AusCERT - Security Bulletins

Latest published security bulletins. See https://www.auscert.org.au/rss/ for feed information.
ESB-2022.5117 - [Appliance] Traffix SDC: CVSS (Max): 5.3
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5117
K28942395: OpenSSH vulnerability CVE-2018-15473
17 October 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Traffix SDC
Publisher: F5 Networks
Operating System: Network Appliance
Resolution: None
CVE Names: CVE-2018-15473
Original Bulletin:
https://support.f5.com/csp/article/K28942395
Comment: CVSS (Max): 5.3 CVE-2018-15473 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVSS Source: F5 Networks
Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- --------------------------BEGIN INCLUDED TEXT--------------------
K28942395: OpenSSH vulnerability CVE-2018-15473
Original Publication Date: 28 Sep, 2018
Latest Publication Date: 14 Oct, 2022
Security Advisory Description
OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not
delaying bailout for an invalid authenticating user until after the packet
containing the request has been fully parsed, related to auth2-gss.c,
auth2-hostbased.c, and auth2-pubkey.c. (CVE-2018-15473)
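The ordering bug described above, as an added example that is not OpenSSH's code: a small Python model of a publickey userauth handler in the pre-fix and post-fix order. VALID_USERS, AUTHORIZED_KEYS, the packet layout, the probe and the response labels are constructed for this example; the real handlers are in auth2-pubkey.c, auth2-hostbased.c and auth2-gss.c, and the toy treats a matching key blob as proof where sshd would verify a signature.

```python
# Added example, not OpenSSH code: a toy model of the request-handler ordering
# behind CVE-2018-15473. VALID_USERS, AUTHORIZED_KEYS, the packet layout and
# the response labels are constructed for this example.

VALID_USERS = {"root", "alice"}                # constructed account database
AUTHORIZED_KEYS = {"alice": b"KEY-ALICE"}      # constructed authorized_keys


class PacketParseError(Exception):
    """The userauth request could not be fully parsed."""


def _read_string(buf: bytes, off: int):
    """Read one SSH 'string': uint32 big-endian length, then that many bytes."""
    if off + 4 > len(buf):
        raise PacketParseError("truncated length field")
    n = int.from_bytes(buf[off:off + 4], "big")
    off += 4
    if off + n > len(buf):
        raise PacketParseError("string runs past the end of the packet")
    return buf[off:off + n], off + n


def build_pubkey_request(algo: bytes, key: bytes, has_sig: bool = False) -> bytes:
    """Publickey-specific tail of SSH_MSG_USERAUTH_REQUEST: boolean, string, string."""
    return (bytes([int(has_sig)])
            + len(algo).to_bytes(4, "big") + algo
            + len(key).to_bytes(4, "big") + key)


def parse_pubkey_request(payload: bytes):
    if not payload:
        raise PacketParseError("empty payload")
    has_sig = payload[0] != 0
    algo, off = _read_string(payload, 1)
    key, _ = _read_string(payload, off)
    return has_sig, algo, key


def userauth_vulnerable(user: str, payload: bytes) -> str:
    """Pre-fix order: the username is judged before the packet is parsed."""
    if user not in VALID_USERS:
        return "failure"              # early bailout; malformed bytes are never read
    try:
        _, _, key = parse_pubkey_request(payload)
    except PacketParseError:
        return "disconnect"           # a valid user hits the parse error instead
    # Toy: a matching key blob counts as proof; real sshd verifies a signature.
    return "success" if AUTHORIZED_KEYS.get(user) == key else "failure"


def userauth_fixed(user: str, payload: bytes) -> str:
    """Post-fix order: parse the whole packet first, then look at the user."""
    try:
        _, _, key = parse_pubkey_request(payload)
    except PacketParseError:
        return "disconnect"           # identical outcome whatever the username
    if user not in VALID_USERS:
        return "failure"
    return "success" if AUTHORIZED_KEYS.get(user) == key else "failure"


# Attacker's probe: announces a 4 GiB algorithm name but carries no bytes for
# it, so any handler that actually parses the packet fails on it.
MALFORMED_PROBE = b"\x01" + (0xFFFFFFFF).to_bytes(4, "big")


def probe(handler, candidates):
    """Send the probe under each candidate name; return {name: response}."""
    return {u: handler(u, MALFORMED_PROBE) for u in candidates}


def guess_valid_users(handler, candidates):
    """What the attacker concludes: names whose probe ended in a disconnect."""
    return sorted(u for u, r in probe(handler, candidates).items() if r == "disconnect")


def oracle_leaks(handler, candidates) -> bool:
    """True when at least two candidate names draw different responses."""
    return len(set(probe(handler, candidates).values())) > 1
```

Against the vulnerable handler the probe separates "root" and "alice" (disconnect) from "bob" (failure); against the fixed handler every name disconnects, so the attacker's guess list is just the candidate list and nothing is learned. The same check-then-parse ordering mistake is worth looking for in any authentication code that has a cheap "does this principal exist" test in front of an expensive message parse.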
Impact
Traffix SDC
An attacker may exploit this vulnerability to determine which user names are
valid on the affected system. The CVSS vector above scores a confidentiality
impact only: the information assists follow-on attacks such as password
guessing but does not by itself grant access.
BIG-IP, Enterprise Manager, BIG-IQ, F5OS-A, F5OS-C, and F5 iWorkflow
There is no impact on these F5 products; they are not affected by this
vulnerability.
Security Advisory Status
F5 Product Development has assigned CPF-24981 and CPF-24982 (Traffix SDC) to
this vulnerability.
To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases or hotfixes that
address the vulnerability, refer to the following table. For more information
about security advisory versioning, refer to K51812227: Understanding Security
Advisory versioning.
+----------------------------------+------------------------+-------------+----------+----------------+--------+------------+
|Product                           |Branch                  |Versions     |Fixes     |Severity        |CVSSv3  |Vulnerable  |
|                                  |                        |known to be  |introduced|                |score^1 |component   |
|                                  |                        |vulnerable   |in        |                |        |or feature  |
+----------------------------------+------------------------+-------------+----------+----------------+--------+------------+
|BIG-IP (LTM, AAM, AFM, Analytics, |17.x, 16.x, 15.x, 14.x, |None         |Not       |Not vulnerable^2|None    |None        |
|APM, ASM, DNS, Edge Gateway, FPS, |13.x, 12.x, 11.x        |             |applicable|                |        |            |
|GTM, Link Controller, PEM,        |                        |             |          |                |        |            |
|WebAccelerator)                   |                        |             |          |                |        |            |
+----------------------------------+------------------------+-------------+----------+----------------+--------+------------+
|Enterprise Manager                |3.x                     |None         |Not       |Not vulnerable^2|None    |None        |
|                                  |                        |             |applicable|                |        |            |
+----------------------------------+------------------------+-------------+----------+----------------+--------+------------+
|BIG-IQ Centralized Management     |7.x, 6.x, 5.x, 4.x      |None         |Not       |Not vulnerable^2|None    |None        |
|                                  |                        |             |applicable|                |        |            |
+----------------------------------+------------------------+-------------+----------+----------------+--------+------------+
|F5OS-A                            |1.x                     |None         |Not       |Not vulnerable^2|None    |None        |
|                                  |                        |             |applicable|                |        |            |
+----------------------------------+------------------------+-------------+----------+----------------+--------+------------+
|F5OS-C                            |1.x                     |None         |Not       |Not vulnerable^2|None    |None        |
|                                  |                        |             |applicable|                |        |            |
+----------------------------------+------------------------+-------------+----------+----------------+--------+------------+
|BIG-IQ Cloud and Orchestration    |1.x                     |None         |Not       |Not vulnerable^2|None    |None        |
|                                  |                        |             |applicable|                |        |            |
+----------------------------------+------------------------+-------------+----------+----------------+--------+------------+
|F5 iWorkflow                      |2.x                     |None         |Not       |Not vulnerable^2|None    |None        |
|                                  |                        |             |applicable|                |        |            |
+----------------------------------+------------------------+-------------+----------+----------------+--------+------------+
|Traffix SDC                       |5.x                     |5.0.0 - 5.2.0|None      |Medium          |5.3     |OpenSSH     |
|                                  |4.x                     |4.4.0        |None      |Medium          |5.3     |OpenSSH     |
+----------------------------------+------------------------+-------------+----------+----------------+--------+------------+
^1 The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.
^2 The specified products contain the affected code. However, F5 identifies the
vulnerability status as Not vulnerable because the attacker cannot exploit the
code in default, standard, or recommended configurations.
Recommended Actions
If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.
Mitigation
None
Supplemental Information
o K51812227: Understanding Security Advisory versioning
o K41942608: Overview of Security Advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K167: Downloading software and firmware from F5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----
ESB-2022.5116 - [Debian] python-django: CVSS (Max): 9.8*
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5116
python-django security update
17 October 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: python-django
Publisher: Debian
Operating System: Debian GNU/Linux
Resolution: Patch/Upgrade
CVE Names: CVE-2022-41323 CVE-2022-36359 CVE-2022-34265
CVE-2022-28347 CVE-2022-28346 CVE-2022-23833
CVE-2022-22818
Original Bulletin:
http://www.debian.org/security/2022/dsa-5254
Comment: CVSS (Max): 9.8* CVE-2022-34265 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: NVD, [Red Hat]
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* Not all CVSS available when published
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- - -------------------------------------------------------------------------
Debian Security Advisory DSA-5254-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
October 15, 2022 https://www.debian.org/security/faq
- - -------------------------------------------------------------------------
Package : python-django
CVE ID : CVE-2022-22818 CVE-2022-23833 CVE-2022-28346 CVE-2022-28347
CVE-2022-34265 CVE-2022-36359 CVE-2022-41323
Debian Bug : 1004752 1009677 1014541
Multiple security issues were found in Django, a Python web development
framework, which could result in denial of service, SQL injection or
cross-site scripting.
For the stable distribution (bullseye), these problems have been fixed in
version 2:2.2.28-1~deb11u1.
We recommend that you upgrade your python-django packages.
For the detailed security status of python-django please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-django
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmNK2BoACgkQEMKTtsN8
TjZ7Hw/+JYONqaFlHSM1zoAZ5Siogck70+ffsSF8NJ1fMyBExPnL7YMF+F9GwzFd
S4FqDd3SnEN2pZlSK84cWp4MXvqwsUEkVcbylZeCQOsk2WoE0BtruxCN937GNcvV
37ixBSC0uekx2B1f8n0YX5mA1nbezZjUnqw8/PomVAf98a0U1er7WJVypgXvvrkT
KMT+D6PB1H3ASPEcNtFcuANd3QN9PGcuRQQHXeonAOSCYVnsiDYj3UN5ts9x+Nap
gC981Uh6jxd07hiCdpPIam3Gjqp2wKFde9UiH25KYoPuw9Z7VkYZiI6lBZS2v4ZH
bvPBTPDjD7c3UUzHeY7F9IqAyY7UlPC+tKcqYyKIXnHm0xiPj6Z6aQRq3E/sM6eP
MLpiuMNEIhoy4AO+5wsexERfgWe5oGdkaXFO+kO1z7eqyZbsFaMZiTBkMRW9M1wo
SJ5l5Acl5MCwVhCzuiCJQG9znCCpgKwcqLwNlEWDQmK0n/suhIotMkDTeYP4nvoo
EimlTT08Yap2O66MwXGQPRwhZPN76HarJB0n08XPNEpjmg+LgF1dZuPrJIVbGL8L
aeK+eRW64IEikTR7B2mq/gKFGWWsq6fsk6TFRtnjJp4McfYsaRx8L40YzJwCPIec
P7dDNk4Tt5D3Psa+jU4e0f1hCBN+Chsd1LFfP55e9GtC/BHRg1E=
=kzuc
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----
ESB-2022.5115 - [RedHat] Red Hat build of Quarkus Platform: CVSS (Max): 7.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5115
Red Hat build of Quarkus Platform 2.7.6.SP1 and security update
17 October 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Red Hat build of Quarkus Platform
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-25857
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:6941
Comment: CVSS (Max): 7.5 CVE-2022-25857 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: Red Hat build of Quarkus Platform 2.7.6.SP1 and security update
Advisory ID: RHSA-2022:6941-01
Product: Red Hat build of Quarkus
Advisory URL: https://access.redhat.com/errata/RHSA-2022:6941
Issue date: 2022-10-13
CVE Names: CVE-2022-25857
=====================================================================
1. Summary:
An update is now available for the Red Hat build of Quarkus Platform.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each
vulnerability. For more information, see the CVE links in the References
section.
2. Description:
This release of Red Hat build of Quarkus 2.7.6.SP1 (Service Pack 1)
includes security updates, bug fixes, and enhancements. For more
information, see the release notes page listed in the References section.
Security Fix(es):
* snakeyaml: Denial of Service due to missing nested depth limitation for
collections (CVE-2022-25857)
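The missing limit that the fix entry names, shown in an added example that is not SnakeYAML's or Red Hat's code: a toy recursive-descent parser for YAML flow collections ([a, b] and {k: v}) with an optional nesting-depth limit. The documents it parses are constructed. Without a limit, a document that is nothing but opening brackets consumes one stack frame per level until the stack is exhausted; Python surfaces that as RecursionError where a Java parser would throw StackOverflowError, which is the denial-of-service outcome.

```python
# Added example, not SnakeYAML code: a toy parser for YAML flow collections
# with the kind of nesting-depth limit that CVE-2022-25857 was missing.
# DEEP_DOC and the other inputs are constructed.


class NestingTooDeep(ValueError):
    """A collection nests deeper than the configured limit."""


class FlowParser:
    def __init__(self, text: str, max_depth=None):
        self.s = text
        self.i = 0
        self.depth = 0
        self.max_depth = max_depth   # None reproduces the unbounded behaviour

    def parse(self):
        value = self._value()
        self._skip_ws()
        if self.i != len(self.s):
            raise ValueError("trailing data at offset %d" % self.i)
        return value

    def _peek(self) -> str:
        return self.s[self.i] if self.i < len(self.s) else ""

    def _skip_ws(self):
        while self.i < len(self.s) and self.s[self.i] in " \t\r\n":
            self.i += 1

    def _expect(self, ch: str):
        self._skip_ws()
        if self._peek() != ch:
            raise ValueError("expected %r at offset %d" % (ch, self.i))
        self.i += 1

    def _enter(self):
        """Called on every '[' or '{': this is the check the fix adds."""
        self.depth += 1
        if self.max_depth is not None and self.depth > self.max_depth:
            raise NestingTooDeep("nesting depth %d exceeds limit %d" % (self.depth, self.max_depth))

    def _value(self):
        self._skip_ws()
        c = self._peek()
        if c == "[":
            return self._sequence()
        if c == "{":
            return self._mapping()
        return self._scalar()

    def _sequence(self):
        self._enter()
        self._expect("[")
        items = []
        self._skip_ws()
        if self._peek() == "]":
            self.i += 1
            self.depth -= 1
            return items
        while True:
            items.append(self._value())
            self._skip_ws()
            c = self._peek()
            self.i += 1
            if c == "]":
                break
            if c != ",":
                raise ValueError("expected ',' or ']' at offset %d" % (self.i - 1))
        self.depth -= 1
        return items

    def _mapping(self):
        self._enter()
        self._expect("{")
        result = {}
        self._skip_ws()
        if self._peek() == "}":
            self.i += 1
            self.depth -= 1
            return result
        while True:
            key = self._scalar()
            self._expect(":")
            result[key] = self._value()
            self._skip_ws()
            c = self._peek()
            self.i += 1
            if c == "}":
                break
            if c != ",":
                raise ValueError("expected ',' or '}' at offset %d" % (self.i - 1))
        self.depth -= 1
        return result

    def _scalar(self):
        self._skip_ws()
        start = self.i
        while self.i < len(self.s) and self.s[self.i] not in ",:[]{} \t\r\n":
            self.i += 1
        token = self.s[start:self.i]
        if not token:
            raise ValueError("expected a scalar at offset %d" % start)
        return int(token) if token.isdigit() else token


def load_flow(text: str, max_depth=None):
    """('ok', value), ('rejected', reason) for an over-deep document, or
    ('crashed', 'RecursionError') when the unbounded parser ran out of stack."""
    try:
        return "ok", FlowParser(text, max_depth).parse()
    except NestingTooDeep as exc:
        return "rejected", str(exc)
    except RecursionError:
        return "crashed", "RecursionError"


DEEP_DOC = "[" * 5000 + "]" * 5000   # constructed: 5000 nested empty sequences
```

With `max_depth=50` the deep document is refused after 50 levels and a few hundred bytes of work; with no limit the same input unwinds the interpreter's stack. Upstream SnakeYAML exposes the corresponding control as `LoaderOptions.setNestingDepthLimit` (added in 1.32, default 50); the advisory does not say which SnakeYAML build the Quarkus platform resolves to, so confirm the dependency version in the built artifact rather than assuming the limit is present.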
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
3. Solution:
Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.
The References section of this erratum contains a download link for the
update. You must be logged in to download the update.
4. Bugs fixed (https://bugzilla.redhat.com/):
2126789 - CVE-2022-25857 snakeyaml: Denial of Service due to missing nested depth limitation for collections
5. References:
https://access.redhat.com/security/cve/CVE-2022-25857
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/articles/4966181
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=redhat.quarkus&version=2.7.6.SP1
https://access.redhat.com/documentation/en-us/red_hat_build_of_quarkus/2.7
6. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----
ESB-2022.5114 - [RedHat] Cluster Management for Kubernetes: CVSS (Max): 7.1
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5114
Red Hat Advanced Cluster Management 2.5.3 security fixes and bug fixes
17 October 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cluster Management for Kubernetes
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-34903 CVE-2022-21166 CVE-2022-21125
CVE-2022-21123 CVE-2022-2238 CVE-2022-0391
CVE-2015-20107
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:6954
Comment: CVSS (Max): 7.1 CVE-2015-20107 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: Red Hat Advanced Cluster Management 2.5.3 security fixes and bug fixes
Advisory ID: RHSA-2022:6954-01
Product: Red Hat ACM
Advisory URL: https://access.redhat.com/errata/RHSA-2022:6954
Issue date: 2022-10-13
CVE Names: CVE-2015-20107 CVE-2022-0391 CVE-2022-2238
CVE-2022-21123 CVE-2022-21125 CVE-2022-21166
CVE-2022-34903
=====================================================================
1. Summary:
Red Hat Advanced Cluster Management for Kubernetes 2.5.3 General
Availability release images, which fix security issues and bugs, as well as
update container images.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE links in the References section.
2. Description:
Red Hat Advanced Cluster Management for Kubernetes 2.5.3 images
Red Hat Advanced Cluster Management for Kubernetes provides the
capabilities to address common challenges that administrators and site
reliability engineers face as they work across a range of public and
private cloud environments. Clusters and applications are all visible and
managed from a single console, with security policy built in.
This advisory contains the container images for Red Hat Advanced Cluster
Management for Kubernetes, which fix security issues and several bugs. See
the following Release Notes documentation, which will be updated shortly for
this release, for additional details about this release:
https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.5/html/release_notes/
Security fix:
* search-api-container: search-api: SQL injection leads to remote denial of
service (CVE-2022-2238)
Bug fixes:
* search-aggregator pod is continuously getting OOMkilled on the hub (BZ#
2092863)
* ACM 2.5 cannot create known_hosts file when pulling from ssh git repo
(BZ# 2105885)
* Production RHACM upgrade from v2.4.2 to 2.5.1 (BZ# 2121063)
* No errors shown for failed helm deployments (BZ# 2124636)
* In topology, cluster deploy status is shown as not deployed however new
project is created on the cluster (BZ# 2125441)
3. Solution:
For Red Hat Advanced Cluster Management for Kubernetes, see the following
documentation, which will be updated shortly for this release, for important
instructions about installing this release:
https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.5/html-single/install/index#installing
4. Bugs fixed (https://bugzilla.redhat.com/):
2092863 - search-aggregator pod is continuously getting OOMkilled on the hub
2101669 - CVE-2022-2238 search-api: SQL injection leads to remote denial of service
2105885 - ACM 2.5 cannot create known_hosts file when pulling from ssh git repo
2121063 - Production RHACM upgrade from v2.4.2 to 2.5.1
2124636 - no errors shown for failed helm deployments
2125441 - In topology, cluster deploy status is shown as not deployed however new project is created on the cluster
5. References:
https://access.redhat.com/security/cve/CVE-2015-20107
https://access.redhat.com/security/cve/CVE-2022-0391
https://access.redhat.com/security/cve/CVE-2022-2238
https://access.redhat.com/security/cve/CVE-2022-21123
https://access.redhat.com/security/cve/CVE-2022-21125
https://access.redhat.com/security/cve/CVE-2022-21166
https://access.redhat.com/security/cve/CVE-2022-34903
https://access.redhat.com/security/updates/classification/#moderate
6. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBY0h7dtzjgjWX9erEAQj27g//ToLns2TgWThkVxfFX/MbwCmskyu4nChs
VsaXJakIawA8wzc1tF8BHJZ3QB1geeM1K+QZZBetghoEHlqO0BB/tosPjdljgRBe
VJf8v4RRdPwbp9cRnb5mSoZ7AOlRan64WHZrs5TLm0ruGF4UWgC3PL+eDuWfwEm7
zepKpsV+wAsL1sgxAEQzkL+ICs+9fLQsAJeGR+OwIPVBa7tJ5+OIaj+JzsCTV/Zs
1cvfKPqwV1IDGLm4SaEuUjLRDLlMv0LwoFwCsHrFyRpaEMLvm6o/iGRR6rUtAAQN
pwWfwWtxnDCe6kIoUiPD5yK4AUNfPcJ3X+8naXRY1eht2sG/i3X7g5sx5j1WD1K8
MnIZdZGnBwLCqCWTg53vjVA6Hp2vIX0vvY5QkEnpmy8x2XsYkPFxl5k5tnfOXD2K
GrJPixA2J7v8J/0liL39So4s5vwG8b22Y2X6zg/L1MoMoVO8shbs1TUy4d6mOxRW
dYgIBaZrJ1Lld4TjYjIb5pUvo/XvKHAA4yf9gc0N149C45lOJ25ASTmmSNxYBKFu
3JWVrA3ODUAxi8fERU+Ldx086eG8MS2MF5r8lvRLy/x3GySr9coUq7xcQRJJ91sS
J+njyeK3JimbZcVKrDiHrHIrx7uUGPF0QRMdEjTdzeRJW02tfM1Z0+5e95R+8ljw
kj4vhpMcHXk=
=r3dk
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----
ESB-2022.5113 - [RedHat] OpenShift Container Platform: CVSS (Max): 9.8
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5113
OpenShift Container Platform 4.8.51 packages and security update
17 October 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: OpenShift Container Platform
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-30323 CVE-2022-30322 CVE-2022-30321
CVE-2022-26945
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:6801
Comment: CVSS (Max): 9.8 CVE-2022-26945 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: OpenShift Container Platform 4.8.51 packages and security update
Advisory ID: RHSA-2022:6801-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2022:6801
Issue date: 2022-10-13
CVE Names: CVE-2022-26945 CVE-2022-30321 CVE-2022-30322
CVE-2022-30323
=====================================================================
1. Summary:
Red Hat OpenShift Container Platform release 4.8.51 is now available with
updates to packages and images that fix several bugs and add enhancements.
This release includes a security update for Red Hat OpenShift Container
Platform 4.8.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Description:
Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.
This advisory contains the container images for Red Hat OpenShift Container
Platform 4.8.51. See the following advisory for the RPM packages for this
release:
https://access.redhat.com/errata/RHBA-2022:6800
Space precludes documenting all of the container images in this advisory.
See the following Release Notes documentation, which will be updated
shortly for this release, for details about these changes:
https://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html
Security Fix(es):
* go-getter: command injection vulnerability (CVE-2022-26945)
* go-getter: unsafe download (issue 1 of 3) (CVE-2022-30321)
* go-getter: unsafe download (issue 2 of 3) (CVE-2022-30322)
* go-getter: unsafe download (issue 3 of 3) (CVE-2022-30323)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
You may download the oc tool and use it to inspect release image metadata
as follows:
(For x86_64 architecture)
$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.8.51-x86_64
The image digest is
sha256:ade848f9796f3938f8bd540ff5d94ef2791982b4f8c93929758efa0693c7a2db
(For s390x architecture)
$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.8.51-s390x
The image digest is
sha256:acea62267cf0598be3a4fbf42f143d99afea181f6f27be5f892e4cfd88a110fc
(For ppc64le architecture)
$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.8.51-ppc64le
The image digest is
sha256:5bbff649e25932816bdbc95e72e0b22e83c16c29f87809bea9d54b0b8886d363
All OpenShift Container Platform 4.8 users are advised to upgrade to these
updated packages and images when they are available in the appropriate
release channel. To check for available updates, use the OpenShift Console
or the CLI oc command. Instructions for upgrading a cluster are available at
https://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html
3. Solution:
For OpenShift Container Platform 4.8 see the following documentation, which
will be updated shortly for this release, for important instructions on how
to upgrade your cluster and fully apply this asynchronous errata update:
https://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html
Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html
4. Bugs fixed (https://bugzilla.redhat.com/):
2091495 - Unable to create br-ex as gateway is not found
2092918 - CVE-2022-30321 go-getter: unsafe download (issue 1 of 3)
2092923 - CVE-2022-30322 go-getter: unsafe download (issue 2 of 3)
2092925 - CVE-2022-30323 go-getter: unsafe download (issue 3 of 3)
2092928 - CVE-2022-26945 go-getter: command injection vulnerability
5. JIRA issues fixed (https://issues.jboss.org/):
OCPBUGS-1098 - Setting a telemeter proxy in the cluster-monitoring-config config map does not work as expected
OCPBUGS-1230 - [4.8] etcd should not rollout new revision when etcd Cluster is unhealthy/degraded
OCPBUGS-1314 - Users can't silence alerts from the dev console
OCPBUGS-1455 - Detect unsupported amount of workloads before rendering a lazy or crashing topology
OCPBUGS-1461 - Kubelet slowly leaking memory and pods eventually unable to start
OCPBUGS-1519 - [OCP 4.8] Fix generate script in CBO
OCPBUGS-895 - Machine Controller stuck with Terminated Instances while Provisioning on AWS
6. References:
https://access.redhat.com/security/cve/CVE-2022-26945
https://access.redhat.com/security/cve/CVE-2022-30321
https://access.redhat.com/security/cve/CVE-2022-30322
https://access.redhat.com/security/cve/CVE-2022-30323
https://access.redhat.com/security/updates/classification/#important
7. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----