The remote Redhat Enterprise Linux 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:5009 advisory.

    Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution     designed for on-premise or private cloud deployments.

    This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.14.0. See the following     advisory for the container images for this release:

    https://access.redhat.com/errata/RHSA-2023:5006

    Security Fix(es):

    * golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)     (CVE-2023-39325)

    * HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)     (CVE-2023-44487)

    * openshift: OCP & FIPS mode (CVE-2023-3089)

    * golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)

    * ovn: service monitor MAC flow is not rate limited (CVE-2023-3153)

    * golang.org/x/net/html: Cross site scripting (CVE-2023-3978)

    * scipy: use-after-free in Py_FindObjects() function (CVE-2023-29824)

    * goproxy: Denial of service (DoS) via unspecified vectors. (CVE-2023-37788)

    * golang: html/template:  improper handling of HTML-like comments within script contexts (CVE-2023-39318)

    * golang: html/template: improper handling of special tags within script contexts (CVE-2023-39319)

    * golang: crypto/tls: panic when processing post-handshake message on QUIC connections (CVE-2023-39321)

    * golang: crypto/tls: lack of a limit on buffered post-handshake (CVE-2023-39322)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    All OpenShift Container Platform 4.14 users are advised to upgrade to these updated packages and images     when they are available in the appropriate release channel. To check for available updates, use the     OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at     https://docs.openshift.com/container-platform/4.14/updating/updating_a_cluster/updating-cluster-cli.html

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:6840 advisory.

    Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution     designed for on-premise or private cloud deployments.

    This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.14.2. See the following     advisory for the container images for this release:

    https://access.redhat.com/errata/RHSA-2023:6837

    Security Fix(es):

    * HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS     attack (Rapid Reset Attack) (CVE-2023-44487 CVE-2023-39325)
    * golang: net/http: insufficient sanitization of Host header     (CVE-2023-29406)
    * golang: crypto/tls: slow verification of certificate chains containing     large RSA keys (CVE-2023-29409)
    * golang: html/template:  improper handling of HTML-like comments within     script contexts (CVE-2023-39318)
    * golang: html/template: improper handling of special tags within script     contexts (CVE-2023-39319)
    * golang: crypto/tls: panic when processing post-handshake message on QUIC     connections (CVE-2023-39321)
    * golang: crypto/tls: lack of a limit on buffered post-handshake     (CVE-2023-39322)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    All OpenShift Container Platform 4.14 users are advised to upgrade to these updated packages and images     when they are available in the appropriate release channel. To check for available updates, use the     OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at     https://docs.openshift.com/container-platform/4.14/updating/updating_a_cluster/updating-cluster-cli.html

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:6059 advisory.

    Red Hat OpenShift Pipelines Client, tkn for the 1.12.1 release, provides a CLI  tool to interact with the     Pipelines and Triggers components provided by Red Hat OpenShift Pipelines 1.12.1

    The tkn CLI tool is delivered as an RPM package for installation on RHEL platforms, and as binaries for     non-Linux platforms.

    Security Fix(es):

    * golang: net/http, x/net/http2: rapid stream resets can cause excessive work (Rapid Reset Attack)     (CVE-2023-39325)

    * HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)     (CVE-2023-44487)

    A Red Hat Security Bulletin which addresses further details about the Rapid Reset flaw is available in the     References section.

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 / 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:7521 advisory.

    OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container     Platform.

    This advisory contains OpenShift Virtualization 4.13.6 RPMs.

    Security Fix(es):

    * golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)     (CVE-2023-39325)

    * HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)     (CVE-2023-44487)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Bug Fix(es):

    * 4.13.6 rpms (BZ#2251683)

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

An update of the nginx package has been released.

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:3342-1 advisory.

    - CVE-2023-39325: go1.20: excessive resource consumption when dealing with rapid stream resets.
    (bsc#1229869)
    - CVE-2023-44487: google.golang.org/grpc, kube-apiserver: HTTP/2 rapid reset vulnerability. (bsc#1229869)
    - CVE-2023-45288: golang.org/x/net: excessive CPU consumption when processing unlimited sets of headers.
    (bsc#1229869)
    - CVE-2024-24786: github.com/golang/protobuf: infinite loop when unmarshaling invalid JSON. (bsc#1229867)

    Bug fixes:

    - Update go to version 1.22.5 in build requirements. (bsc#1229858)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

ID	Name	Product	Family	Published	Updated	Severity
194294	RHEL 8 / 9 : OpenShift Container Platform 4.14.0 (RHSA-2023:5009)	Nessus	Red Hat Local Security Checks	4/28/2024	8/15/2025	medium
194364	RHEL 8 / 9 : OpenShift Container Platform 4.14.2 (RHSA-2023:6840)	Nessus	Red Hat Local Security Checks	4/28/2024	11/7/2024	critical
194389	RHEL 8 : Red Hat OpenShift Pipelines Client tkn for 1.12.1 (RHSA-2023:6059)	Nessus	Red Hat Local Security Checks	4/28/2024	11/7/2024	critical
194402	RHEL 7 / 8 / 9 : OpenShift Virtualization 4.13.6 RPMs (RHSA-2023:7521)	Nessus	Red Hat Local Security Checks	4/28/2024	11/7/2024	critical
204092	Photon OS 3.0: Nginx PHSA-2023-3.0-0672	Nessus	PhotonOS Local Security Checks	7/24/2024	7/24/2024	high
207493	SUSE SLES15 / openSUSE 15 Security Update : kubernetes1.24 (SUSE-SU-2024:3342-1)	Nessus	SuSE Local Security Checks	9/20/2024	9/20/2024	critical
502811	Cisco Products Uncontrolled Resource Consumption (CVE-2023-44487)	Tenable OT Security	Tenable.ot	1/6/2025	1/6/2025	high

Detections

Analytics

Plugins Search

medium

critical

critical

critical

high

critical

high