===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2024.2094
    Errata Advisory for Red Hat OpenShift GitOps v1.10.4 security update
                               9 April 2024

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat OpenShift GitOps v1.10.4
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-50726 CVE-2024-21652 CVE-2024-21661
                   CVE-2024-21662 CVE-2024-29893
Original Bulletin: https://access.redhat.com/errata/RHSA-2024:1700

Comment: CVSS (Max):  7.5 CVE-2024-21661 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Errata Advisory for Red Hat OpenShift GitOps v1.10.4 security update
Advisory ID:       RHSA-2024:1700
Product:           Red Hat OpenShift GitOps 1.10
Advisory URL:      https://access.redhat.com/errata/RHSA-2024:1700
Issue date:        2024-04-08
CVE Names:         CVE-2023-50726 CVE-2024-21652 CVE-2024-21661
                   CVE-2024-21662 CVE-2024-29893
=====================================================================

1. Summary:

An update is now available for Red Hat OpenShift GitOps v1.10.4.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift GitOps 1.10 - amd64, arm64, ppc64le, s390x

3. Description:

Errata Advisory for Red Hat OpenShift GitOps v1.10.4.
Security Fix(es):

* argo-cd: Denial of Service Due to Unsafe Array Modification in Multi-threaded Environment (CVE-2024-21661)

* argo-cd: Users with `create` but not `override` privileges can perform local sync (CVE-2023-50726)

* argo-cd: Bypassing Brute Force Protection via Application Crash and In-Memory Data Loss (CVE-2024-21652)

* argo-cd: uncontrolled resource consumption vulnerability (CVE-2024-29893)

* argo-cd: Bypassing Rate Limit and Brute Force Protection Using Cache Overflow (CVE-2024-21662)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2269479 - CVE-2023-50726 - Argo CD: Users with `create` but not `override` privileges can perform local sync
2270170 - CVE-2024-21652 - argo-cd: Bypassing Brute Force Protection via Application Crash and In-Memory Data Loss
2270173 - CVE-2024-21661 - argo-cd: Denial of Service Due to Unsafe Array Modification in Multi-threaded Environment
2270182 - CVE-2024-21662 - argo-cd: Bypassing Rate Limit and Brute Force Protection Using Cache Overflow
2272211 - CVE-2024-29893 - argo-cd: uncontrolled memory allocation vulnerability

6. Package List:

Red Hat OpenShift GitOps 1.10:

7. References:

https://access.redhat.com/security/cve/CVE-2023-50726
https://access.redhat.com/security/cve/CVE-2024-21652
https://access.redhat.com/security/cve/CVE-2024-21661
https://access.redhat.com/security/cve/CVE-2024-21662
https://access.redhat.com/security/cve/CVE-2024-29893
https://access.redhat.com/security/updates/classification/#important
https://docs.openshift.com/gitops/1.10/release_notes/gitops-release-notes.html
https://docs.openshift.com/gitops/1.10/understanding_openshift_gitops/about-redhat-openshift-gitops.html

- --------------------------END INCLUDED TEXT----------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made.
If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================