RHCOS 4 : OpenShift Container Platform 4.12.0 (RHSA-2022:7398)

high Nessus Plugin ID 189448

Synopsis

The remote Red Hat CoreOS host is missing one or more security updates for OpenShift Container Platform 4.12.0.

Description

The remote Red Hat Enterprise Linux CoreOS 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:7398 advisory.

- Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant system resources. If parsing user input, this may be used as a denial of service vector.
(CVE-2021-4235)

- Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid. (CVE-2022-1705)

- In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. (CVE-2022-27664)

- Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics.
After fix, Reader.Read limits the maximum size of header blocks to 1 MiB. (CVE-2022-2879)

- Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy. Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged. (CVE-2022-2880)

- Incorrect handling of the supplementary groups in the CRI-O container engine might lead to sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container. (CVE-2022-2995)

- python-scciclient: missing server certificate verification (CVE-2022-2996)

- Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via an archive containing a large number of concatenated 0-length compressed files. (CVE-2022-30631)

- Users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group without authorization. Clusters are impacted by this vulnerability if all of the following are true: 1. There are 2+ CustomResourceDefinitions sharing the same API group 2. Users have cluster-wide list or watch authorization on one of those custom resources. 3. The same users are not authorized to read another custom resource in the same API group. (CVE-2022-3162)

- A security issue was discovered in kube-apiserver that allows an aggregated API server to redirect client traffic to any URL. This could lead to the client performing unexpected actions as well as forwarding the client's API server credentials to third parties. (CVE-2022-3172)

- Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For header. (CVE-2022-32148)

- A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially allowing a denial of service. (CVE-2022-32189)

- JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example, JoinPath(https://go.dev, ../go) returns the URL https://go.dev/../go, despite the JoinPath documentation stating that ../ path elements are removed from the result. (CVE-2022-32190)

- Openshift 4.9 does not use HTTP Strict Transport Security (HSTS) which may allow man-in-the-middle (MITM) attacks. (CVE-2022-3259)

- The version of cri-o as released for Red Hat OpenShift Container Platform 4.9.48, 4.10.31, and 4.11.6 via RHBA-2022:6316, RHBA-2022:6257, and RHBA-2022:6658, respectively, included an incorrect version of cri-o missing the fix for CVE-2022-27652, which was previously fixed in OCP 4.9.41 and 4.10.12 via RHBA-2022:5433 and RHSA-2022:1600. This issue could allow an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs. For more details, see https://access.redhat.com/security/cve/CVE-2022-27652. (CVE-2022-3466)

- Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected. (CVE-2022-41715)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the RHCOS OpenShift Container Platform 4.12.0 packages based on the guidance in RHSA-2022:7398.

