RHEL 8 / 9 : OpenShift Container Platform 4.13.0 (RHSA-2023:1325)

critical Nessus Plugin ID 194235

Language:

Synopsis

The remote Red Hat host is missing one or more security updates for OpenShift Container Platform 4.13.0.

Description

The remote Redhat Enterprise Linux 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:1325 advisory.

- buildah: possible information disclosure and modification (CVE-2022-2990)

- OpenShift: Missing HTTP Strict Transport Security (CVE-2022-3259)

- golang: crash in a golang.org/x/crypto/ssh server (CVE-2022-27191)

- golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)

- golang: path/filepath: path-filepath filepath.Clean path traversal (CVE-2022-41722)

- net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (CVE-2022-41723)

- golang: crypto/tls: large handshake records may cause panics (CVE-2022-41724)

- golang: net/http, mime/multipart: denial of service from excessive resource consumption (CVE-2022-41725)

- haproxy: segfault DoS (CVE-2023-0056)

- openshift/apiserver-library-go: Bypass of SCC seccomp profile restrictions (CVE-2023-0229)

- podman: symlink exchange attack in podman export volume (CVE-2023-0778)

- python-werkzeug: high resource usage when parsing multipart form data with many fields (CVE-2023-25577)

- haproxy: request smuggling attack in HTTP/1 header parsing (CVE-2023-25725)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the RHEL OpenShift Container Platform 4.13.0 package based on the guidance in RHSA-2023:1325.

Plugin Details

Severity: Critical

ID: 194235

File Name: redhat-RHSA-2023-1325.nasl

Version: 1.0

Type: local

Agent: unix

Family: Red Hat Local Security Checks

Published: 4/28/2024

Updated: 4/28/2024

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.0

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.4

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2022-27191

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Temporal Score: 8.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2023-25725

Vulnerability Information

CPE: cpe:/o:redhat:enterprise_linux:8, cpe:/o:redhat:enterprise_linux:9, p-cpe:/a:redhat:enterprise_linux:buildah, p-cpe:/a:redhat:enterprise_linux:buildah-tests, p-cpe:/a:redhat:enterprise_linux:cri-o, p-cpe:/a:redhat:enterprise_linux:haproxy, p-cpe:/a:redhat:enterprise_linux:haproxy22, p-cpe:/a:redhat:enterprise_linux:openshift, p-cpe:/a:redhat:enterprise_linux:openshift-clients, p-cpe:/a:redhat:enterprise_linux:openshift-clients-redistributable, p-cpe:/a:redhat:enterprise_linux:openshift-hyperkube, p-cpe:/a:redhat:enterprise_linux:podman, p-cpe:/a:redhat:enterprise_linux:podman-catatonit, p-cpe:/a:redhat:enterprise_linux:podman-docker, p-cpe:/a:redhat:enterprise_linux:podman-gvproxy, p-cpe:/a:redhat:enterprise_linux:podman-plugins, p-cpe:/a:redhat:enterprise_linux:podman-remote, p-cpe:/a:redhat:enterprise_linux:podman-tests, p-cpe:/a:redhat:enterprise_linux:python-werkzeug, p-cpe:/a:redhat:enterprise_linux:python3-werkzeug, p-cpe:/a:redhat:enterprise_linux:skopeo, p-cpe:/a:redhat:enterprise_linux:skopeo-tests

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/18/2023

Vulnerability Publication Date: 3/18/2022

Reference Information

CVE: CVE-2022-27191, CVE-2022-2990, CVE-2022-3259, CVE-2022-41717, CVE-2022-41722, CVE-2022-41723, CVE-2022-41724, CVE-2022-41725, CVE-2023-0056, CVE-2023-0229, CVE-2023-0778, CVE-2023-25577, CVE-2023-25725

CWE: 20, 22, 327, 367, 400, 444, 665, 770, 842

RHSA: 2023:1325

Detections

Analytics