SB2024070925 - Multiple vulnerabilities in Red Hat OpenStack 17.1 packages

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2024070925

SB2024070925 - Multiple vulnerabilities in Red Hat OpenStack 17.1 packages

Published: July 9, 2024

Security Bulletin ID SB2024070925
Severity
Medium
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) Memory leak (CVE-ID: CVE-2024-1394)

The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak in the RSA encrypting/decrypting code when handling untrusted input. A remote attacker can pass specially crafted data to the application and perform denial of service attack.


2) Resource exhaustion (CVE-ID: CVE-2023-39326)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when handling HTTP chunked requests. A remote attacker can send specially crafted HTTP requests to the server and consume excessive memory resources.


3) Observable discrepancy (CVE-ID: CVE-2023-45287)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to a timing discrepancy when handling RSA based TLS key exchanges. A remote attacker can perform a Marvin attack and gain access to sensitive information.


4) Resource exhaustion (CVE-ID: CVE-2023-45288)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient limitations placed on the amount of CONTINUATION frames that can be sent within a single HTTP/2 stream. A remote attacker can send specially crafted HTTP/2 requests to the server and perform a denial of service (DoS) attack.

5) Dependency on vulnerable third-party component (CVE-ID: CVE-2024-4438)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to the etcd package from Red hat uses a vulnerable version of Go /x/net/http2 instead of the one provided by Red Hat Enterprise Linux versions. A remote attacker cab perform a denial of service (DoS) attack.


Remediation

Install update from vendor's website.

References