- Issued: 2024-10-22
- Updated: 2024-10-22
RHSA-2024:8014 - Important: Network Observability 1.7.0 for OpenShift
Synopsis
Important: Network Observability 1.7.0 for OpenShift
Type/Severity
Security Advisory Important
Topic
Network Observability 1.7 for Red Hat OpenShift
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Network Observability 1.7.0
Security Fix(es):
- Network Observability: Code Execution Vulnerability in Send Library (CVE-2024-43799)
- Network Observability: XSS vulnerability via prototype pollution (CVE-2024-45801)
- Network Observability: axios: Server-Side Request Forgery (CVE-2024-39338)
- Network Observability: Denial of Service Vulnerability in body-parser (CVE-2024-45590)
- Network Observability: DOM Clobbering vulnerability in AutoPublicPathRuntimeModule (CVE-2024-43788)
- Network Observability: Backtracking regular expressions cause ReDoS (CVE-2024-45296)
- Network Observability: Improper Input Handling in Express Redirects (CVE-2024-43796)
- Network Observability: Improper Sanitization in serve-static (CVE-2024-43800)
- Network Observability: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion (CVE-2024-34156)
- Network Observability: Calling any of the Parse functions containing deeply nested literals can cause a panic/stack exhaustion (CVE-2024-34155)
- Network Observability: Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion (CVE-2024-34158)
Solution
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
Affected Products
| Product | Version | Arch |
|---|---|---|
| Network Observability (NETOBSERV) | 1 | x86_64 |
| Network Observability (NETOBSERV) for IBM Z and LinuxONE | 1 | s390x |
| Network Observability (NETOBSERV) for IBM Power, little endian | 1 | ppc64le |
| Network Observability (NETOBSERV) for ARM 64 | 1 | aarch64 |
Fixes
- BZ - 2308193
- BZ - 2310527
- BZ - 2310528
- BZ - 2310529
- BZ - 2310908
- BZ - 2311152
- BZ - 2311153
- BZ - 2311154
- BZ - 2311171
- BZ - 2312631
- NETOBSERV-1884
- NETOBSERV-1509
- NETOBSERV-163
- NETOBSERV-1666
- NETOBSERV-1667
- NETOBSERV-1753
- NETOBSERV-1377
- NETOBSERV-1538
- NETOBSERV-1540
- NETOBSERV-1564
- NETOBSERV-1746
- NETOBSERV-1748
- NETOBSERV-1766
- NETOBSERV-1779
- NETOBSERV-1783
- NETOBSERV-1788
- NETOBSERV-1798
- NETOBSERV-1805
- NETOBSERV-1806
- NETOBSERV-1808
- NETOBSERV-1812
- NETOBSERV-1813
- NETOBSERV-1816
- NETOBSERV-1819
- NETOBSERV-1848
- NETOBSERV-1733
- NETOBSERV-1811
CVEs
- CVE-2024-34155
- CVE-2024-34156
- CVE-2024-34158
- CVE-2024-39338
- CVE-2024-43788
- CVE-2024-43796
- CVE-2024-43799
- CVE-2024-43800
- CVE-2024-45296
- CVE-2024-45590
- CVE-2024-45801
References
Additional information
- The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
- Offline Security Data is available for integration with other systems. See the Offline Security Data API to get started.