Issued:

2024-05-29

Updated:

2024-05-29

RHSA-2024:3479 - Important: Red Hat OpenStack Platform 16.2 director Operator container images security update

Synopsis

Important: Red Hat OpenStack Platform 16.2 director Operator container images security update

Type/Severity

Security Advisory Important

Topic

Updated container images are now available for director Operator for Red Hat OpenStack Platform 16.2 (Train) for RHEL 8.4.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenStack Platform provides the facilities for building, deploying and monitoring a private or public infrastructure-as-a-service (IaaS) cloud running on commonly available physical hardware.

The Red Hat OpenStack Platform (RHOSP) director Operator adds the ability to install and run a RHOSP cloud within OpenShift Container Platform (OCP).

Security Fix(es):

• golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests (CVE-2023-39326)

• golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS (CVE-2023-45288)

• golang: x/crypto/ssh: Prefix truncation attack on Binary Packet Protocol (BPP) (CVE-2023-48795)

• goproxy: Denial of service (DoS) via unspecified vectors (CVE-2023-37788)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section.

Solution

The container images provided by this update can be downloaded from the Red Hat container registry at registry.redhat.io or registry.access.redhat.com using the 'podman pull' command.

For more information about the images, search the image name in the Red Hat Ecosystem Catalog: https://catalog.redhat.com/software/containers/search

Affected Products

Fixes

• This content is not included.BZ - 2224245
• This content is not included.BZ - 2253330
• This content is not included.BZ - 2254210
• This content is not included.BZ - 2268273

CVEs

• CVE-2021-35937
• CVE-2021-35938
• CVE-2021-35939
• CVE-2021-43618
• CVE-2023-3446
• CVE-2023-3817
• CVE-2023-5678
• CVE-2023-7104
• CVE-2023-28322
• CVE-2023-37788
• CVE-2023-38546
• CVE-2023-39326
• CVE-2023-39615
• CVE-2023-45288
• CVE-2023-46218
• CVE-2023-48795
• CVE-2024-2961
• CVE-2024-28834

References

• https://access.redhat.com/security/updates/classification/#important

Additional information

• The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
• Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.