SB2023112450 - Multiple vulnerabilities in Red Hat OpenShift Data Foundation 4.14

Description

This security bulletin contains information about 27 secuirty vulnerabilities.

1) Cross-site scripting (CVE-ID: CVE-2018-20677)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists in the affix configuration target property due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

2) Improper Authorization (CVE-ID: CVE-2023-43040)

The vulnerability allows a remote user to bypass implemented security restrictions.

The vulnerability exists due to improper authorization in radogw API gateway in Ceph when processing POST requests. A remote unprivileged user can write to any bucket(s) accessible by a given key if a POST form-data contains a key called "bucket" with a value matching the bucket's name used to sign the request.

3) Cleartext transmission of sensitive information (CVE-ID: CVE-2023-40217)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to an error in ssl.SSLSocket implementation when handling TLS client authentication. A remote attacker can trick the application to send data unencrypted.

4) External control of file name or path (CVE-ID: CVE-2023-38546)

The vulnerability allows an attacker to inject arbitrary cookies into request.

The vulnerability exists due to the way cookies are handled by libcurl. If a transfer has cookies enabled when the handle is duplicated, the cookie-enable state is also cloned - but without cloning the actual cookies. If the source handle did not read any cookies from a specific file on disk, the cloned version of the handle would instead store the file name as none (using the four ASCII letters, no quotes).

Subsequent use of the cloned handle that does not explicitly set a source to load cookies from would then inadvertently load cookies from a file named none - if such a file exists and is readable in the current directory of the program using libcurl.

5) Heap-based buffer overflow (CVE-ID: CVE-2023-38545)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the SOCKS5 proxy handshake. A remote attacker can trick the victim to visit a malicious website, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system but requires that SOCKS5 proxy is used and that SOCKS5 handshake is slow (e.g. under heavy load or DoS attack).

6) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-30630)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to application does not properly impose security restrictions when executing the command with the "--dump-bin" option. A local user can overwrite arbitrary files on the system and escalate privileges.

7) Buffer overflow (CVE-ID: CVE-2023-4911)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to insufficient validation of GLIBC_TUNABLES environment variable. A local user can trigger memory corruption and execute arbitrary code with elevated privileges.

8) Use-after-free (CVE-ID: CVE-2023-4813)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error within the gaih_inet() function when the getaddrinfo() function is called and the hosts database in /etc/nsswitch.conf is configured with SUCCESS=continue or SUCCESS=merge. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.

9) Use-after-free (CVE-ID: CVE-2023-4806)

The vulnerability allows an attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error within the getaddrinfo() function. A remote attacker can perform a denial of service (DoS) attack.

10) Out-of-bounds read (CVE-ID: CVE-2023-4527)

The vulnerability allows a remote attacker to gain access to potentially sensitive information or perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition within the getaddrinfo() function called with the AF_UNSPEC address family. A remote attacker with control over DNS server can send a DNS response via TCP larger than 2048 bytes, trigger an out-of-bounds read and crash the application or gain access to potentially sensitive information.

Successful exploitation of the vulnerability requires that system is configured with no-aaaa mode via /etc/resolv.conf.

11) Resource exhaustion (CVE-ID: CVE-2023-3341)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when handling control channel messages . A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

12) PHP file inclusion (CVE-ID: CVE-2023-2603)

The vulnerability allows a remote attacker to include and execute arbitrary PHP files on the server.

The vulnerability exists due to incorrect input validation when including PHP files in web/ajax/modal.php. A remote non-authenticated attacker can send a specially crafted HTTP request to the affected application, include and execute arbitrary PHP code on the system with privileges of the web server.

13) Memory leak (CVE-ID: CVE-2023-2602)

The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak in the error handling in the __wrap_pthread_create() function. A remote attacker can send a specially crafted request, exploit vulnerability to exhaust the process memory and cause a denial of service condition.

14) Cross-site scripting (CVE-ID: CVE-2018-20676)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists in the tooltip data-viewport attribute due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

15) Resource exhaustion (CVE-ID: CVE-2023-44487)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improperly control of consumption for internal resources when handling HTTP/2 requests with compressed HEADERS frames. A remote attacker can send a sequence of compressed HEADERS frames followed by RST_STREAM frames and perform a denial of service (DoS) attack, a.k.a. "Rapid Reset".

Note, the vulnerability is being actively exploited in the wild.

16) Cross-site scripting (CVE-ID: CVE-2018-14041)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists in the data-target property of the scrollspy plugin due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

17) Improper Privilege Management (CVE-ID: CVE-2023-5077)

The vulnerability allows a remote user to bypass certain security restrictions.

The vulnerability exists in Google Cloud secrets engine due to incorrect preservation of existing Google Cloud IAM Conditions upon creating or updating rolesets. A remote user can gain unauthorized access to the application.

18) Resource exhaustion (CVE-ID: CVE-2023-39325)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to excessive consumption of internal resources when handling HTTP/2 requests. A remote attacker can bypass the http2.Server.MaxConcurrentStreams setting by creating new connections while the current connections are still being processed, trigger resource exhaustion and perform a denial of service (DoS) attack.

19) Cross-site scripting (CVE-ID: CVE-2023-2121)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in the key-value v2 (kv-v2) diff viewer. A remote user can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

20) Resource exhaustion (CVE-ID: CVE-2023-37788)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

21) Cross-site scripting (CVE-ID: CVE-2023-29400)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data when processing HTML attributes. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

22) Cross-site scripting (CVE-ID: CVE-2023-24539)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data when handling angle brackets in CSS context. A remote attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

23) Resource exhaustion (CVE-ID: CVE-2023-24534)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when parsing HTTP and MIME headers in net/textproto. A remote attacker can cause an HTTP server to allocate large amounts of memory from a small request and perform a denial of service (DoS) attack.

24) Cross-site scripting (CVE-ID: CVE-2023-3978)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

25) Observable Response Discrepancy (CVE-ID: CVE-2023-3462)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the observable response discrepancy issue in the LDAP auth method. A remote user can enumerate valid accounts.

26) Resource exhaustion (CVE-ID: CVE-2022-41723)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources in the HPACK decoder. A remote attacker can send a specially crafted HTTP/2 stream to the application, cause resource exhaustion and perform a denial of service (DoS) attack.

27) Out-of-bounds read (CVE-ID: CVE-2021-4048)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition within the CLARRV, DLARRV, SLARRV, and ZLARRV functions in lapack. A remote attacker can pass specially crafted data to the application, trigger an out-of-bounds read error and crash the affected application.

Remediation

Install update from vendor's website.

References

• https://access.redhat.com/errata/RHSA-2023:6832