See Also

https://access.redhat.com/security/cve/CVE-2021-4235

https://access.redhat.com/security/cve/CVE-2022-1705

https://access.redhat.com/security/cve/CVE-2022-2879

https://access.redhat.com/security/cve/CVE-2022-2880

https://access.redhat.com/security/cve/CVE-2022-2995

https://access.redhat.com/security/cve/CVE-2022-2996

https://access.redhat.com/security/cve/CVE-2022-3162

https://access.redhat.com/security/cve/CVE-2022-3172

https://access.redhat.com/security/cve/CVE-2022-3259

https://access.redhat.com/security/cve/CVE-2022-3466

https://access.redhat.com/security/cve/CVE-2022-27664

https://access.redhat.com/security/cve/CVE-2022-30631

https://access.redhat.com/security/cve/CVE-2022-32148

https://access.redhat.com/security/cve/CVE-2022-32189

https://access.redhat.com/security/cve/CVE-2022-32190

https://access.redhat.com/security/cve/CVE-2022-41715

https://access.redhat.com/errata/RHSA-2022:7398

https://bugzilla.redhat.com/2115122

https://bugzilla.redhat.com/2134063

Plugin Details

Severity: High

ID: 189448

File Name: rhcos-RHSA-2022-7398.nasl

Version: 1.0

Type: local

Agent: unix

Published: 1/24/2024

Updated: 1/24/2024

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.0

Vendor

Vendor Severity: Moderate

CVSS v2

Risk Factor: High

Base Score: 8.5

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:P/A:N

CVSS Score Source: CVE-2022-3172

CVSS v3

Risk Factor: High

Base Score: 8.2

Temporal Score: 7.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:cri-o, p-cpe:/a:redhat:enterprise_linux:ovn22.09-central, p-cpe:/a:redhat:enterprise_linux:python3-oslo-messaging, p-cpe:/a:redhat:enterprise_linux:python3-funcsigs, p-cpe:/a:redhat:enterprise_linux:ovn22.06-vtep, p-cpe:/a:redhat:enterprise_linux:python3-ifaddr, p-cpe:/a:redhat:enterprise_linux:python3-oslo-context-tests, p-cpe:/a:redhat:enterprise_linux:python3-wcwidth, p-cpe:/a:redhat:enterprise_linux:python3-lockfile, p-cpe:/a:redhat:enterprise_linux:python3-zeroconf, p-cpe:/a:redhat:enterprise_linux:kernel-rt-modules-internal, p-cpe:/a:redhat:enterprise_linux:conmon, p-cpe:/a:redhat:enterprise_linux:openshift-clients, p-cpe:/a:redhat:enterprise_linux:containers-common, p-cpe:/a:redhat:enterprise_linux:python3-paste-deploy, p-cpe:/a:redhat:enterprise_linux:bootupd, p-cpe:/a:redhat:enterprise_linux:podman-gvproxy, p-cpe:/a:redhat:enterprise_linux:python3-grpcio, p-cpe:/a:redhat:enterprise_linux:coreos-installer-dracut, p-cpe:/a:redhat:enterprise_linux:python-pyperclip-doc, p-cpe:/a:redhat:enterprise_linux:python3-flask, p-cpe:/a:redhat:enterprise_linux:python3-kuryr-kubernetes, p-cpe:/a:redhat:enterprise_linux:python3-oslo-log-tests, p-cpe:/a:redhat:enterprise_linux:kernel-rt, p-cpe:/a:redhat:enterprise_linux:python3-openvswitch2.17, p-cpe:/a:redhat:enterprise_linux:pycdlib-tools, p-cpe:/a:redhat:enterprise_linux:python-amqp-doc, p-cpe:/a:redhat:enterprise_linux:ostree-libs, p-cpe:/a:redhat:enterprise_linux:python-packaging-doc, p-cpe:/a:redhat:enterprise_linux:python3-oslo-log, p-cpe:/a:redhat:enterprise_linux:rpm-ostree-devel, p-cpe:/a:redhat:enterprise_linux:python3-oslo-config, p-cpe:/a:redhat:enterprise_linux:grpc, p-cpe:/a:redhat:enterprise_linux:container-selinux, p-cpe:/a:redhat:enterprise_linux:python3-eventlet, p-cpe:/a:redhat:enterprise_linux:ovn22.06-central, cpe:/o:redhat:enterprise_linux:8:coreos, p-cpe:/a:redhat:enterprise_linux:podman-docker, p-cpe:/a:redhat:enterprise_linux:python-