
Threats Tagged 'cve-2024-45338'

View all threats tagged with 'cve-2024-45338'. Filter and sort to focus on specific types of threats.


Red Hat Security Advisory: Logging for Red Hat OpenShift - 6.1.4 (CVE-2024-45336)

This advisory addresses multiple vulnerabilities in the Logging subsystem for Red Hat OpenShift 6.1.4. The issues include non-linear parsing of case-insensitive content in golang.org/x/net/html (CVE-2024-45338), sensitive HTTP headers being incorrectly sent after cross-domain redirects (CVE-2024-45336), and a denial of service vulnerability in Go JOSE's parsing (CVE-2025-27144). These vulnerabilities affect various containers within the logging stack such as logging-loki, cluster-logging-operator, lokistack-gateway, and opa-openshift. The advisory provides upgrade instructions to apply fixes. No known exploits in the wild have been reported. The severity is rated high by Red Hat. Patch status is not explicitly stated but upgrade instructions indicate that fixes are available.

Red Hat Security Advisory: Logging for Red Hat OpenShift - 6.0.6 (CVE-2024-45338)

This advisory addresses two vulnerabilities in the logging components of Red Hat OpenShift 6.0.6. The first vulnerability (CVE-2025-27144) affects the lokistack-gateway-container, where Go JOSE's parsing is vulnerable to denial of service. The second vulnerability (CVE-2024-45338) affects the logging-loki-container, involving non-linear parsing of case-insensitive content in golang.org/x/net/html. Both issues could impact the stability and reliability of the logging subsystem in Red Hat OpenShift. Red Hat has issued an important security advisory with instructions for upgrading and applying the update to remediate these vulnerabilities. There are no known exploits in the wild at this time.

Red Hat Security Advisory: OpenShift Container Platform 4.19.0 bug fix and security update (CVE-2024-45337)

Red Hat OpenShift Container Platform 4.19.0 includes multiple security fixes addressing vulnerabilities in various Golang libraries and the Bare Metal Operator. These issues range from authorization bypass and denial of service to secret exposure across namespaces. Users of OpenShift Container Platform 4.19 are advised to upgrade to the updated packages and container images as soon as they are available through official release channels.

Red Hat Security Advisory: OpenShift Container Platform 4.14.54 bug fix and security update (CVE-2024-6104)

Red Hat OpenShift Container Platform 4.14.54 includes important security updates addressing multiple vulnerabilities in underlying Golang libraries. These include issues such as non-linear parsing of case-insensitive content, unexpected memory consumption during token parsing, excessive memory allocation during JWT header parsing, and potential leakage of sensitive information to log files. The update is rated with an important security impact by Red Hat Product Security. Users of OpenShift Container Platform 4.14 are advised to upgrade to the updated packages and container images via the appropriate release channels using the OpenShift CLI or web console.

Red Hat Security Advisory: Red Hat OpenShift Data Foundation 4.15.14 Bug Fix Update (CVE-2024-11831)

Red Hat OpenShift Data Foundation 4.15.14 includes a bug fix update addressing multiple security vulnerabilities across various components such as serialize-javascript, body-parser, http-proxy-middleware, and others. These vulnerabilities include cross-site scripting (XSS), denial of service (DoS), prototype pollution, and URL validation issues. The update is classified as important and targets Red Hat OpenShift Data Foundation running on Red Hat Enterprise Linux 9 across multiple architectures. The advisory references 12 CVEs fixed in this release, including CVE-2024-11831. No known exploits in the wild have been reported. Users are advised to apply this update after ensuring all previous errata are applied.

Red Hat Security Advisory: Red Hat OpenShift for Windows Containers 10.16.2 product release (CVE-2024-9042)

CVE-2024-9042 is a medium severity vulnerability affecting Red Hat OpenShift for Windows Containers, specifically the Windows Machine Config Operator component. This product enables deployment of Windows container workloads on Windows Server containers. The vulnerability is associated with CWE-78 (Improper Neutralization of Special Elements used in an OS Command) and CWE-770 (Allocation of Resources Without Limits or Throttling). Red Hat has released the OpenShift for Windows Containers 10.16.2 product release addressing this issue. No known exploits are reported in the wild. The vendor advisory provides upgrade guidance and references for remediation.

Red Hat Security Advisory: OpenShift Container Platform 4.19.0 security and extras update (CVE-2024-45337)

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.19.0. See the following advisory for the container images for this release: https://access.redhat.com/errata/RHSA-2024:11038

Security Fix(es):

* golang.org/x/crypto/ssh: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto (CVE-2024-45337)
* golang.org/x/net/html: Non-linear parsing of case-insensitive content in golang.org/x/net/html (CVE-2024-45338)
* golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws (CVE-2025-22868)
* golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh (CVE-2025-22869)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.19 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.redhat.com/en/documentation/openshift_container_platform/4.19/html-single/updating_clusters/index#updating-cluster-cli.

Red Hat Security Advisory: OpenShift API for Data Protection (OADP) 1.4.5 security and bug fix update (CVE-2024-45337)

OpenShift API for Data Protection (OADP) enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes.

Security Fix(es) from Bugzilla:

* golang.org/x/crypto/ssh: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto (CVE-2024-45337)
* golang.org/x/net/html: Non-linear parsing of case-insensitive content in golang.org/x/net/html (CVE-2024-45338)
* go-git: argument injection via the URL field (CVE-2025-21613)
* golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws (CVE-2025-22868)
* golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh (CVE-2025-22869)
* golang-jwt/jwt: jwt-go allows excessive memory allocation during header parsing (CVE-2025-30204)
* go-jose: Go JOSE's Parsing Vulnerable to Denial of Service (CVE-2025-27144)
* net/http: Request smuggling due to acceptance of invalid chunked data in net/http (CVE-2025-22871)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat Security Advisory: Updated 8.1 container image is now available: security and bug fix update (CVE-2024-24557)

Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable version of the Ceph storage system with a Ceph management platform, deployment utilities, and support services. This new container image is based on Red Hat Ceph Storage 8.1 and Red Hat Enterprise Linux 8.10, 9.5, 9.6. Users are directed to the Red Hat Ceph Storage Release Notes for full Red Hat Ceph Storage 8.1 Release Notes information: https://docs.redhat.com/en/documentation/red_hat_ceph_storage/8/html/8.1_release_notes All users of Red Hat Ceph Storage are advised to pull these new images from the Red Hat Ecosystem catalog, which provides numerous security and bug fixes.

Red Hat Security Advisory: OpenShift Container Platform 4.12.80 bug fix and security update (CVE-2024-45338)

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.12.80. See the following advisory for the RPM packages for this release: https://access.redhat.com/errata/RHBA-2025:15307

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes: https://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html/release_notes

Security Fix(es):

* golang.org/x/net/html: Non-linear parsing of case-insensitive content in golang.org/x/net/html (CVE-2024-45338)
* golang-jwt/jwt: jwt-go allows excessive memory allocation during header parsing (CVE-2025-30204)
* github.com/golang/glog: Vulnerability when creating log files in github.com/golang/glog (CVE-2024-45339)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.12 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html-single/updating_clusters/index#updating-cluster-within-minor.


Showing 1 to 10 of 24 results
