Threats Tagged 'cve-2024-24788'

View all threats tagged with 'cve-2024-24788'. Filter and sort to focus on specific types of threats.

Red Hat Enhancement Advisory: Advisory for publishing Helm 3.15.4 GA release (CVE-2024-24788)

This advisory announces the general availability (GA) release of Helm version 3.15.4 for OpenShift Container Platform 4.17. It addresses three related CVEs (CVE-2024-24788, CVE-2024-24789, CVE-2024-24790) involving issues categorized under CWE-835, CWE-20, and CWE-115. The advisory primarily focuses on making the updated Helm binaries available to users. No known exploits are reported in the wild. The vendor provides updated packages for multiple architectures and directs users to download and use these updated binaries.

Red Hat Security Advisory: OpenShift Container Platform 4.16.4 packages and security update (CVE-2024-24788)

Red Hat OpenShift Container Platform 4.16.4 includes security updates addressing two vulnerabilities: CVE-2024-24788, where a malformed DNS message in the golang net package can cause an infinite loop, and CVE-2024-34064, where the jinja2 template engine accepts keys containing non-attribute characters. These issues have been rated as moderate severity by Red Hat Product Security. Users of OpenShift Container Platform 4.16 are advised to upgrade to the updated packages and container images provided in this release to remediate these vulnerabilities.

Red Hat Security Advisory: Red Hat build of Cryostat security update (CVE-2024-24788)

Red Hat has issued a security update for the Red Hat build of Cryostat 3 on RHEL 8 addressing two vulnerabilities in the golang net packages. The first vulnerability (CVE-2024-24788) involves a malformed DNS message that can cause an infinite loop. The second (CVE-2024-24790) concerns unexpected behavior in Is methods for IPv4-mapped IPv6 addresses. These issues have been rated with moderate security impact by Red Hat. No CVSS scores are provided in the advisory. The update is available and recommended to mitigate these issues.

Red Hat Security Advisory: grafana security update (CVE-2024-24788)

A moderate severity security advisory from Red Hat addresses vulnerabilities in Grafana related to underlying golang libraries. The issues include a malformed DNS message causing an infinite loop (CVE-2024-24788), incorrect handling of certain ZIP files (CVE-2024-24789), and unexpected behavior in IPv4-mapped IPv6 address methods (CVE-2024-24790). These vulnerabilities affect Red Hat Enterprise Linux 8 versions with Grafana packages. Red Hat has released updated packages to fix these issues.

Red Hat Security Advisory: Kube Descheduler Operator for Red Hat OpenShift 5.1.0 for RHEL 9 (CVE-2024-24788)

The Kube Descheduler Operator for Red Hat OpenShift 5.1.0 on RHEL 9 includes fixes for three vulnerabilities related to the golang net and net/http packages. These issues include a malformed DNS message causing an infinite loop (CVE-2024-24788), unexpected behavior in IPv4-mapped IPv6 address handling (CVE-2024-24790), and a denial of service due to improper 100-continue handling in net/http (CVE-2024-24791). The advisory classifies these vulnerabilities as moderate severity; they affect the Kube Descheduler Operator component. No known exploits are reported in the wild. The vendor has released updated images and recommends applying all relevant errata before updating.

Red Hat Security Advisory: Red Hat Ansible Automation Platform 2.4 Product Security and Bug Fix Update (CVE-2024-7143)

Red Hat Ansible Automation Platform 2.4 has received a security update addressing multiple vulnerabilities, including an RBAC permissions misassignment in pulpcore (CVE-2024-7143), a proxy-authorization header leakage in urllib3 (CVE-2024-37891), and two issues in receptor's golang net packages causing unexpected behavior and potential infinite loops (CVE-2024-24790, CVE-2024-24788). These issues have been fixed in updated packages provided by Red Hat. The advisory rates the overall security impact as moderate and provides updated versions for affected components. No known exploits are reported in the wild. The update also includes bug fixes unrelated to security. Patch availability is confirmed through official Red Hat updates.

Red Hat Security Advisory: containernetworking-plugins security update (CVE-2024-24788)

Red Hat has issued a moderate severity security advisory (RHSA-2024:9089) addressing vulnerabilities in the containernetworking-plugins package used in Red Hat Enterprise Linux 9. The update fixes two vulnerabilities: CVE-2024-24788, where a malformed DNS message in the golang net package can cause an infinite loop, and CVE-2024-24791, a denial of service vulnerability due to improper handling of HTTP 100-continue in net/http. These issues affect network connectivity components for Linux containers. The advisory covers multiple Red Hat Enterprise Linux 9 variants and architectures. Users are advised to apply the update as detailed in the Red Hat article linked in the advisory.

Red Hat Security Advisory: oci-seccomp-bpf-hook security update (CVE-2024-24788)

A moderate severity vulnerability (CVE-2024-24788) affects the oci-seccomp-bpf-hook component in Red Hat Enterprise Linux 9. This vulnerability involves a malformed DNS message in the golang net package that can cause an infinite loop. The issue is addressed in an update to the oci-seccomp-bpf-hook package. The vulnerability relates to the handling of seccomp json files for container syscall filtering. Red Hat has released updated packages for multiple architectures and variants of Red Hat Enterprise Linux 9 to remediate this issue.

Red Hat Security Advisory: Cluster Observability Operator 0.4.1 (CVE-2024-6104)

Cluster Observability Operator

Security Fix(es):

* coo-prometheus-container: go-retryablehttp: url might write sensitive information to log file [coo-0] (CVE-2024-6104)
* coo-thanos-container: golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON [coo-0] (CVE-2024-24786)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat Security Advisory: OpenShift Container Platform 4.16.18 bug fix and security update (CVE-2024-3727)

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.16.18. See the following advisory for the RPM packages for this release: https://access.redhat.com/errata/RHSA-2024:8263

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes: https://docs.openshift.com/container-platform/4.16/release_notes/ocp-4-16-release-notes.html

Security Fix(es):

* encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion (CVE-2024-34156)
* containers/image: digest type does not guarantee valid type (CVE-2024-3727)
* net/http: Denial of service due to improper 100-continue handling in net/http (CVE-2024-24791)
* jose-go: improper handling of highly compressed data (CVE-2024-28180)
* go/parser: golang: Calling any of the Parse functions containing deeply nested literals can cause a panic/stack exhaustion (CVE-2024-34155)
* go/build/constraint: golang: Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion (CVE-2024-34158)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.16 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.16/updating/updating_a_cluster/updating-cluster-cli.html
