===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2024.2314
  Custom Metrics Autoscaler Operator for Red Hat OpenShift 2.12.1-376 Bug Fixes
                               16 April 2024
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Custom Metrics Autoscaler Operator for Red Hat OpenShift
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-47108 CVE-2024-28180 CVE-2023-39326

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2024:1812

Comment: CVSS (Max):  7.5 CVE-2023-47108 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: Red Hat
         Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Custom Metrics Autoscaler Operator for Red Hat OpenShift 2.12.1-376 Bug Fixes
Advisory ID:       RHSA-2024:1812
Product:           OpenShift Custom Metrics Autoscaler 2
Advisory URL:      https://access.redhat.com/errata/RHSA-2024:1812
Issue date:        2024-04-15
CVE Names:         CVE-2023-39326 CVE-2023-47108 CVE-2024-28180
=====================================================================

1. Summary:

Custom Metrics Autoscaler Operator for Red Hat OpenShift, including security updates.

The following updates for the Custom Metric Autoscaler operator for Red Hat OpenShift are now available:

* custom-metrics-autoscaler-adapter-container
* custom-metrics-autoscaler-admission-webhooks-container
* custom-metrics-autoscaler-container
* custom-metrics-autoscaler-operator-bundle-container
* custom-metrics-autoscaler-operator-container

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

OpenShift Custom Metrics Autoscaler 2 - amd64

3. Description:

The Custom Metrics Autoscaler Operator for Red Hat OpenShift is an optional operator, based on the Kubernetes Event Driven Autoscaler (KEDA), which allows workloads to be scaled using additional metrics sources other than pod metrics.

This release builds upon updated compiler, runtime library, and base images for the purpose of resolving any potential security issues present in previous toolset versions. This version makes use of newer tools and libraries to address the following issues:

* golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests (CVE-2023-39326)
* jose-go: improper handling of highly compressed data (CVE-2024-28180)
* opentelemetry-go-contrib: DoS vulnerability in otelgrpc due to unbound cardinality metrics (CVE-2023-47108)

In addition, the following bug has been fixed:

* Custom metrics operator memory leak when an invalid scaledObject is defined (prometheus scaler)

This release is based upon KEDA 2.12.1.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2253330 - CVE-2023-39326 - golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests
2251198 - CVE-2023-47108 - opentelemetry-go-contrib: DoS vulnerability in otelgrpc due to unbound cardinality metrics
2268854 - CVE-2024-28180 - jose-go: improper handling of highly compressed data

6.
Package List:

OpenShift Custom Metrics Autoscaler 2

7.
References:

https://access.redhat.com/security/cve/CVE-2023-39326
https://access.redhat.com/security/cve/CVE-2023-47108
https://access.redhat.com/security/cve/CVE-2024-28180
https://access.redhat.com/security/updates/classification/#moderate

- --------------------------END INCLUDED TEXT----------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

    https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================