===========================================================================
             AUSCERT External Security Bulletin Redistribution             
                                                                           
                               ESB-2024.2093                               
   Errata Advisory for Red Hat OpenShift GitOps v1.11.3 security update    
                               9 April 2024                                
                                                                           
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat OpenShift GitOps v1.11.3                        
Publisher:         Red Hat                                                 
Operating System:  Red Hat                                                 
Resolution:        Patch/Upgrade                                           
CVE Names:         CVE-2023-50726 CVE-2024-21652 CVE-2024-21661            
                   CVE-2024-21662 CVE-2024-29893                           

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2024:1697

Comment: CVSS (Max):  7.5 CVE-2024-21661 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: Red Hat                                              
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


- --------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                Red Hat Security Advisory

Synopsis:          Important: Errata Advisory for Red Hat OpenShift
                   GitOps v1.11.3 security update
Advisory ID:       RHSA-2024:1697
Product:           Red Hat OpenShift GitOps 1.11
Advisory URL:      https://access.redhat.com/errata/RHSA-2024:1697
Issue date:        2024-04-08
CVE Names:         CVE-2023-50726 CVE-2024-21652 CVE-2024-21661 CVE-2024-21662
                   CVE-2024-29893
=====================================================================

1. Summary:

An update is now available for Red Hat OpenShift GitOps v1.11.3. Red Hat
Product Security has rated this update as having a security impact of Important.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed
severity rating, is available for each vulnerability from the CVE link(s) in the
References section.

2. Relevant releases/architectures:

Red Hat OpenShift GitOps 1.11 - amd64, arm64, ppc64le, s390x 

3. Description:

Errata Advisory for Red Hat OpenShift GitOps v1.11.3.

Security Fix(es):

* argo-cd: Denial of Service Due to Unsafe Array Modification in Multi-threaded
Environment (CVE-2024-21661)

* argo-cd: Users with `create` but not `override` privileges can perform local
sync (CVE-2023-50726)

* argo-cd: Bypassing Brute Force Protection via Application Crash and In-Memory
Data Loss (CVE-2024-21652)

* argo-cd: uncontrolled resource consumption vulnerability (CVE-2024-29893)

* argo-cd: Bypassing Rate Limit and Brute Force Protection Using Cache Overflow
(CVE-2024-21662)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2269479 - CVE-2023-50726 - Argo CD: Users with `create` but not `override`
privileges can perform local sync
2270170 - CVE-2024-21652 - argo-cd: Bypassing Brute Force Protection via
Application Crash and In-Memory Data Loss
2270173 - CVE-2024-21661 - argo-cd: Denial of Service Due to Unsafe Array
Modification in Multi-threaded Environment
2270182 - CVE-2024-21662 - argo-cd: Bypassing Rate Limit and Brute Force
Protection Using Cache Overflow
2272211 - CVE-2024-29893 - argo-cd: uncontrolled memory allocation vulnerability

6. Package List:

Red Hat OpenShift GitOps 1.11

7. References:

https://access.redhat.com/security/cve/CVE-2023-50726
https://access.redhat.com/security/cve/CVE-2024-21652
https://access.redhat.com/security/cve/CVE-2024-21661
https://access.redhat.com/security/cve/CVE-2024-21662
https://access.redhat.com/security/cve/CVE-2024-29893
https://access.redhat.com/security/updates/classification/#important
https://docs.openshift.com/gitops/1.11/release_notes/gitops-release-notes.html
https://docs.openshift.com/gitops/1.11/understanding_openshift_gitops/about-redhat-openshift-gitops.html

- --------------------------END INCLUDED TEXT----------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================