This advisory covers Red Hat OpenShift Container Platform 4.18.8, which includes container image updates that fix several security vulnerabilities. The primary security fix is for CVE-2024-11218, a container breakout vulnerability in podman/buildah caused by a race condition when using the --jobs=2 option during Containerfile builds. Additional vulnerabilities fixed include CVE-2025-0624, an out-of-bounds write in grub2's network configuration file search function, and CVE-2025-30204, which allows excessive memory allocation during JWT header parsing in golang-jwt/jwt. These vulnerabilities affect on-premise or private cloud deployments of OpenShift Container Platform 4.18. Red Hat recommends upgrading to the updated container images and RPM packages as soon as they are available in the appropriate release channels. The vendor advisory does not provide CVSS scores but rates the update as Important. No exploits in the wild are currently known.

The vulnerabilities fixed in this update could allow a malicious container build to escape container isolation (CVE-2024-11218), potentially leading to unauthorized access or privilege escalation. The grub2 out-of-bounds write (CVE-2025-0624) could cause memory corruption, potentially leading to denial of service or code execution. The golang-jwt/jwt excessive memory allocation (CVE-2025-30204) could lead to resource exhaustion. These issues affect the security and stability of OpenShift Container Platform 4.18 deployments. No known active exploitation has been reported.

Red Hat has released updated container images and RPM packages as part of OpenShift Container Platform 4.18.8 that address these vulnerabilities. Users should upgrade their OpenShift clusters to version 4.18.8 using the OpenShift CLI (oc) or web console following Red Hat's official upgrade documentation. This update is the official fix; applying it fully mitigates the described vulnerabilities. There is no indication that additional mitigations are required beyond upgrading to the fixed versions.