===========================================================================
             AUSCERT External Security Bulletin Redistribution             
                                                                           
                               ESB-2024.2314                               
  Custom Metrics Autoscaler Operator for Red Hat OpenShift 2.12.1-376 Bug  
                                   Fixes                                   
                               16 April 2024                               
                                                                           
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Custom Metrics Autoscaler Operator for Red Hat OpenShift
Publisher:         Red Hat                                                 
Operating System:  Red Hat                                                 
Resolution:        Patch/Upgrade                                           
CVE Names:         CVE-2023-47108 CVE-2024-28180 CVE-2023-39326            

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2024:1812

Comment: CVSS (Max):  7.5 CVE-2023-47108 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: Red Hat                                              
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


- --------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                Red Hat Security Advisory

Synopsis:          Moderate: Custom Metrics Autoscaler Operator for
                   Red Hat OpenShift 2.12.1-376 Bug Fixes
Advisory ID:       RHSA-2024:1812
Product:           OpenShift Custom Metrics Autoscaler 2
Advisory URL:      https://access.redhat.com/errata/RHSA-2024:1812
Issue date:        2024-04-15
CVE Names:         CVE-2023-39326 CVE-2023-47108 CVE-2024-28180
=====================================================================

1. Summary:

An update for the Custom Metrics Autoscaler Operator for Red Hat OpenShift is
now available, including security updates.

The following updates for the Custom Metrics Autoscaler Operator for Red Hat
OpenShift are now available:

* custom-metrics-autoscaler-adapter-container
* custom-metrics-autoscaler-admission-webhooks-container
* custom-metrics-autoscaler-container
* custom-metrics-autoscaler-operator-bundle-container
* custom-metrics-autoscaler-operator-container

Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

OpenShift Custom Metrics Autoscaler 2 - amd64 

3. Description:

The Custom Metrics Autoscaler Operator for Red Hat OpenShift is an optional
operator, based on the Kubernetes Event Driven Autoscaler (KEDA), which allows
workloads to be scaled using additional metrics sources other than pod metrics.
This release is built with an updated compiler, runtime library, and base
images in order to resolve security issues present in the previous toolset
versions.

This version makes use of newer tools and libraries to address the following
issues:

* golang: net/http/internal: Denial of Service (DoS) via Resource Consumption
  via HTTP requests (CVE-2023-39326)
* jose-go: improper handling of highly compressed data (CVE-2024-28180)
* opentelemetry-go-contrib: DoS vulnerability in otelgrpc due to unbound
  cardinality metrics (CVE-2023-47108)

In addition, the following bug has been fixed:

* Custom metrics operator memory leak when an invalid ScaledObject is defined
  (Prometheus scaler)

This release is based upon KEDA 2.12.1.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2253330 - CVE-2023-39326 - golang: net/http/internal: Denial of Service (DoS)
via Resource Consumption via HTTP requests
2251198 - CVE-2023-47108 - opentelemetry-go-contrib: DoS vulnerability in
otelgrpc due to unbound cardinality metrics
2268854 - CVE-2024-28180 - jose-go: improper handling of highly compressed data 

6. Package List:

OpenShift Custom Metrics Autoscaler 2

8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel8@sha256:4dd04c7c5b5fb1aeb50ac9cd52cce2b7be8eb69bddf460e98ee97849fddb1756_amd64:
custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel8@sha256:4dd04c7c5b5fb1aeb50ac9cd52cce2b7be8eb69bddf460e98ee97849fddb1756_amd64.rpm

8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel8@sha256:902b54fc0dad9ceefa86752585e37788c47ae08423109b8c572966a56e29de18_amd64:
custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel8@sha256:902b54fc0dad9ceefa86752585e37788c47ae08423109b8c572966a56e29de18_amd64.rpm

8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:0352167d7c1b00293d9e855c37339f52b3f445a3b388ba0e95e813c5e3a40ddc_amd64:
custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:0352167d7c1b00293d9e855c37339f52b3f445a3b388ba0e95e813c5e3a40ddc_amd64.rpm

8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8-operator@sha256:4c2b8009baf3e0424a3504f9bc49fc9342608fcd350afb2fbff2c9568e5f68da_amd64:
custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8-operator@sha256:4c2b8009baf3e0424a3504f9bc49fc9342608fcd350afb2fbff2c9568e5f68da_amd64.rpm

8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8@sha256:af913191f4a7273f29545f64012cea08e2c35296d4e3e3b10c8358feb4c425bd_amd64:
custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8@sha256:af913191f4a7273f29545f64012cea08e2c35296d4e3e3b10c8358feb4c425bd_amd64.rpm
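The package list above is the only machine-checkable statement of what "fixed" means for this erratum: a cluster is patched when every running Custom Metrics Autoscaler container resolves to one of those sha256 digests. The following Python is an added example, not Red Hat's tooling or part of the advisory. It parses section 6 as published (in its 80-column wrapped form, or with the lines joined) into a map of image repository to fixed digest and buckets a list of container imageIDs against it. The sample imageIDs are constructed; the assumptions are that `oc get pods -o jsonpath='{..imageID}'` returns `repository@sha256:<digest>` references (as CRI-O reports them) and that the images are pulled from registry.redhat.io. Digests marked placeholder are not real.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Section 6 of RHSA-2024:1812, copied verbatim in the wrapped form it was
# published in: one entry per blank-line-separated block.
ADVISORY_PACKAGE_LIST = """\
8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel8@s
ha256:4dd04c7c5b5fb1aeb50ac9cd52cce2b7be8eb69bddf460e98ee97849fddb1756_amd64:
custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel8@sha256:4dd04c7
c5b5fb1aeb50ac9cd52cce2b7be8eb69bddf460e98ee97849fddb1756_amd64.rpm

8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-admission-
webhooks-rhel8@sha256:902b54fc0dad9ceefa86752585e37788c47ae08423109b8c572966a56e
29de18_amd64:
custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel8@sha
256:902b54fc0dad9ceefa86752585e37788c47ae08423109b8c572966a56e29de18_amd64.rpm

8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle
@sha256:0352167d7c1b00293d9e855c37339f52b3f445a3b388ba0e95e813c5e3a40ddc_amd64:
custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:03521
67d7c1b00293d9e855c37339f52b3f445a3b388ba0e95e813c5e3a40ddc_amd64.rpm

8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8-operator@
sha256:4c2b8009baf3e0424a3504f9bc49fc9342608fcd350afb2fbff2c9568e5f68da_amd64:
custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8-operator@sha256:4c2b80
09baf3e0424a3504f9bc49fc9342608fcd350afb2fbff2c9568e5f68da_amd64.rpm

8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8@sha256:af
913191f4a7273f29545f64012cea08e2c35296d4e3e3b10c8358feb4c425bd_amd64:
custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8@sha256:af913191f4a7273
f29545f64012cea08e2c35296d4e3e3b10c8358feb4c425bd_amd64.rpm
"""

# <repository>@sha256:<64 hex>. ':' is excluded from the repository part so the
# "8Base-OCMA-2:" channel prefix and the "_amd64:" suffix are not swallowed.
ADVISORY_ENTRY_RE = re.compile(r"([^\s:@]+)@sha256:([0-9a-f]{64})")


def parse_advisory_package_list(text: str) -> Dict[str, str]:
    """Return {repository: fixed digest}; raise if one repository lists two digests."""
    fixed: Dict[str, str] = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        joined = "".join(line.strip() for line in block.splitlines())  # undo the wrap
        for repo, digest in ADVISORY_ENTRY_RE.findall(joined):
            if fixed.setdefault(repo, digest) != digest:
                raise ValueError(f"conflicting digests for {repo}")
    return fixed


def split_image_ref(image_id: str) -> Tuple[str, Optional[str]]:
    """Split 'host/repo@sha256:hex' or 'host/repo:tag' into (repo, digest or None).

    The registry host is dropped by the Docker reference rule: the first path
    component is a host if it contains '.' or ':' or is 'localhost'.
    """
    name, _, digest = image_id.partition("@sha256:")
    parts = name.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        parts = parts[1:]
    repo = "/".join(parts)
    if re.fullmatch(r"[0-9a-f]{64}", digest):
        return repo, digest
    return repo.split(":", 1)[0], None  # tag or unparseable reference: no digest


def audit_image_ids(image_ids: Iterable[str], fixed: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket each running image: fixed / outdated / unpinned / not_covered."""
    report: Dict[str, List[str]] = {"fixed": [], "outdated": [], "unpinned": [], "not_covered": []}
    for image_id in sorted(set(image_ids)):
        repo, digest = split_image_ref(image_id)
        if repo not in fixed:
            report["not_covered"].append(image_id)  # not an image this erratum ships
        elif digest is None:
            report["unpinned"].append(image_id)     # tag only: the fix cannot be proven
        elif digest == fixed[repo]:
            report["fixed"].append(image_id)
        else:
            report["outdated"].append(image_id)     # different build: older, or a later erratum
    return report


# Constructed sample of `oc get pods -n openshift-keda -o jsonpath='{..imageID}'`
# output. Assumptions: CRI-O reports repository@sha256 imageIDs and the images come
# from registry.redhat.io. Digests marked placeholder are not real.
SAMPLE_IMAGE_IDS = [
    "registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8-operator"
    "@sha256:4c2b8009baf3e0424a3504f9bc49fc9342608fcd350afb2fbff2c9568e5f68da",
    "registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8@sha256:"
    + "deadbeef" * 8,  # placeholder digest standing in for an older build
    "registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel8:2.12.1",  # by tag
    "registry.redhat.io/openshift4/example-sidecar@sha256:" + "0123456789abcdef" * 4,  # placeholder
]


def main() -> None:
    fixed = parse_advisory_package_list(ADVISORY_PACKAGE_LIST)
    for bucket, images in audit_image_ids(SAMPLE_IMAGE_IDS, fixed).items():
        for image in images:
            print(f"{bucket:12s} {image}")


if __name__ == "__main__":
    main()
```

Anything in the "outdated" or "unpinned" buckets is the actionable output: an outdated digest means the operator's Subscription has not rolled the pods forward to 2.12.1-376 yet (or a later erratum has superseded it, which a newer RHSA will list), and a tag-only reference means the running image cannot be tied to this advisory at all and should be pinned by digest. Images in "not_covered" are simply outside the scope of this erratum.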

7. References:

https://access.redhat.com/security/cve/CVE-2023-39326
https://access.redhat.com/security/cve/CVE-2023-47108
https://access.redhat.com/security/cve/CVE-2024-28180
https://access.redhat.com/security/updates/classification/#moderate

- --------------------------END INCLUDED TEXT----------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================