Threats Tagged 'cve-2024-24786'
View all threats tagged with 'cve-2024-24786'. Filter and sort to focus on specific types of threats.
Red Hat Security Advisory: OpenShift Container Platform 4.12.54 packages and security update
CVE-2024-1394
Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.12.54. See the following advisory for the container images for this release: https://access.redhat.com/errata/RHSA-2024:1572
Security Fix(es):
* golang-fips/openssl: Memory leaks in code encrypting and decrypting RSA payloads (CVE-2024-1394)
* golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON (CVE-2024-24786)
* jose-go: improper handling of highly compressed data (CVE-2024-28180)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. All OpenShift Container Platform 4.12 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.12/updating/updating-cluster-cli.html
GCVE Database | 04/03/2024, 07:42:00 UTC | Added: 05/26/2026, 20:58:00 UTC

Red Hat Security Advisory: OpenShift Container Platform 4.16.14 security update
CVE-2024-3727
Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.
Security Fix(es):
* containers/image: digest type does not guarantee valid type (CVE-2024-3727)
* golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON (CVE-2024-24786)
* Bare Metal Operator: BMO can expose particularly named secrets from other namespaces via BMH CRD (CVE-2024-43803)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
GCVE Database | 09/24/2024, 15:28:01 UTC | Added: 05/26/2026, 20:58:00 UTC

Red Hat Security Advisory: Red Hat build of MicroShift 4.16.0 security update
CVE-2024-3177
Red Hat has released a security update for the Red Hat build of MicroShift 4.16.0, a lightweight Kubernetes orchestration solution for edge device deployments. The update addresses two vulnerabilities: CVE-2024-24786, which involves an infinite loop in protojson.Unmarshal when processing certain invalid JSON inputs, and CVE-2024-3177, which allows bypassing the mountable secrets policy enforced by the ServiceAccount admission plugin in the Kubernetes kube-apiserver. These issues could impact the stability and security of MicroShift deployments. Users of MicroShift 4.16 are advised to apply the updated RPM packages and container images as soon as they are available in the RPM repository. The vendor rates the security impact as Important, and no known exploits are reported in the wild at this time.
GCVE Database | 06/27/2024, 13:18:33 UTC | Added: 05/26/2026, 20:57:59 UTC

Red Hat Security Advisory: OpenShift Container Platform 4.16.24 security update
CVE-2024-9341
Red Hat OpenShift Container Platform 4.16.24 includes security updates addressing three vulnerabilities: a FIPS crypto-policy directory mounting issue in the containers/common Go library (CVE-2024-9341), improper input validation in the bind-propagation option of the Dockerfile RUN --mount instruction (CVE-2024-9407), and an infinite loop in protojson.Unmarshal when unmarshaling certain invalid JSON inputs (CVE-2024-24786). These issues affect container image components such as Podman, Buildah, and cri-o. The update is rated with moderate security impact by Red Hat Product Security. Users of OpenShift Container Platform 4.16 are advised to upgrade to the updated packages and images via the appropriate release channels using the OpenShift CLI or web console.
GCVE Database | 11/26/2024, 18:45:35 UTC | Added: 05/26/2026, 20:57:59 UTC

Red Hat Security Advisory: RHOAI 2.16.0 - Red Hat OpenShift AI
CVE-2024-3596
Red Hat OpenShift AI version 2.16.0 addresses multiple security vulnerabilities identified by CVE-2024-3596 and related CVEs. The advisory indicates the release of updated images for Red Hat OpenShift AI to mitigate these issues. No explicit details on the nature of the vulnerabilities or exploitation methods are provided. The vendor advisory does not specify any fixes included in this release, only that updated images are available and documentation will be updated with upgrade instructions. There are no known exploits in the wild at this time. The severity is assessed as high based on the advisory metadata, but no CVSS score is provided.
GCVE Database | 12/05/2024, 14:54:56 UTC | Added: 05/26/2026, 20:57:59 UTC

