===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.6881
                Red Hat OpenShift GitOps v1.9.3 security update
                               21 November 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat OpenShift GitOps v1.9.3
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-44487 CVE-2023-39325

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2023:7345

Comment: CVSS (Max):  7.5 CVE-2023-44487 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

         The following are listed in the CISA Known Exploited Vulnerabilities (KEV) Catalog:
         CISA KEV CVE(s): CVE-2023-44487
         CISA KEV URL:    https://www.cisa.gov/known-exploited-vulnerabilities-catalog

--------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift GitOps v1.9.3 security update
Advisory ID:       RHSA-2023:7345
Product:           Red Hat OpenShift GitOps 1.9
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:7345
Issue date:        2023-11-20
CVE Names:         CVE-2023-39325 CVE-2023-44487
=====================================================================

1. Summary:

An update is now available for Red Hat OpenShift GitOps 1.9.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift GitOps 1.9 - amd64, s390x, ppc64le, arm64

3. Description:

An update is now available for Red Hat OpenShift GitOps 1.9.

Security Fix(es):

* golang: net/http, x/net/http2: rapid stream resets can cause excessive work
  (Rapid Reset Attack) (CVE-2023-39325)

* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack
  (Rapid Reset Attack) (CVE-2023-44487)

A Red Hat Security Bulletin which addresses further details about the Rapid
Reset flaw is available in the References section.

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2243296 - CVE-2023-39325 - golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)
2242803 - CVE-2023-44487 - HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)
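A stream that the client resets immediately after opening it still costs the server the work of starting the request, which is the Rapid Reset pattern named in the fixes above. As an added example that is not part of the Red Hat or AusCERT text, the Go below reads frame-level events as a proxy or sensor log might record them and flags connections whose rate of rapidly reset streams exceeds a budget inside a sliding window; Frame, key, FlagRapidReset, SampleFrames, the thresholds and the sample traffic are all assumptions constructed here.

```go
package main

import "fmt"
import "time"

// Frame is one HTTP/2 frame as a proxy or sensor log might record it.
type Frame struct {
	Conn, Type string // connection id; "HEADERS" or "RST_STREAM"
	StreamID   uint32
	At         time.Time
}
type key struct{ conn string; id uint32 } // one stream on one connection
// FlagRapidReset flags connections that reset more than maxRapid streams within
// quick of opening them inside a sliding window of length window (assumed thresholds).
func FlagRapidReset(frames []Frame, window, quick time.Duration, maxRapid int) map[string]bool {
	opened, recent, flagged := map[key]time.Time{}, map[string][]time.Time{}, map[string]bool{}
	for _, f := range frames {
		k := key{f.Conn, f.StreamID}
		t0, ok := opened[k]
		if f.Type == "HEADERS" {
			opened[k] = f.At // remember when the client opened the stream
		} else if f.Type == "RST_STREAM" && ok && f.At.Sub(t0) <= quick {
			delete(opened, k) // a rapid reset: the stream did no real work
			rs := append(recent[f.Conn], f.At)
			for f.At.Sub(rs[0]) > window {
				rs = rs[1:] // drop rapid resets that fell out of the window
			}
			recent[f.Conn] = rs
			if len(rs) > maxRapid {
				flagged[f.Conn] = true
			}
		} // a cancel arriving later than quick is an ordinary client abort: not counted
	}
	return flagged
}

// SampleFrames is constructed input: "bad" opens and resets 200 streams inside
// 200 ms; "good" opens three streams and cancels each 500 ms later.
func SampleFrames() []Frame {
	base, fs := time.Date(2023, 11, 20, 0, 0, 0, 0, time.UTC), []Frame{}
	for i := uint32(1); i <= 200; i++ {
		t, id := base.Add(time.Duration(i)*time.Millisecond), 2*i-1 // odd ids: client streams
		fs = append(fs, Frame{"bad", "HEADERS", id, t}, Frame{"bad", "RST_STREAM", id, t.Add(100 * time.Microsecond)})
		if i <= 3 {
			fs = append(fs, Frame{"good", "HEADERS", id, t}, Frame{"good", "RST_STREAM", id, t.Add(500 * time.Millisecond)})
		}
	}
	return fs
}
func main() { fmt.Println(FlagRapidReset(SampleFrames(), time.Second, 50*time.Millisecond, 100)) }
```

With the constructed sample, a 1 s window and a budget of 100 flags only the abusive connection, while a 10 ms window keeps at most 11 rapid resets in view and needs a lower budget before it fires.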
6. Package List:

Red Hat OpenShift GitOps 1.9:
7. References:

https://access.redhat.com/security/cve/CVE-2023-39325
https://access.redhat.com/security/cve/CVE-2023-44487
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003
https://docs.openshift.com/gitops/1.9/understanding_openshift_gitops/about-redhat-openshift-gitops.html

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================