SB2020061740 - Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.3

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Resource management error (CVE-ID: CVE-2020-1750)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the mmap stressor in machine-config-operator-container. A remote authenticated user can pass specially crafted data to the application and perform a denial of service (DoS) attack.

2) Resource management error (CVE-ID: CVE-2020-8616)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources with the applicatoin. In order for a server performing recursion to locate records in the DNS graph it must be capable of processing referrals, such as those received when it attempts to query an authoritative server for a record which is delegated elsewhere. A malicious actor who intentionally exploits this lack of effective limitation on the number of fetches performed when processing referrals can, through the use of specially crafted referrals, cause a recursing server to issue a very large number of fetches in an attempt to process the referral.

3) Reachable Assertion (CVE-ID: CVE-2020-8617)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a reachable assertion when checking validity of messages containing TSIG resource records within tsig.c. A remote attacker can send a specially crafted message and cause a BIND server to reach an inconsistent state if the attacker knows (or successfully guesses) the name of a TSIG key used by the server.

Remediation

Install update from vendor's website.

References

• https://access.redhat.com/errata/RHSA-2020:2439