Red Hat Security Advisory: OpenShift Container Platform 4.15.6 bug fix and security update
CVE-2024-1725
Red Hat OpenShift Container Platform 4.15.6 includes important security updates addressing two vulnerabilities: CVE-2024-1725, where kubevirt-csi's PersistentVolume allows unauthorized access to the HyperConverged Platform (HCP) root node, and CVE-2024-24786, where golang-protobuf's protojson.Unmarshal can enter an infinite loop when processing certain invalid JSON inputs. These issues are rated as important by Red Hat Product Security. Users of OpenShift Container Platform 4.15 are advised to upgrade to the updated packages and container images provided in this release to mitigate these vulnerabilities.
GCVE Database | 04/02/2024, 19:33:26 UTC | Added: 05/26/2026, 20:57:59 UTC

Red Hat Security Advisory: OpenShift Container Platform 4.15.6 packages and security update
CVE-2024-1394
Red Hat OpenShift Container Platform 4.15.6 includes security updates addressing three vulnerabilities: a memory leak in RSA payload encryption/decryption (CVE-2024-1394), an infinite loop during JSON unmarshaling of invalid data (CVE-2024-24786), and improper handling of highly compressed data (CVE-2024-28180). These issues affect components such as golang-fips/openssl, golang-protobuf, and jose-go. Red Hat has released updated RPM packages and container images to fix these vulnerabilities. Users of OpenShift Container Platform 4.15 are advised to upgrade to these updated packages and images via the appropriate release channels using the OpenShift CLI or web console. Detailed upgrade instructions are available in Red Hat's documentation. The update is rated as having an Important security impact by Red Hat Product Security. No known exploits in the wild have been reported at this time.
GCVE Database | 04/02/2024, 21:42:24 UTC | Added: 05/26/2026, 20:57:59 UTC

Red Hat Security Advisory: podman security and bug fix update
CVE-2024-1753
This advisory addresses two security vulnerabilities in the podman container management tool used in Red Hat Enterprise Linux 9. The first vulnerability (CVE-2024-24786) involves an infinite loop in JSON unmarshaling when processing certain invalid JSON inputs. The second vulnerability (CVE-2024-1753) allows a full container escape at build time via the buildah component. Red Hat has released an update to podman version 4.9.4-3.el9_4 that includes fixes for these issues along with several bug fixes. The update is rated as having a moderate security impact. No known exploits are reported in the wild. The vendor advisory provides official remediation instructions and affected product details.
GCVE Database | 04/30/2024, 13:39:21 UTC | Added: 05/26/2026, 20:57:59 UTC

Red Hat Security Advisory: OpenShift Container Platform 4.18.1 bug fix and security update
CVE-2024-3727
Red Hat OpenShift Container Platform 4.18.1 includes multiple security fixes addressing vulnerabilities in components such as golang.org/x/net/html, go-git, containers/image, go-retryablehttp, ose-olm-catalogd-container, golang-protobuf, and GraphQL. These vulnerabilities range from denial of service, argument injection, infinite loops during JSON unmarshaling, to potential leakage of sensitive information in logs. The update is rated as having an important security impact by Red Hat Product Security. Users of OpenShift Container Platform 4.18 are advised to upgrade to the updated packages and container images as soon as they become available in the appropriate release channels.
GCVE Database | 02/25/2025, 04:38:13 UTC | Added: 05/26/2026, 20:57:59 UTC

Red Hat Security Advisory: OpenShift Container Platform 4.16.19 bug fix and security update
CVE-2024-6508
Red Hat OpenShift Container Platform 4.16.19 includes important security fixes addressing three vulnerabilities: an OAuth2 insufficient state parameter entropy issue (CVE-2024-6508), an infinite loop in protojson.Unmarshal when processing certain invalid JSON (CVE-2024-24786), and lack of checksum validation on OpenStack Ironic images (CVE-2024-47211). These vulnerabilities affect on-premise or private cloud deployments of OpenShift Container Platform 4.16. Users are advised to upgrade to the updated packages and container images available through the appropriate release channels to mitigate these issues.
GCVE Database | 10/30/2024, 01:12:50 UTC | Added: 05/26/2026, 20:57:59 UTC

Showing 1 to 10 of 13 results