Main Vulnerability Database SB2024101406

SB2024101406 - Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.17 packages

Published: October 14, 2024

Security Bulletin ID SB2024101406

Severity

Low

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2024-6104)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to software stores sensitive information into log files. A local user can read the log files and gain access to sensitive data obtain from HTTP requests.

2) Input validation error (CVE-ID: CVE-2024-24789)

The vulnerability allows a remote attacker to manipulate data.

The vulnerability exists due to insufficient validation of user-supplied input in archive/zip when handling zip archives. A remote attacker can create a zip file with content that will vary depending on the implementation reading the file.

Remediation

Install update from vendor's website.

References

https://access.redhat.com/errata/RHSA-2024:3722

Vulnerable Software

slirp4netns (Red Hat package): before 1.1.8-3.rhaos4.17.el8
openshift4-aws-iso (Red Hat package): before 4.17.0-202404161335.p0.gd2acdd5.assembly.stream.el8
libslirp (Red Hat package): before 4.4.0-5.rhaos4.17.el8
fuse-overlayfs (Red Hat package): before 1.10-3.rhaos4.17.el8
containernetworking-plugins (Red Hat package): before 1.4.0-3.rhaos4.17.el8
toolbox (Red Hat package): before 0.1.0-3.rhaos4.17.el8
skopeo (Red Hat package): before 1.16.0-2.rhaos4.17.el8
runc (Red Hat package): before 1.1.13-2.rhaos4.17.el8
podman (Red Hat package): before 5.2.0-2.rhaos4.17.el9
ovn24.09 (Red Hat package): before 24.09.0 beta.26.el9fdp
ovn24.03 (Red Hat package): before 24.03.1-36.el9fdp
ose-gcp-gcr-image-credential-provider (Red Hat package): before 4.17.0-202408061615.p0.g8ce997d.assembly.stream.el8
ose-azure-acr-image-credential-provider (Red Hat package): before 4.17.0-202406261807.p0.gb9204e2.assembly.stream.el8
ose-aws-ecr-image-credential-provider (Red Hat package): before 4.17.0-202406261807.p0.g8c77f41.assembly.stream.el8
openshift-clients (Red Hat package): before 4.17.0-202409111134.p0.gbc58b3a.assembly.stream.el8
openshift-ansible (Red Hat package): before 4.17.0-202409041737.p0.g7fe7411.assembly.stream.el8
openshift (Red Hat package): before 4.17.0-202409121706.p0.gd3adea4.assembly.stream.el8
haproxy (Red Hat package): before 2.8.10-1.rhaos4.17.el9
golang-github-prometheus-promu (Red Hat package): before 0.16.0-17.gitf6c51c9.el9
crun (Red Hat package): before 1.14.3-2.rhaos4.17.el8
cri-tools (Red Hat package): before 1.30.0-4.el8
cri-o (Red Hat package): before 1.30.5-7.rhaos4.17.git2e89940.el8
containers-common (Red Hat package): before 1-86.rhaos4.17.el8
container-selinux (Red Hat package): before 2.231.0-3.rhaos4.17.el8
conmon-rs (Red Hat package): before 0.6.3-1.rhaos4.17.el8
conmon (Red Hat package): before 2.1.12-4.rhaos4.17.el8
buildah (Red Hat package): before 1.33.7-2.rhaos4.17.el8
Red Hat OpenShift Container Platform: before 4.17.0