Main Vulnerability Database SB2022082418

SB2022082418 - OpenShift Container Platform 4.11 update for golang

Published: August 24, 2022

Security Bulletin ID SB2022082418

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Use of insufficiently random values (CVE-ID: CVE-2022-30629)

The vulnerability allows a remote attacker gain access to sensitive information.

The vulnerability exists in crypto/tls implementation when generating TLS tickets age. The newSessionTicketMsgTLS13.ageAdd is always set to "0" instead of a random value.

Remediation

Install update from vendor's website.

References

https://access.redhat.com/errata/RHSA-2022:6102

Vulnerable Software

Red Hat OpenShift Container Platform: 4.11.0
openshift-kuryr (Red Hat package): 4.11.0-202206232036.p0.g66c0cec.assembly.stream.el8
openshift-clients (Red Hat package): 4.11.0-202207291716.p0.g7075089.assembly.stream.el8
openshift-ansible (Red Hat package): 4.11.0-202206240216.p0.g9de1722.assembly.stream.el8
openshift (Red Hat package): 4.11.0-202207082037.p0.g9546431.assembly.stream.el8
ignition (Red Hat package): 2.14.0-3.rhaos4.11.el8
cri-o (Red Hat package): 1.24.1-11.rhaos4.11.gitb0d2ef3.el8
console-login-helper-messages (Red Hat package): 0.20.3-1.rhaos4.6.el8 - 0.20.3-2.rhaos4.11.el8
butane (Red Hat package): 0.15.0-1.rhaos4.11.el8
python-kubernetes (Red Hat package): before 24.2.0-1.el8
NetworkManager (Red Hat package): before 1.36.0-8.el8_6