This security advisory addresses three vulnerabilities in the Kube Descheduler Operator for Red Hat OpenShift 5.1.0 on RHEL 9. The first vulnerability (CVE-2024-24788) involves the golang net package where a malformed DNS message can cause an infinite loop. The second (CVE-2024-24790) concerns unexpected behavior in the golang net/netip Is methods for IPv4-mapped IPv6 addresses. The third (CVE-2024-24791) is a denial of service vulnerability in the net/http package due to improper handling of HTTP 100-continue requests. These issues could impact the operator's stability and reliability. The advisory includes fixes and updated container images for affected architectures. The vulnerabilities are rated moderate in severity and no active exploitation is reported.

The vulnerabilities may cause denial of service conditions or unexpected behavior in the Kube Descheduler Operator, potentially affecting pod eviction strategies and cluster stability. Specifically, the malformed DNS message vulnerability can lead to an infinite loop, the IPv4-mapped IPv6 address handling issue can cause unexpected behavior in IP address processing, and the improper 100-continue handling can result in denial of service. There are no reports of known exploits in the wild at this time.

Red Hat has released updated versions of the Kube Descheduler Operator for OpenShift 5.1.0 on RHEL 9 that address these vulnerabilities. Users should ensure all previously released errata are applied before updating to the fixed versions. The advisory provides updated container images for multiple architectures. Applying these updates will mitigate the vulnerabilities. No additional mitigation steps are indicated by the vendor.