (CVE-2024-21661)

* argo-cd: Users with `create` but not `override` privileges can perform
  local sync (CVE-2023-50726)

* argo-cd: Bypassing Brute Force Protection via Application Crash and
  In-Memory Data Loss (CVE-2024-21652)

* argo-cd: uncontrolled resource consumption vulnerability (CVE-2024-29893)

* argo-cd: Bypassing Rate Limit and Brute Force Protection Using Cache
  Overflow (CVE-2024-21662)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2269479 - CVE-2023-50726 - Argo CD: Users with `create` but not `override` privileges can perform local sync
2270170 - CVE-2024-21652 - argo-cd: Bypassing Brute Force Protection via Application Crash and In-Memory Data Loss
2270173 - CVE-2024-21661 - argo-cd: Denial of Service Due to Unsafe Array Modification in Multi-threaded Environment
2270182 - CVE-2024-21662 - argo-cd: Bypassing Rate Limit and Brute Force Protection Using Cache Overflow
2272211 - CVE-2024-29893 - argo-cd: uncontrolled memory allocation vulnerability

6. Package List:

Red Hat OpenShift GitOps 1.11

11:openshift-gitops-1/argo-rollouts-rhel8@sha256:6127403dba805efc36d574037cd42a28d6b9890ee90695f8bf55d9050a2cf484_s390x:
openshift-gitops-1/argo-rollouts-rhel8@sha256:6127403dba805efc36d574037cd42a28d6b9890ee90695f8bf55d9050a2cf484_s390x.rpm

11:openshift-gitops-1/argo-rollouts-rhel8@sha256:b9b41d7e3bf03fd203164e1ec9bc894e824decee530a73a3ac64ebd023f0df70_ppc64le:
openshift-gitops-1/argo-rollouts-rhel8@sha256:b9b41d7e3bf03fd203164e1ec9bc894e824decee530a73a3ac64ebd023f0df70_ppc64le.rpm

11:openshift-gitops-1/argo-rollouts-rhel8@sha256:dfb51f001b4ff4b926e5651e66c71fdc3fd5ffa56744b401c648ba1e6a04b461_arm64:
openshift-gitops-1/argo-rollouts-rhel8@sha256:dfb51f001b4ff4b926e5651e66c71fdc3fd5ffa56744b401c648ba1e6a04b461_arm64.rpm

11:openshift-gitops-1/argo-rollouts-rhel8@sha256:f90e8392c932d527fd720a016341484be74a8934cea153322ad76e192b995d9e_amd64:
openshift-gitops-1/argo-rollouts-rhel8@sha256:f90e8392c932d527fd720a016341484be74a8934cea153322ad76e192b995d9e_amd64.rpm

11:openshift-gitops-1/argocd-rhel8@sha256:6a130b07e68b8e30d78d8d6db6f85b718583fc3ceb35827834a46bd07cee1727_amd64:
openshift-gitops-1/argocd-rhel8@sha256:6a130b07e68b8e30d78d8d6db6f85b718583fc3ceb35827834a46bd07cee1727_amd64.rpm

11:openshift-gitops-1/argocd-rhel8@sha256:c8bc4553ee07fe306549c3a915bc7822ac2fccc1895be00d91a2d5113a0f9231_s390x:
openshift-gitops-1/argocd-rhel8@sha256:c8bc4553ee07fe306549c3a915bc7822ac2fccc1895be00d91a2d5113a0f9231_s390x.rpm

11:openshift-gitops-1/argocd-rhel8@sha256:fb2afdfdfe8744e2840695b6f4f77f257d7c6f554cb02c9ca6c277bc2d2772be_ppc64le:
openshift-gitops-1/argocd-rhel8@sha256:fb2afdfdfe8744e2840695b6f4f77f257d7c6f554cb02c9ca6c277bc2d2772be_ppc64le.rpm

11:openshift-gitops-1/argocd-rhel8@sha256:fbd1daea3cfa54e43089f97b6ce1887e5f4df027bde9d20ab7e32d1e221b757d_arm64:
openshift-gitops-1/argocd-rhel8@sha256:fbd1daea3cfa54e43089f97b6ce1887e5f4df027bde9d20ab7e32d1e221b757d_arm64.rpm

11:openshift-gitops-1/console-plugin-rhel8@sha256:339617f04389e835b127ed280aeda5f43f6817988c9ebe0ecd0f609b149c3b82_s390x:
openshift-gitops-1/console-plugin-rhel8@sha256:339617f04389e835b127ed280aeda5f43f6817988c9ebe0ecd0f609b149c3b82_s390x.rpm

11:openshift-gitops-1/console-plugin-rhel8@sha256:9f9b1dc112f45ec605b817450388b116e523733cd5ad66ba09e91a47b624eed9_arm64:
openshift-gitops-1/console-plugin-rhel8@sha256:9f9b1dc112f45ec605b817450388b116e523733cd5ad66ba09e91a47b624eed9_arm64.rpm

11:openshift-gitops-1/console-plugin-rhel8@sha256:acd4ec75a69fbf1f04c1f825df2bf3f6fcfdad2f594f441dc01985a3bca9ae75_ppc64le:
openshift-gitops-1/console-plugin-rhel8@sha256:acd4ec75a69fbf1f04c1f825df2bf3f6fcfdad2f594f441dc01985a3bca9ae75_ppc64le.rpm

11:openshift-gitops-1/console-plugin-rhel8@sha256:c9947f0f6981e1b7e7a8919e59cb36e981eab217d710101947a50f029f9d5864_amd64:
openshift-gitops-1/console-plugin-rhel8@sha256:c9947f0f6981e1b7e7a8919e59cb36e981eab217d710101947a50f029f9d5864_amd64.rpm

11:openshift-gitops-1/dex-rhel8@sha256:2e20b3f1b6178faab7e1363efe0629998a18d93e134703312b729efdceac9069_amd64:
openshift-gitops-1/dex-rhel8@sha256:2e20b3f1b6178faab7e1363efe0629998a18d93e134703312b729efdceac9069_amd64.rpm

11:openshift-gitops-1/dex-rhel8@sha256:37aa863fe717c6587e0d3079f1613e36d95d45c8958d6e63940419b801f6cc75_ppc64le:
openshift-gitops-1/dex-rhel8@sha256:37aa863fe717c6587e0d3079f1613e36d95d45c8958d6e63940419b801f6cc75_ppc64le.rpm

11:openshift-gitops-1/dex-rhel8@sha256:567428139e895d1a8eea9baaea570ed24dc64dd7d36e65167d029579fbf0cfd4_s390x:
openshift-gitops-1/dex-rhel8@sha256:567428139e895d1a8eea9baaea570ed24dc64dd7d36e65167d029579fbf0cfd4_s390x.rpm

11:openshift-gitops-1/dex-rhel8@sha256:ffefdc53c0d0b1c6ca36c83d4d0b3a48a5ccafa02aa3c865450d0bc01cfc6983_arm64:
openshift-gitops-1/dex-rhel8@sha256:ffefdc53c0d0b1c6ca36c83d4d0b3a48a5ccafa02aa3c865450d0bc01cfc6983_arm64.rpm

11:openshift-gitops-1/gitops-operator-bundle@sha256:648d9e94bd34d93d425132a80b445cc2113f8068c803deb1c241fe73e1b21b56_amd64:
openshift-gitops-1/gitops-operator-bundle@sha256:648d9e94bd34d93d425132a80b445cc2113f8068c803deb1c241fe73e1b21b56_amd64.rpm

11:openshift-gitops-1/gitops-rhel8-operator@sha256:97cd97e2c99c69b94ab9a18d2515114c32b39ea39f25aa5d560e107190e34fbb_s390x:
openshift-gitops-1/gitops-rhel8-operator@sha256:97cd97e2c99c69b94ab9a18d2515114c32b39ea39f25aa5d560e107190e34fbb_s390x.rpm

11:openshift-gitops-1/gitops-rhel8-operator@sha256:98c86ba6b3ba5ae4b5c21f1913693174166a1e60a1c6da399e500ed6974ce72e_ppc64le:
openshift-gitops-1/gitops-rhel8-operator@sha256:98c86ba6b3ba5ae4b5c21f1913693174166a1e60a1c6da399e500ed6974ce72e_ppc64le.rpm

11:openshift-gitops-1/gitops-rhel8-operator@sha256:b263b478702fb4de022d5f9906273842ce0613eaefdf6f4ee8f07fc5384f9857_amd64:
openshift-gitops-1/gitops-rhel8-operator@sha256:b263b478702fb4de022d5f9906273842ce0613eaefdf6f4ee8f07fc5384f9857_amd64.rpm

11:openshift-gitops-1/gitops-rhel8-operator@sha256:c5b00eadf15a9d84727630246efa051e8eb8c73106ada11acf1bc11bcd85f19d_arm64:
openshift-gitops-1/gitops-rhel8-operator@sha256:c5b00eadf15a9d84727630246efa051e8eb8c73106ada11acf1bc11bcd85f19d_arm64.rpm

11:openshift-gitops-1/gitops-rhel8@sha256:b655a97c3aeab2feca73b054e03e832172c6886dbb29334f511d868be31de009_arm64:
openshift-gitops-1/gitops-rhel8@sha256:b655a97c3aeab2feca73b054e03e832172c6886dbb29334f511d868be31de009_arm64.rpm

11:openshift-gitops-1/gitops-rhel8@sha256:c947179654ddbef9a0268831920e19fd301187701e5022863736b43d883bf027_ppc64le:
openshift-gitops-1/gitops-rhel8@sha256:c947179654ddbef9a0268831920e19fd301187701e5022863736b43d883bf027_ppc64le.rpm

11:openshift-gitops-1/gitops-rhel8@sha256:f1b5e410215abb50f6fa0b7575a75fd5d2f4a6ad901566fca037c96a31455f07_amd64:
openshift-gitops-1/gitops-rhel8@sha256:f1b5e410215abb50f6fa0b7575a75fd5d2f4a6ad901566fca037c96a31455f07_amd64.rpm

11:openshift-gitops-1/gitops-rhel8@sha256:f848e0bedee28d10351781cc25fb7662bfbf692d1ed2f5972032d7ed5d50ede6_s390x:
openshift-gitops-1/gitops-rhel8@sha256:f848e0bedee28d10351781cc25fb7662bfbf692d1ed2f5972032d7ed5d50ede6_s390x.rpm

11:openshift-gitops-1/kam-delivery-rhel8@sha256:243757043ae12bb32ada35638b39f0ad8621dbb2a4f0b0ea2cc00ef22398e3c0_amd64:
openshift-gitops-1/kam-delivery-rhel8@sha256:243757043ae12bb32ada35638b39f0ad8621dbb2a4f0b0ea2cc00ef22398e3c0_amd64.rpm

11:openshift-gitops-1/kam-delivery-rhel8@sha256:341056443b4b4b73d399906ab4c6752557b170a894f2791c8e96ac448dfd1094_ppc64le:
openshift-gitops-1/kam-delivery-rhel8@sha256:341056443b4b4b73d399906ab4c6752557b170a894f2791c8e96ac448dfd1094_ppc64le.rpm

11:openshift-gitops-1/kam-delivery-rhel8@sha256:3f57e8c1c090bf3e276966e15903c372551b9360f4558589a66b5f5b112ba735_arm64:
openshift-gitops-1/kam-delivery-rhel8@sha256:3f57e8c1c090bf3e276966e15903c372551b9360f4558589a66b5f5b112ba735_arm64.rpm

11:openshift-gitops-1/kam-delivery-rhel8@sha256:fdaa10d7f6696f36f51aed47f96575a2ef4bca1a4912af0c75ac4a2f4a0eb7cc_s390x:
openshift-gitops-1/kam-delivery-rhel8@sha256:fdaa10d7f6696f36f51aed47f96575a2ef4bca1a4912af0c75ac4a2f4a0eb7cc_s390x.rpm

11:openshift-gitops-1/must-gather-rhel8@sha256:38a621bda3e0b14787f3fe412ecf7016d090f71d4645cfb1a196ac7c7bbf96f1_s390x:
openshift-gitops-1/must-gather-rhel8@sha256:38a621bda3e0b14787f3fe412ecf7016d090f71d4645cfb1a196ac7c7bbf96f1_s390x.rpm

11:openshift-gitops-1/must-gather-rhel8@sha256:8ae7446f334fafdcdd23886096566ee9a9af6b1c74f825cc7d5ca2797cdc1dbf_amd64:
openshift-gitops-1/must-gather-rhel8@sha256:8ae7446f334fafdcdd23886096566ee9a9af6b1c74f825cc7d5ca2797cdc1dbf_amd64.rpm

11:openshift-gitops-1/must-gather-rhel8@sha256:dec2b37341e2ecdfd29288f623dbbfda388d24794d8e101adb18bd4e6ff6d2d1_arm64:
openshift-gitops-1/must-gather-rhel8@sha256:dec2b37341e2ecdfd29288f623dbbfda388d24794d8e101adb18bd4e6ff6d2d1_arm64.rpm

11:openshift-gitops-1/must-gather-rhel8@sha256:e4cf9b2d875fbedb7e317aa2038865e82ef965e72f4d1ab3983adfaff11b791f_ppc64le:
openshift-gitops-1/must-gather-rhel8@sha256:e4cf9b2d875fbedb7e317aa2038865e82ef965e72f4d1ab3983adfaff11b791f_ppc64le.rpm

7. References:

https://access.redhat.com/security/cve/CVE-2023-50726
https://access.redhat.com/security/cve/CVE-2024-21652
https://access.redhat.com/security/cve/CVE-2024-21661
https://access.redhat.com/security/cve/CVE-2024-21662
https://access.redhat.com/security/cve/CVE-2024-29893
https://access.redhat.com/security/updates/classification/#important
https://docs.openshift.com/gitops/1.11/release_notes/gitops-release-notes.html
https://docs.openshift.com/gitops/1.11/understanding_openshift_gitops/about-redhat-openshift-gitops.html

- --------------------------END INCLUDED TEXT----------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
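Section 6 of the advisory lists, per architecture, the exact image digests that constitute GitOps v1.11.3. The practical follow-up to "apply this update" is to confirm that the containers actually running on the cluster use one of those digests. The script below is an added example and is not part of the bulletin or of Red Hat's tooling: it parses rows in the advisory's own `11:<repo>@sha256:<digest>_<arch>:` format (three amd64 rows copied from section 6 above; a real run would paste in all of them) and compares them with a constructed, tab-separated listing of namespace, container name and `status.containerStatuses[].imageID` as you might extract it from `oc get pods -A -o json` with jq. The cluster listing, including the all-zero digest standing in for a pre-1.11.3 image, is made-up sample data.

```python
"""Flag running OpenShift GitOps containers whose image digest is not among the
digests shipped by RHSA-2024:1697 (section 6 of the advisory above)."""
import re
from typing import Dict, List, NamedTuple, Set

# Rows copied from the advisory's "6. Package List" (amd64 only, for brevity).
ADVISORY_PACKAGE_LIST = """
11:openshift-gitops-1/argocd-rhel8@sha256:6a130b07e68b8e30d78d8d6db6f85b718583fc3ceb35827834a46bd07cee1727_amd64:
11:openshift-gitops-1/dex-rhel8@sha256:2e20b3f1b6178faab7e1363efe0629998a18d93e134703312b729efdceac9069_amd64:
11:openshift-gitops-1/gitops-rhel8-operator@sha256:b263b478702fb4de022d5f9906273842ce0613eaefdf6f4ee8f07fc5384f9857_amd64:
"""

# CONSTRUCTED sample cluster listing (namespace, container, imageID), not real
# output. The all-zero digest stands in for whatever older operator image a
# cluster happened to be running; the prometheus line is noise the check must ignore.
SAMPLE_CLUSTER_OUTPUT = "\n".join([
    "openshift-gitops\targocd-server\tregistry.redhat.io/openshift-gitops-1/argocd-rhel8"
    "@sha256:6a130b07e68b8e30d78d8d6db6f85b718583fc3ceb35827834a46bd07cee1727",
    "openshift-gitops-operator\tmanager\tregistry.redhat.io/openshift-gitops-1/gitops-rhel8-operator"
    "@sha256:0000000000000000000000000000000000000000000000000000000000000000",
    "openshift-monitoring\tprometheus\tregistry.redhat.io/openshift4/ose-prometheus"
    "@sha256:1111111111111111111111111111111111111111111111111111111111111111",
])

ADVISORY_ROW = re.compile(
    r"^\d+:(?P<repo>[^@\s]+)@sha256:(?P<digest>[0-9a-f]{64})_(?P<arch>[a-z0-9]+):$")
IMAGE_REF = re.compile(
    r"^(?P<registry>[^/\s]+)/(?P<repo>[^@\s]+)@sha256:(?P<digest>[0-9a-f]{64})$")


def parse_advisory(text: str) -> Dict[str, Set[str]]:
    """Map repository path -> set of fixed digests, all architectures merged:
    any digest the advisory lists for a repository is a patched image."""
    fixed: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        m = ADVISORY_ROW.match(line.strip())
        if m:
            fixed.setdefault(m["repo"], set()).add(m["digest"])
    return fixed


class Finding(NamedTuple):
    namespace: str
    container: str
    repo: str
    digest: str


def find_unpatched(cluster_output: str, fixed: Dict[str, Set[str]]) -> List[Finding]:
    """Return containers whose image comes from a repository the advisory covers
    but whose digest is not one of the fixed digests. Repositories the advisory
    does not mention are ignored rather than flagged."""
    findings: List[Finding] = []
    for line in cluster_output.splitlines():
        if not line.strip():
            continue
        namespace, container, image_id = line.split("\t")
        m = IMAGE_REF.match(image_id)
        if not m:
            continue  # tag-only or malformed reference: cannot be compared by digest
        repo, digest = m["repo"], m["digest"]
        if repo in fixed and digest not in fixed[repo]:
            findings.append(Finding(namespace, container, repo, digest))
    return findings


if __name__ == "__main__":
    fixed_images = parse_advisory(ADVISORY_PACKAGE_LIST)
    for f in find_unpatched(SAMPLE_CLUSTER_OUTPUT, fixed_images):
        print(f"NOT ON RHSA-2024:1697 IMAGE: {f.namespace}/{f.container} "
              f"{f.repo}@sha256:{f.digest[:12]}...")
```

Two caveats when running this against a real cluster. First, a digest that is absent from the list means "not the v1.11.3 image", which could be either an older, vulnerable image or a newer erratum; check the release channel before treating every hit as unpatched. Second, the advisory lists per-architecture manifest digests, while the imageID the node reports may be the multi-arch manifest-list digest the pod was pulled by; if the two disagree, resolve the list with `skopeo inspect --raw docker://<image>@sha256:<digest>` and compare the platform-specific entry.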