===========================================================================
             AUSCERT External Security Bulletin Redistribution             
                                                                           
                               ESB-2024.2302                               
               VolSync 0.9.1 security fixes and enhancements               
                               15 April 2024                               
                                                                           
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VolSync                                                 
Publisher:         Red Hat                                                 
Operating System:  Red Hat                                                 
Resolution:        Patch/Upgrade                                           
CVE Names:         CVE-2024-24786                                          

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2024:1795

Comment: CVSS (Max):  5.9 CVE-2024-24786 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: Red Hat                                              
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H


- --------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                Red Hat Security Advisory

Synopsis:          Moderate: VolSync 0.9.1 security fixes and
                   enhancements
Advisory ID:       RHSA-2024:1795
Product:           Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9
Advisory URL:      https://access.redhat.com/errata/RHSA-2024:1795
Issue date:        2024-04-11
CVE Names:         CVE-2024-24786
=====================================================================

1. Summary:

VolSync v0.9.1 general availability release images, which provide
enhancements, security fixes, and updated container images.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9 - s390x,
ppc64le, arm64, amd64

3. Description:

VolSync is a Kubernetes operator that enables asynchronous replication of
persistent volumes within a cluster, or across clusters. After deploying
the VolSync operator, it can create and maintain copies of your persistent
data.

For more information about VolSync, see:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.10/html/business_continuity/business-cont-overview#volsync

or the VolSync open source community website at:
https://volsync.readthedocs.io/en/stable/.

This advisory contains enhancements and updates to the VolSync
container images.

Security fix(es):
* CVE-2024-24786 - golang-protobuf: encoding/protojson, internal/encoding/json:
infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid
JSON
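
As an added example that is not part of the Red Hat advisory or the VolSync project: a small Go program that reads `go version -m` output for a Go binary (for instance the operator binary extracted from one of the container images listed in this advisory) and reports whether the embedded google.golang.org/protobuf module, the component named in CVE-2024-24786, is older than the patched release. The patched version is not stated in this bulletin, so the program takes it as a command-line argument rather than hard-coding it. The embedded sample output, the module path github.com/example/volsync and the h1: hashes are constructed for this example.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Constructed sample of `go version -m <binary>` output. The module path,
// versions and h1: hashes are made up for this example.
const sampleGoVersionOutput = `/usr/local/bin/manager: go1.21.8
	path	github.com/example/volsync
	mod	github.com/example/volsync	(devel)
	dep	google.golang.org/protobuf	v1.31.0	h1:CONSTRUCTEDHASH=
	dep	k8s.io/client-go	v0.28.4	h1:CONSTRUCTEDHASH=
`

// protobufModule is the Go module named in CVE-2024-24786.
const protobufModule = "google.golang.org/protobuf"

type semver struct {
	major, minor, patch int
	pre                 bool // true for pre-release versions such as v1.2.0-rc1
}

// parseSemver parses "v1.31.0", "1.31.0" or "v1.32.0-rc1"; build metadata
// after "+" is ignored, as the semver spec requires.
func parseSemver(v string) (semver, error) {
	s := strings.TrimPrefix(v, "v")
	base, pre, _ := strings.Cut(s, "-")
	if i := strings.Index(base, "+"); i >= 0 {
		base = base[:i]
	}
	parts := strings.Split(base, ".")
	if len(parts) != 3 {
		return semver{}, fmt.Errorf("malformed version %q", v)
	}
	var n [3]int
	for i, p := range parts {
		x, err := strconv.Atoi(p)
		if err != nil || x < 0 {
			return semver{}, fmt.Errorf("malformed version %q", v)
		}
		n[i] = x
	}
	return semver{n[0], n[1], n[2], pre != ""}, nil
}

// less reports whether a sorts before b; a pre-release is older than the
// release with the same numbers.
func less(a, b semver) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	if a.patch != b.patch {
		return a.patch < b.patch
	}
	return a.pre && !b.pre
}

// CheckProtobuf scans `go version -m` output for the protobuf dependency and
// reports the version found ("" if absent) and whether it is older than
// fixedVersion. A "=>" replace line directly after the dep line overrides the
// version, because that is the module actually compiled into the binary.
func CheckProtobuf(output, fixedVersion string) (found string, vulnerable bool, err error) {
	fixed, err := parseSemver(fixedVersion)
	if err != nil {
		return "", false, err
	}
	lines := strings.Split(output, "\n")
	for i, line := range lines {
		f := strings.Fields(line)
		if len(f) < 3 || (f[0] != "dep" && f[0] != "mod") || f[1] != protobufModule {
			continue
		}
		version := f[2]
		if i+1 < len(lines) {
			if r := strings.Fields(lines[i+1]); len(r) >= 3 && r[0] == "=>" {
				version = r[2]
			}
		}
		got, err := parseSemver(version)
		if err != nil {
			return version, false, err
		}
		return version, less(got, fixed), nil
	}
	return "", false, nil
}

func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: protocheck <patched-protobuf-version> [go-version-m-output.txt]")
		os.Exit(2)
	}
	output := sampleGoVersionOutput // falls back to the constructed sample
	if len(os.Args) > 2 {
		data, err := os.ReadFile(os.Args[2])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		output = string(data)
	}
	found, vuln, err := CheckProtobuf(output, os.Args[1])
	switch {
	case err != nil:
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(2)
	case found == "":
		fmt.Println(protobufModule, "not present in binary")
	case vuln:
		fmt.Printf("%s %s is older than %s: update required\n", protobufModule, found, os.Args[1])
		os.Exit(1)
	default:
		fmt.Printf("%s %s is at or above %s\n", protobufModule, found, os.Args[1])
	}
}
```

The check relies on the build information that the Go toolchain embeds in every module-built binary, which `go version -m` prints; that makes it possible to inventory vendored Go modules in a shipped container image without access to its source tree. Take the patched version from the vendor's CVE page rather than guessing it, and treat a non-zero exit as a signal to roll the image forward.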

4. Solution:

For more details, see the Red Hat Advanced Cluster Management for Kubernetes
documentation:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.10/html/business_continuity/business-cont-overview#volsync

5. Bugs fixed (https://bugzilla.redhat.com/):

2268046 - CVE-2024-24786 - golang-protobuf: encoding/protojson,
internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling
certain forms of invalid JSON

6. Package List:

Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9

10:rhacm2/volsync-operator-bundle@sha256:1ccb89c024508d3ffea1d24ec536ddcfbba6d47200fa87052de354ef1bc127f9_amd64:
rhacm2/volsync-operator-bundle@sha256:1ccb89c024508d3ffea1d24ec536ddcfbba6d47200fa87052de354ef1bc127f9_amd64.rpm

10:rhacm2/volsync-rhel9@sha256:4a45e1e81d994cca51e8d9126029b7152f0fa4a39061549c52d2f8d88836358d_amd64:
rhacm2/volsync-rhel9@sha256:4a45e1e81d994cca51e8d9126029b7152f0fa4a39061549c52d2f8d88836358d_amd64.rpm

10:rhacm2/volsync-rhel9@sha256:abd52a1d65ab140fe084a5c2e7983075c6883f90252ccf4c8ff0cab62c0660a3_arm64:
rhacm2/volsync-rhel9@sha256:abd52a1d65ab140fe084a5c2e7983075c6883f90252ccf4c8ff0cab62c0660a3_arm64.rpm

10:rhacm2/volsync-rhel9@sha256:b6fd77aa55250a1a9173a6e069cc9ee20b58cacb449e56f6e02f017ef9f7a322_s390x:
rhacm2/volsync-rhel9@sha256:b6fd77aa55250a1a9173a6e069cc9ee20b58cacb449e56f6e02f017ef9f7a322_s390x.rpm

10:rhacm2/volsync-rhel9@sha256:d7b4f30ee489b4dd36cff82d5e0cb8190964aa1882ee80c65f1050e949ba7287_ppc64le:
rhacm2/volsync-rhel9@sha256:d7b4f30ee489b4dd36cff82d5e0cb8190964aa1882ee80c65f1050e949ba7287_ppc64le.rpm

7. References:

https://access.redhat.com/security/cve/CVE-2024-24786
https://access.redhat.com/security/updates/classification/#moderate

- --------------------------END INCLUDED TEXT----------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================