SB2024011863 - Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.14

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Resource exhaustion (CVE-ID: CVE-2023-45142)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to incorrect processing of HTTP header User-Agent and HTTP method. A remote attacker can send multiple requests with long randomly generated HTTP methods or/and User agents and consume memory resources, leading to a denial of service condition.

2) Resource exhaustion (CVE-ID: CVE-2023-47108)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to grpc Unary Server Interceptor does not properly control consumption of internal resources when processing multiple requests. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

3) Covert timing channel (CVE-ID: CVE-2023-5388)

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to insufficient fix for #VU84108 (CVE-2023-4421). A remote attacker can perform Marvin attack and gain access to sensitive information.

4) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-6476)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to unchecked access to an experimental annotation. A remote user can use the cgroupv2 and perform a denial of service (DoS) attack by consuming all available memory resources.

Remediation

Install update from vendor's website.

References

• https://access.redhat.com/errata/RHSA-2024:0204