===========================================================================
             AUSCERT External Security Bulletin Redistribution             
                                                                           
                               ESB-2024.2094                               
   Errata Advisory for Red Hat OpenShift GitOps v1.10.4 security update    
                               9 April 2024                                
                                                                           
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat OpenShift GitOps v1.10.4                        
Publisher:         Red Hat                                                 
Operating System:  Red Hat                                                 
Resolution:        Patch/Upgrade                                           
CVE Names:         CVE-2023-50726 CVE-2024-21652 CVE-2024-21661            
                   CVE-2024-21662 CVE-2024-29893                           

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2024:1700

Comment: CVSS (Max):  7.5 CVE-2024-21661 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: Red Hat                                              
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


- --------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                Red Hat Security Advisory

Synopsis:          Important: Errata Advisory for Red Hat OpenShift
                   GitOps v1.10.4 security update
Advisory ID:       RHSA-2024:1700
Product:           Red Hat OpenShift GitOps 1.10
Advisory URL:      https://access.redhat.com/errata/RHSA-2024:1700
Issue date:        2024-04-08
CVE Names:         CVE-2023-50726 CVE-2024-21652 CVE-2024-21661 CVE-2024-21662
                   CVE-2024-29893
=====================================================================

1. Summary:

An update is now available for Red Hat OpenShift GitOps v1.10.4. Red Hat
Product Security has rated this update as having a security impact of Important.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed
severity rating, is available for each vulnerability from the CVE link(s) in the
References section.

2. Relevant releases/architectures:

Red Hat OpenShift GitOps 1.10 - amd64, arm64, ppc64le, s390x 

3. Description:

Errata Advisory for Red Hat OpenShift GitOps v1.10.4.

Security Fix(es):

* argo-cd: Denial of Service Due to Unsafe Array Modification in Multi-threaded
Environment (CVE-2024-21661)

* argo-cd: Users with `create` but not `override` privileges can perform local
sync (CVE-2023-50726)

* argo-cd: Bypassing Brute Force Protection via Application Crash and In-Memory
Data Loss (CVE-2024-21652)

* argo-cd: uncontrolled resource consumption vulnerability (CVE-2024-29893)

* argo-cd: Bypassing Rate Limit and Brute Force Protection Using Cache
Overflow (CVE-2024-21662)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2269479 - CVE-2023-50726 - Argo CD: Users with `create` but not `override`
privileges can perform local sync
2270170 - CVE-2024-21652 - argo-cd: Bypassing Brute Force Protection via
Application Crash and In-Memory Data Loss
2270173 - CVE-2024-21661 - argo-cd: Denial of Service Due to Unsafe Array
Modification in Multi-threaded Environment
2270182 - CVE-2024-21662 - argo-cd: Bypassing Rate Limit and Brute Force
Protection Using Cache Overflow
2272211 - CVE-2024-29893 - argo-cd: uncontrolled memory allocation vulnerability

6. Package List:

Red Hat OpenShift GitOps 1.10

10:openshift-gitops-1/argo-rollouts-rhel8@sha256:46cc90ff5d8e3be71bca64d8e9828eed5192a1f5977e56cd30532525f3b6a7e3_ppc64le:
openshift-gitops-1/argo-rollouts-rhel8@sha256:46cc90ff5d8e3be71bca64d8e9828eed5192a1f5977e56cd30532525f3b6a7e3_ppc64le.rpm

10:openshift-gitops-1/argo-rollouts-rhel8@sha256:54d08845092953eb90563447db6061d0db9b414ae20b2fe88d725d9d0bf9e3e8_arm64:
openshift-gitops-1/argo-rollouts-rhel8@sha256:54d08845092953eb90563447db6061d0db9b414ae20b2fe88d725d9d0bf9e3e8_arm64.rpm

10:openshift-gitops-1/argo-rollouts-rhel8@sha256:6a57219d4878ddb4678b2fc2312e728e6656ab11f976798de055855a280c3f32_amd64:
openshift-gitops-1/argo-rollouts-rhel8@sha256:6a57219d4878ddb4678b2fc2312e728e6656ab11f976798de055855a280c3f32_amd64.rpm

10:openshift-gitops-1/argo-rollouts-rhel8@sha256:8fb5db95ab144d9615f54de90784eddff20866f0737a0c8e518c9a0cd0d563c4_s390x:
openshift-gitops-1/argo-rollouts-rhel8@sha256:8fb5db95ab144d9615f54de90784eddff20866f0737a0c8e518c9a0cd0d563c4_s390x.rpm

10:openshift-gitops-1/argocd-rhel8@sha256:065bf5f9e34cc22a1fbb6414c595910528bfc1742128a71880fd26118cab9c65_arm64:
openshift-gitops-1/argocd-rhel8@sha256:065bf5f9e34cc22a1fbb6414c595910528bfc1742128a71880fd26118cab9c65_arm64.rpm

10:openshift-gitops-1/argocd-rhel8@sha256:5699abd15b15bab2581fb5068a4492d24ecf6e82825b9538f63145f2c8f6356a_amd64:
openshift-gitops-1/argocd-rhel8@sha256:5699abd15b15bab2581fb5068a4492d24ecf6e82825b9538f63145f2c8f6356a_amd64.rpm

10:openshift-gitops-1/argocd-rhel8@sha256:d1fd491fde2306ac80e048721fdf71cf6f3c07cb622f8c2baf89361490cb48eb_ppc64le:
openshift-gitops-1/argocd-rhel8@sha256:d1fd491fde2306ac80e048721fdf71cf6f3c07cb622f8c2baf89361490cb48eb_ppc64le.rpm

10:openshift-gitops-1/argocd-rhel8@sha256:e8a2bd1bc3c635e274263a2c2dfbec269ad3457ff724acf4d3955795c03fd342_s390x:
openshift-gitops-1/argocd-rhel8@sha256:e8a2bd1bc3c635e274263a2c2dfbec269ad3457ff724acf4d3955795c03fd342_s390x.rpm

10:openshift-gitops-1/console-plugin-rhel8@sha256:11ba1b269f55ffe9fde39d911f6ac8d2efc58523b02642178cc4dc05b0530775_arm64:
openshift-gitops-1/console-plugin-rhel8@sha256:11ba1b269f55ffe9fde39d911f6ac8d2efc58523b02642178cc4dc05b0530775_arm64.rpm

10:openshift-gitops-1/console-plugin-rhel8@sha256:18bbb5cd8c229f1d42ef2226d3cb790e1174929bdd6c00be150345872873e881_ppc64le:
openshift-gitops-1/console-plugin-rhel8@sha256:18bbb5cd8c229f1d42ef2226d3cb790e1174929bdd6c00be150345872873e881_ppc64le.rpm

10:openshift-gitops-1/console-plugin-rhel8@sha256:527f500b8a50923d4ffc1b3b41718f1fec79b72896f3988fbf7fdc2b2fe9396b_amd64:
openshift-gitops-1/console-plugin-rhel8@sha256:527f500b8a50923d4ffc1b3b41718f1fec79b72896f3988fbf7fdc2b2fe9396b_amd64.rpm

10:openshift-gitops-1/console-plugin-rhel8@sha256:d3ac1434e9ed67672412e8bc34c86d6cdd923df03cd53fd7db276f4a217e977e_s390x:
openshift-gitops-1/console-plugin-rhel8@sha256:d3ac1434e9ed67672412e8bc34c86d6cdd923df03cd53fd7db276f4a217e977e_s390x.rpm

10:openshift-gitops-1/dex-rhel8@sha256:15170b76ccc5bc579cd83b42203c06c8acc9c21650354b3f2242bb9dfe0991a1_ppc64le:
openshift-gitops-1/dex-rhel8@sha256:15170b76ccc5bc579cd83b42203c06c8acc9c21650354b3f2242bb9dfe0991a1_ppc64le.rpm

10:openshift-gitops-1/dex-rhel8@sha256:229bcd4a16087125c39dafe272a6f11de4a10992a5e40f86dd70e9e0c559454d_s390x:
openshift-gitops-1/dex-rhel8@sha256:229bcd4a16087125c39dafe272a6f11de4a10992a5e40f86dd70e9e0c559454d_s390x.rpm

10:openshift-gitops-1/dex-rhel8@sha256:5fa29842159465bffc0318152991562659b9925d904219d341fa1a7ae499b4c4_amd64:
openshift-gitops-1/dex-rhel8@sha256:5fa29842159465bffc0318152991562659b9925d904219d341fa1a7ae499b4c4_amd64.rpm

10:openshift-gitops-1/dex-rhel8@sha256:d692fbb1df809ecf83ed074c9b29cd3882590f88dcf8a4baa94553dd48749468_arm64:
openshift-gitops-1/dex-rhel8@sha256:d692fbb1df809ecf83ed074c9b29cd3882590f88dcf8a4baa94553dd48749468_arm64.rpm

10:openshift-gitops-1/gitops-operator-bundle@sha256:caae910cb099a74d24e3eab649231240bbb2064c8dcb059efeec5cd25b78602e_amd64:
openshift-gitops-1/gitops-operator-bundle@sha256:caae910cb099a74d24e3eab649231240bbb2064c8dcb059efeec5cd25b78602e_amd64.rpm

10:openshift-gitops-1/gitops-rhel8-operator@sha256:08b0db82840cec96793eae5997fa38798cfedd5f97ae98087b48c67c48f8a10b_ppc64le:
openshift-gitops-1/gitops-rhel8-operator@sha256:08b0db82840cec96793eae5997fa38798cfedd5f97ae98087b48c67c48f8a10b_ppc64le.rpm

10:openshift-gitops-1/gitops-rhel8-operator@sha256:809dfe55f788fed0e4359416b0342d079030235a30148c6c1a5b301e1eae236c_amd64:
openshift-gitops-1/gitops-rhel8-operator@sha256:809dfe55f788fed0e4359416b0342d079030235a30148c6c1a5b301e1eae236c_amd64.rpm

10:openshift-gitops-1/gitops-rhel8-operator@sha256:cd2c0d4339fc02879008d31cffeb4af8f5153af59f075416b1dad7cf341d0444_arm64:
openshift-gitops-1/gitops-rhel8-operator@sha256:cd2c0d4339fc02879008d31cffeb4af8f5153af59f075416b1dad7cf341d0444_arm64.rpm

10:openshift-gitops-1/gitops-rhel8-operator@sha256:d71e522331b9f623f2f3d7d7d44203d757494e71fa7a7de714651345638e3ad5_s390x:
openshift-gitops-1/gitops-rhel8-operator@sha256:d71e522331b9f623f2f3d7d7d44203d757494e71fa7a7de714651345638e3ad5_s390x.rpm

10:openshift-gitops-1/gitops-rhel8@sha256:2e9b3f4392115dde520fcd4850cbc5ec144b3eff1d979cb0a6b246a601621e33_arm64:
openshift-gitops-1/gitops-rhel8@sha256:2e9b3f4392115dde520fcd4850cbc5ec144b3eff1d979cb0a6b246a601621e33_arm64.rpm

10:openshift-gitops-1/gitops-rhel8@sha256:301fdc294a4d8fd99b76554117d063a3533007649c3883838fbebe84bcd80df8_s390x:
openshift-gitops-1/gitops-rhel8@sha256:301fdc294a4d8fd99b76554117d063a3533007649c3883838fbebe84bcd80df8_s390x.rpm

10:openshift-gitops-1/gitops-rhel8@sha256:3a023dd599791a30efb76f1877ec37302fc00f07370c1dfd0b44c7024deb0af8_ppc64le:
openshift-gitops-1/gitops-rhel8@sha256:3a023dd599791a30efb76f1877ec37302fc00f07370c1dfd0b44c7024deb0af8_ppc64le.rpm

10:openshift-gitops-1/gitops-rhel8@sha256:b2bab868a601143131434349afbe77f3d31023c1f8d48419c8846e2013c44b26_amd64:
openshift-gitops-1/gitops-rhel8@sha256:b2bab868a601143131434349afbe77f3d31023c1f8d48419c8846e2013c44b26_amd64.rpm

10:openshift-gitops-1/kam-delivery-rhel8@sha256:2a8b7da525a1095cc82e8be9cae1799694227c05c98f86ef5795d5e140556603_s390x:
openshift-gitops-1/kam-delivery-rhel8@sha256:2a8b7da525a1095cc82e8be9cae1799694227c05c98f86ef5795d5e140556603_s390x.rpm

10:openshift-gitops-1/kam-delivery-rhel8@sha256:3fab5ec91594d33ef9f06c310dc374b5c36a5e976a28f6c99e4c0e6418d9e499_arm64:
openshift-gitops-1/kam-delivery-rhel8@sha256:3fab5ec91594d33ef9f06c310dc374b5c36a5e976a28f6c99e4c0e6418d9e499_arm64.rpm

10:openshift-gitops-1/kam-delivery-rhel8@sha256:5842940f4651c37f2914d606272598b42f9668b189d8dfd69607a8c9ce69ed59_ppc64le:
openshift-gitops-1/kam-delivery-rhel8@sha256:5842940f4651c37f2914d606272598b42f9668b189d8dfd69607a8c9ce69ed59_ppc64le.rpm

10:openshift-gitops-1/kam-delivery-rhel8@sha256:edf33e8a2678cfe91b942c0e8e096a0cc1ce2d0e329540c30a45f84a33c8f318_amd64:
openshift-gitops-1/kam-delivery-rhel8@sha256:edf33e8a2678cfe91b942c0e8e096a0cc1ce2d0e329540c30a45f84a33c8f318_amd64.rpm

10:openshift-gitops-1/must-gather-rhel8@sha256:5d394094da851d055c2c44788cc5114e456e1d6f4be01170b20d8f30b5e781e1_ppc64le:
openshift-gitops-1/must-gather-rhel8@sha256:5d394094da851d055c2c44788cc5114e456e1d6f4be01170b20d8f30b5e781e1_ppc64le.rpm

10:openshift-gitops-1/must-gather-rhel8@sha256:76d564acd106a6a1a7bd7522a7e63d9f77e5e4d9b4a823744328a6e19e9cc06a_s390x:
openshift-gitops-1/must-gather-rhel8@sha256:76d564acd106a6a1a7bd7522a7e63d9f77e5e4d9b4a823744328a6e19e9cc06a_s390x.rpm

10:openshift-gitops-1/must-gather-rhel8@sha256:94db2da6653de641ec792944bd27e7e8bc0faa6a1621a9d3f3c2fdbf1e42478c_arm64:
openshift-gitops-1/must-gather-rhel8@sha256:94db2da6653de641ec792944bd27e7e8bc0faa6a1621a9d3f3c2fdbf1e42478c_arm64.rpm

10:openshift-gitops-1/must-gather-rhel8@sha256:f023473103d2a54daad783d4f479f79f8a2d7db78a5bab1781c19b9e250cf4db_amd64:
openshift-gitops-1/must-gather-rhel8@sha256:f023473103d2a54daad783d4f479f79f8a2d7db78a5bab1781c19b9e250cf4db_amd64.rpm
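The package list above pins every GitOps 1.10.4 image by content digest, which is what a defender can actually check on a cluster: a running image either carries one of those digests or it does not. The following is an added example, not part of the advisory and not Red Hat's tooling. It parses the package list in the form the bulletin prints it (entries separated by blank lines, with digests possibly wrapped across lines), rejects any entry whose key and value digests disagree, and then classifies a set of running image references against the fixed digests. The package-list excerpt is two amd64 entries copied from the list above; the running image references are constructed samples, and the `registry.redhat.io` host prefix and the `oc` command in the usage note are assumptions about a typical OpenShift deployment.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the advisory's "6. Package List" section, kept in the
# 80-column wrapped form the bulletin uses. Digests are copied from the advisory.
ADVISORY_PACKAGE_LIST = """\
10:openshift-gitops-1/argocd-rhel8@sha256:5699abd15b15bab2581fb5068a4492d24ecf6e
82825b9538f63145f2c8f6356a_amd64:
openshift-gitops-1/argocd-rhel8@sha256:5699abd15b15bab2581fb5068a4492d24ecf6e828
25b9538f63145f2c8f6356a_amd64.rpm

10:openshift-gitops-1/dex-rhel8@sha256:5fa29842159465bffc0318152991562659b9925d9
04219d341fa1a7ae499b4c4_amd64:
openshift-gitops-1/dex-rhel8@sha256:5fa29842159465bffc0318152991562659b9925d9042
19d341fa1a7ae499b4c4_amd64.rpm
"""

# One re-joined entry: "<epoch>:<image>@sha256:<digest>_<arch>:<image>@sha256:<digest>_<arch>.rpm"
ENTRY_RE = re.compile(
    r"^(?:\d+:)?(?P<image>[^@\s]+)@sha256:(?P<digest>[0-9a-f]{64})_(?P<arch>[a-z0-9]+):"
    r"(?P<value>[^@\s]+)@sha256:(?P<vdigest>[0-9a-f]{64})_(?P<varch>[a-z0-9]+)\.rpm$"
)

# A digest-pinned image reference as a container runtime reports it.
REF_RE = re.compile(r"^(?P<repo>[^@\s]+)@sha256:(?P<digest>[0-9a-f]{64})$")


def parse_package_list(text: str) -> Dict[Tuple[str, str], str]:
    """Map (image path, architecture) -> fixed digest.

    Entries are blank-line separated and may be wrapped, so each block is joined
    back into one line before matching. Works on unwrapped lists as well. An entry
    whose key and value halves disagree is rejected rather than silently trusted.
    """
    fixed: Dict[Tuple[str, str], str] = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        joined = "".join(line.strip() for line in block.splitlines())
        m = ENTRY_RE.match(joined)
        if m is None:
            raise ValueError(f"unparseable package entry: {joined[:60]}...")
        if (m["digest"], m["arch"], m["image"]) != (m["vdigest"], m["varch"], m["value"]):
            raise ValueError(f"inconsistent key/value halves for {m['image']}")
        fixed[(m["image"], m["arch"])] = m["digest"]
    return fixed


def strip_registry(repo: str) -> str:
    """Drop a leading registry host (contains '.' or ':') so the path matches the advisory."""
    parts = repo.split("/")
    if len(parts) > 2 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        parts = parts[1:]
    return "/".join(parts)


def check_deployed(refs: List[str], fixed: Dict[Tuple[str, str], str], arch: str) -> Dict[str, str]:
    """Classify each running image reference against the advisory's fixed digests.

    Returns ref -> "fixed" | "not-fixed" | "unpinned" | "not-in-advisory".
    A tag-only reference is reported as "unpinned": without a digest there is no
    way to prove it is the patched build, so it needs manual follow-up.
    """
    result: Dict[str, str] = {}
    for ref in refs:
        m = REF_RE.match(ref)
        if m is None:
            result[ref] = "unpinned"
            continue
        key = (strip_registry(m["repo"]), arch)
        if key not in fixed:
            result[ref] = "not-in-advisory"
        elif fixed[key] == m["digest"]:
            result[ref] = "fixed"
        else:
            result[ref] = "not-fixed"
    return result


ARGOCD_FIXED = "5699abd15b15bab2581fb5068a4492d24ecf6e82825b9538f63145f2c8f6356a"

# Constructed sample of what a cluster might be running (registry host assumed).
SAMPLE_RUNNING_IMAGES = [
    "registry.redhat.io/openshift-gitops-1/argocd-rhel8@sha256:" + ARGOCD_FIXED,  # at the fixed digest
    "registry.redhat.io/openshift-gitops-1/dex-rhel8@sha256:" + "deadbeef" * 8,   # constructed stale digest
    "registry.redhat.io/openshift-gitops-1/argocd-rhel8:v1.9.0",                  # constructed tag reference
    "quay.io/example/sidecar@sha256:" + "ab" * 32,                                # constructed, unrelated image
]

if __name__ == "__main__":
    fixed_digests = parse_package_list(ADVISORY_PACKAGE_LIST)
    for image_ref, status in check_deployed(SAMPLE_RUNNING_IMAGES, fixed_digests, "amd64").items():
        print(f"{status:16} {image_ref}")
```

In practice the list of running references would come from the cluster rather than a constant, for example from `oc get pods -n openshift-gitops -o jsonpath='{.items[*].status.containerStatuses[*].imageID}'`, which on OpenShift typically yields the `repo@sha256:digest` form the checker expects; the full package list above would be fed in as the advisory text, and any image classified as `not-fixed` or `unpinned` is one the update has not reached.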

7. References:

https://access.redhat.com/security/cve/CVE-2023-50726
https://access.redhat.com/security/cve/CVE-2024-21652
https://access.redhat.com/security/cve/CVE-2024-21661
https://access.redhat.com/security/cve/CVE-2024-21662
https://access.redhat.com/security/cve/CVE-2024-29893
https://access.redhat.com/security/updates/classification/#important
https://docs.openshift.com/gitops/1.10/release_notes/gitops-release-notes.html
https://docs.openshift.com/gitops/1.10/understanding_openshift_gitops/about-redhat-openshift-gitops.html

- --------------------------END INCLUDED TEXT----------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================