This Red Hat security advisory covers OpenShift Container Platform 4.14.48, which addresses four security vulnerabilities: CVE-2024-12085 (rsync info leak via uninitialized stack contents), CVE-2024-45337 (authorization bypass due to misuse of ServerConfig.PublicKeyCallback in golang.org/x/crypto/ssh), CVE-2024-45338 (non-linear parsing of case-insensitive content in golang.org/x/net/html), and CVE-2024-53104 (kernel media uvcvideo driver skipping parsing of undefined frame types). The advisory provides updated container images and references RPM package updates in a related advisory. The update is rated as important by Red Hat Product Security and targets multiple architectures including x86_64, s390x, ppc64le, and aarch64. Users should upgrade their clusters using the OpenShift CLI or web console following official upgrade instructions.

The vulnerabilities fixed in this update could lead to information leakage, authorization bypass, and potential parsing issues affecting the security and stability of the OpenShift Container Platform. The advisory rates the security impact as important (high severity). There are no known exploits in the wild at the time of this advisory. The issues affect multiple components including rsync, golang.org/x/crypto/ssh, golang.org/x/net/html, and the Linux kernel media driver uvcvideo.

A fix is available through the OpenShift Container Platform 4.14.48 update. Users should upgrade to the updated container images and RPM packages as soon as they are available in their release channels. Upgrades can be performed using the OpenShift CLI (oc) or the web console. Official upgrade instructions are provided by Red Hat and should be followed to fully apply the security fixes. No additional mitigation actions are specified beyond applying the update.