===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2022.6111
OpenShift Virtualization 4.9.7 Images security update
23 November 2022
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           OpenShift Virtualization 4.9.7 Images
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-41974 CVE-2022-40674 CVE-2022-38178
                   CVE-2022-38177 CVE-2022-21166 CVE-2022-21125
                   CVE-2022-21123 CVE-2022-3515 CVE-2022-2588
                   CVE-2022-1996 CVE-2021-45486 CVE-2021-45485

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2022:8609

Comment: CVSS (Max):  9.8 CVE-2022-40674 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
Red Hat Security Advisory

Synopsis:          Important: OpenShift Virtualization 4.9.7 Images security update
Advisory ID:       RHSA-2022:8609-01
Product:           cnv
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8609
Issue date:        2022-11-22
CVE Names:         CVE-2021-45485 CVE-2021-45486 CVE-2022-1996
                   CVE-2022-2588 CVE-2022-3515 CVE-2022-21123
                   CVE-2022-21125 CVE-2022-21166 CVE-2022-38177
                   CVE-2022-38178 CVE-2022-40674 CVE-2022-41974
=====================================================================

1. Summary:

Red Hat OpenShift Virtualization release 4.9.7 is now available with
updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

OpenShift Virtualization is Red Hat's virtualization solution designed for
Red Hat OpenShift Container Platform.

This advisory contains OpenShift Virtualization 4.9.7 images.

Security Fix(es):

* go-restful: Authorization Bypass Through User-Controlled Key
(CVE-2022-1996)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2094982 - CVE-2022-1996 go-restful: Authorization Bypass Through User-Controlled Key
2130218 - 4.9.7 containers

5. References:

https://access.redhat.com/security/cve/CVE-2021-45485
https://access.redhat.com/security/cve/CVE-2021-45486
https://access.redhat.com/security/cve/CVE-2022-1996
https://access.redhat.com/security/cve/CVE-2022-2588
https://access.redhat.com/security/cve/CVE-2022-3515
https://access.redhat.com/security/cve/CVE-2022-21123
https://access.redhat.com/security/cve/CVE-2022-21125
https://access.redhat.com/security/cve/CVE-2022-21166
https://access.redhat.com/security/cve/CVE-2022-38177
https://access.redhat.com/security/cve/CVE-2022-38178
https://access.redhat.com/security/cve/CVE-2022-40674
https://access.redhat.com/security/cve/CVE-2022-41974
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================