===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2024.2302
                VolSync 0.9.1 security fixes and enhancements
                                15 April 2024

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VolSync
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2024-24786
Original Bulletin:
   https://access.redhat.com/errata/RHSA-2024:1795

Comment: CVSS (Max):  5.9 CVE-2024-24786 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: VolSync 0.9.1 security fixes and enhancements
Advisory ID:       RHSA-2024:1795
Product:           Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9
Advisory URL:      https://access.redhat.com/errata/RHSA-2024:1795
Issue date:        2024-04-11
CVE Names:         CVE-2024-24786
=====================================================================

1. Summary:

VolSync v0.9.1 general availability release images, which provide
enhancements, security fixes, and updated container images.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9 - s390x, ppc64le, arm64, amd64

3. Description:

VolSync is a Kubernetes operator that enables asynchronous replication of
persistent volumes within a cluster, or across clusters. After deploying
the VolSync operator, it can create and maintain copies of your persistent
data.

For more information about VolSync, see:
https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.10/html/business_continuity/business-cont-overview#volsync
or the VolSync open source community website at:
https://volsync.readthedocs.io/en/stable/.

This advisory contains enhancements and updates to the VolSync container
images.

Security fix(es):

* CVE-2024-24786 - golang-protobuf: encoding/protojson,
  internal/encoding/json: infinite loop in protojson.Unmarshal when
  unmarshaling certain forms of invalid JSON

4. Solution:

For more details, see the Red Hat Advanced Cluster Management for
Kubernetes documentation:
https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.10/html/business_continuity/business-cont-overview#volsync

5. Bugs fixed (https://bugzilla.redhat.com/):

2268046 - CVE-2024-24786 - golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON

6. Package List:

Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9:

10:rhacm2/volsync-operator-bundle@sha256:1ccb89c024508d3ffea1d24ec536ddcfbba6d47200fa87052de354ef1bc127f9_amd64:
rhacm2/volsync-operator-bundle@sha256:1ccb89c024508d3ffea1d24ec536ddcfbba6d47200fa87052de354ef1bc127f9_amd64.rpm

10:rhacm2/volsync-rhel9@sha256:4a45e1e81d994cca51e8d9126029b7152f0fa4a39061549c52d2f8d88836358d_amd64:
rhacm2/volsync-rhel9@sha256:4a45e1e81d994cca51e8d9126029b7152f0fa4a39061549c52d2f8d88836358d_amd64.rpm

10:rhacm2/volsync-rhel9@sha256:abd52a1d65ab140fe084a5c2e7983075c6883f90252ccf4c8ff0cab62c0660a3_arm64:
rhacm2/volsync-rhel9@sha256:abd52a1d65ab140fe084a5c2e7983075c6883f90252ccf4c8ff0cab62c0660a3_arm64.rpm

10:rhacm2/volsync-rhel9@sha256:b6fd77aa55250a1a9173a6e069cc9ee20b58cacb449e56f6e02f017ef9f7a322_s390x:
rhacm2/volsync-rhel9@sha256:b6fd77aa55250a1a9173a6e069cc9ee20b58cacb449e56f6e02f017ef9f7a322_s390x.rpm

10:rhacm2/volsync-rhel9@sha256:d7b4f30ee489b4dd36cff82d5e0cb8190964aa1882ee80c65f1050e949ba7287_ppc64le:
rhacm2/volsync-rhel9@sha256:d7b4f30ee489b4dd36cff82d5e0cb8190964aa1882ee80c65f1050e949ba7287_ppc64le.rpm

7. References:

https://access.redhat.com/security/cve/CVE-2024-24786
https://access.redhat.com/security/updates/classification/#moderate

- --------------------------END INCLUDED TEXT----------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
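The package list in section 6 of the included advisory pins each fixed VolSync image to a sha256 digest, and the practical verification step is to confirm that the pods actually running in a cluster use one of those digests rather than an older image or an unpinned tag. The script below is an added example, not part of the AusCERT bulletin or the Red Hat advisory. The five digests are taken from the advisory's package list; the sample image references are constructed for illustration (the registry host is assumed), and the `VOLSYNC_NS` namespace must be supplied by the operator because the advisory does not state where VolSync is deployed.

```shell
#!/bin/sh
# Added example (not from the advisory): audit running container images against
# the fixed VolSync image digests listed in RHSA-2024:1795, section 6.

# Digests copied from the advisory's package list (operator bundle + volsync-rhel9
# for amd64, arm64, s390x, ppc64le). Extend this list if a later advisory supersedes it.
FIXED_DIGESTS="
1ccb89c024508d3ffea1d24ec536ddcfbba6d47200fa87052de354ef1bc127f9
4a45e1e81d994cca51e8d9126029b7152f0fa4a39061549c52d2f8d88836358d
abd52a1d65ab140fe084a5c2e7983075c6883f90252ccf4c8ff0cab62c0660a3
b6fd77aa55250a1a9173a6e069cc9ee20b58cacb449e56f6e02f017ef9f7a322
d7b4f30ee489b4dd36cff82d5e0cb8190964aa1882ee80c65f1050e949ba7287
"

# check_image IMAGE_REF
#   Prints one classification line and returns:
#     0 = digest matches a fixed image from the advisory
#     1 = pinned to a digest that is not in the fixed list (needs upgrade)
#     2 = not pinned by digest (tag only) or malformed digest; cannot be verified
# Handles both "repo@sha256:<hex>" and "docker-pullable://repo@sha256:<hex>" forms
# as reported in pod .status.containerStatuses[].imageID.
check_image() {
  ref="$1"
  digest="${ref##*@sha256:}"
  case "$digest" in
    "$ref"|"")          echo "unpinned:  $ref"; return 2 ;;   # no @sha256: present
    *[!0-9a-f]*)        echo "malformed: $ref"; return 2 ;;   # digest is not plain hex
  esac
  for d in $FIXED_DIGESTS; do
    if [ "$d" = "$digest" ]; then
      echo "patched:   $ref"; return 0
    fi
  done
  echo "unpatched: $ref"; return 1
}

# count_unpatched
#   Reads image references from stdin (one per line), writes each classification
#   to stderr, and prints the number of references that could NOT be confirmed
#   as fixed (unpatched + unpinned + malformed) to stdout.
count_unpatched() {
  bad=0
  while IFS= read -r img; do
    [ -n "$img" ] || continue
    check_image "$img" >&2 || bad=$((bad + 1))
  done
  printf '%s\n' "$bad"
}

# Constructed sample input (assumed registry host): one fixed image, one stale
# digest, one tag-only reference that cannot be verified.
SAMPLE_IMAGES="registry.redhat.io/rhacm2/volsync-rhel9@sha256:4a45e1e81d994cca51e8d9126029b7152f0fa4a39061549c52d2f8d88836358d
registry.redhat.io/rhacm2/volsync-rhel9@sha256:0000000000000000000000000000000000000000000000000000000000000000
registry.redhat.io/rhacm2/volsync-rhel9:latest"

if [ "${1:-}" = "--live" ]; then
  # Live mode: pull imageIDs from the namespace named in VOLSYNC_NS (operator-supplied).
  NS="${VOLSYNC_NS:?set VOLSYNC_NS to the namespace where VolSync runs}"
  kubectl get pods -n "$NS" \
    -o jsonpath='{range .items[*]}{range .status.containerStatuses[*]}{.imageID}{"\n"}{end}{end}' \
    | count_unpatched
else
  # Offline demonstration on the constructed sample; expected count is 2.
  printf '%s\n' "$SAMPLE_IMAGES" | count_unpatched
fi
```

Run it with `--live` and `VOLSYNC_NS` set to audit a real cluster; a printed count of 0 means every VolSync container is pinned to one of the advisory's digests. The check deliberately treats tag-only references as unverified rather than patched, since a mutable tag can resolve to an older image than the advisory describes.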