oslo-log-lang, p-cpe:/a:redhat:enterprise_linux:python3-oslo-i18n, p-cpe:/a:redhat:enterprise_linux:nmstate-libs, p-cpe:/a:redhat:enterprise_linux:python3-importlib-metadata, p-cpe:/a:redhat:enterprise_linux:openshift-kuryr-common, p-cpe:/a:redhat:enterprise_linux:ovn22.09, p-cpe:/a:redhat:enterprise_linux:afterburn-dracut, p-cpe:/a:redhat:enterprise_linux:runc, p-cpe:/a:redhat:enterprise_linux:python-oslo-i18n-lang, p-cpe:/a:redhat:enterprise_linux:ovn22.06-host, p-cpe:/a:redhat:enterprise_linux:criu-devel, p-cpe:/a:redhat:enterprise_linux:python3-alembic, p-cpe:/a:redhat:enterprise_linux:butane, p-cpe:/a:redhat:enterprise_linux:openshift-ansible-test, p-cpe:/a:redhat:enterprise_linux:toolbox, p-cpe:/a:redhat:enterprise_linux:networkmanager-wwan, p-cpe:/a:redhat:enterprise_linux:tini, p-cpe:/a:redhat:enterprise_linux:networkmanager-tui, p-cpe:/a:redhat:enterprise_linux:python3-kubernetes, p-cpe:/a:redhat:enterprise_linux:slirp4netns, p-cpe:/a:redhat:enterprise_linux:python3-iso8601, p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug, p-cpe:/a:redhat:enterprise_linux:coreos-installer, p-cpe:/a:redhat:enterprise_linux:python3-criu, p-cpe:/a:redhat:enterprise_linux:python3-packaging, p-cpe:/a:redhat:enterprise_linux:kernel-rt-core, p-cpe:/a:redhat:enterprise_linux:python-oslo-db-lang, p-cpe:/a:redhat:enterprise_linux:python3-zipp, p-cpe:/a:redhat:enterprise_linux:ostree, p-cpe:/a:redhat:enterprise_linux:openshift-kuryr-cni, p-cpe:/a:redhat:enterprise_linux:grpc-plugins, p-cpe:/a:redhat:enterprise_linux:openshift-clients-redistributable, p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-kvm, p-cpe:/a:redhat:enterprise_linux:python3-pint, p-cpe:/a:redhat:enterprise_linux:python3-oslo-context, p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-modules, p-cpe:/a:redhat:enterprise_linux:podman-catatonit, p-cpe:/a:redhat:enterprise_linux:python3-oslo-db-tests, p-cpe:/a:redhat:enterprise_linux:networkmanager-ovs, p-cpe:/a:redhat:enterprise_linux:python3-pexpect, p-cpe:/a:redhat:enterprise_linux:podman-plugins, p-cpe:/a:redhat:enterprise_linux:podman-tests, p-cpe:/a:redhat:enterprise_linux:containernetworking-plugins, p-cpe:/a:redhat:enterprise_linux:python3-libnmstate, p-cpe:/a:redhat:enterprise_linux:console-login-helper-messages, cpe:/o:redhat:enterprise_linux:9:coreos, p-cpe:/a:redhat:enterprise_linux:openvswitch2.17-devel, p-cpe:/a:redhat:enterprise_linux:console-login-helper-messages-profile, p-cpe:/a:redhat:enterprise_linux:python3-pyrsistent, p-cpe:/a:redhat:enterprise_linux:python3-paste, p-cpe:/a:redhat:enterprise_linux:python3-pycdlib, p-cpe:/a:redhat:enterprise_linux:python3-oslo-messaging-tests, p-cpe:/a:redhat:enterprise_linux:networkmanager, p-cpe:/a:redhat:enterprise_linux:ansible-runner-http, p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-modules-extra, p-cpe:/a:redhat:enterprise_linux:python3-amqp, p-cpe:/a:redhat:enterprise_linux:networkmanager-config-server, p-cpe:/a:redhat:enterprise_linux:kernel-rt-selftests-internal, p-cpe:/a:redhat:enterprise_linux:networkmanager-dispatcher-routing-rules, p-cpe:/a:redhat:enterprise_linux:conmon-rs, p-cpe:/a:redhat:enterprise_linux:python3-kubernetes-tests, p-cpe:/a:redhat:enterprise_linux:python3-pyperclip, p-cpe:/a:redhat:enterprise_linux:network-scripts-openvswitch2.17, p-cpe:/a:redhat:enterprise_linux:libslirp, p-cpe:/a:redhat:enterprise_linux:python3-oslo-policy-tests, p-cpe:/a:redhat:enterprise_linux:python3-requests-unixsocket, p-cpe:/a:redhat:enterprise_linux:criu, p-cpe:/a:redhat:enterprise_linux:grpc-devel, p-cpe:/a:redhat:enterprise_linux:python3-gunicorn, p-cpe:/a:redhat:enterprise_linux:python3-dogpile-cache, p-cpe:/a:redhat:enterprise_linux:haproxy22, p-cpe:/a:redhat:enterprise_linux:python3-cmd2, p-cpe:/a:redhat:enterprise_linux:networkmanager-wifi, p-cpe:/a:redhat:enterprise_linux:openshift-hyperkube, p-cpe:/a:redhat:enterprise_linux:coreos-installer-bootinfra, p-cpe:/a:redhat:enterprise_linux:networkmanager-libnm-devel, p-cpe:/a:redhat:enterprise_linux:atomic-openshift-service-idler, p-cpe:/a:redhat:enterprise_linux:crun, p-cpe:/a:redhat:enterprise_linux:console-login-helper-messages-issuegen, p-cpe:/a:redhat:enterprise_linux:nmstate, p-cpe:/a:redhat:enterprise_linux:rpm-ostree, p-cpe:/a:redhat:enterprise_linux:python3-ansible-runner, p-cpe:/a:redhat:enterprise_linux:grpc-cli, p-cpe:/a:redhat:enterprise_linux:python-flask-doc, p-cpe:/a:redhat:enterprise_linux:buildah-tests, p-cpe:/a:redhat:enterprise_linux:ostree-grub2, p-cpe:/a:redhat:enterprise_linux:buildah, p-cpe:/a:redhat:enterprise_linux:ovn22.09-host, p-cpe:/a:redhat:enterprise_linux:python3-oslo-metrics-tests, p-cpe:/a:redhat:enterprise_linux:podman-remote, p-cpe:/a:redhat:enterprise_linux:podman, p-cpe:/a:redhat:enterprise_linux:ignition-validate, p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-devel, p-cpe:/a:redhat:enterprise_linux:kernel-rt-kvm, p-cpe:/a:redhat:enterprise_linux:python2-funcsigs, p-cpe:/a:redhat:enterprise_linux:python3-rsa, p-cpe:/a:redhat:enterprise_linux:networkmanager-config-connectivity-redhat, p-cpe:/a:redhat:enterprise_linux:python-oslo-policy-lang, p-cpe:/a:redhat:enterprise_linux:networkmanager-adsl, p-cpe:/a:redhat:enterprise_linux:skopeo-tests, p-cpe:/a:redhat:enterprise_linux:ignition, p-cpe:/a:redhat:enterprise_linux:kernel-rt-devel, p-cpe:/a:redhat:enterprise_linux:python3-tenacity, p-cpe:/a:redhat:enterprise_linux:nmstate-plugin-ovsdb, p-cpe:/a:redhat:enterprise_linux:cri-tools, p-cpe:/a:redhat:enterprise_linux:kata-containers, p-cpe:/a:redhat:enterprise_linux:python3-werkzeug, p-cpe:/a:redhat:enterprise_linux:python3-oslo-metrics, p-cpe:/a:redhat:enterprise_linux:nmstate-devel, p-cpe:/a:redhat:enterprise_linux:butane-redistributable, p-cpe:/a:redhat:enterprise_linux:openshift-kuryr-controller, p-cpe:/a:redhat:enterprise_linux:python3-kombu, p-cpe:/a:redhat:enterprise_linux:afterburn, p-cpe:/a:redhat:enterprise_linux:openvswitch2.17-ipsec, p-cpe:/a:redhat:enterprise_linux:python3-oslo-db, p-cpe:/a:redhat:enterprise_linux:networkmanager-cloud-setup, p-cpe:/a:redhat:enterprise_linux:kernel-rt-modules-extra, p-cpe:/a:redhat:enterprise_linux:ovn22.09-vtep, p-cpe:/a:redhat:enterprise_linux:fuse-overlayfs, p-cpe:/a:redhat:enterprise_linux:python3-oslo-serialization, p-cpe:/a:redhat:enterprise_linux:python3-pyghmi, p-cpe:/a:redhat:enterprise_linux:ostree-devel, p-cpe:/a:redhat:enterprise_linux:kernel-rt-modules, p-cpe:/a:redhat:enterprise_linux:rpm-ostree-libs, p-cpe:/a:redhat:enterprise_linux:networkmanager-libnm, p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-modules-internal, p-cpe:/a:redhat:enterprise_linux:crit, p-cpe:/a:redhat:enterprise_linux:openvswitch2.17, p-cpe:/a:redhat:enterprise_linux:openshift-ansible, p-cpe:/a:redhat:enterprise_linux:python3-construct, p-cpe:/a:redhat:enterprise_linux:libslirp-devel, p-cpe:/a:redhat:enterprise_linux:python3-msgpack, p-cpe:/a:redhat:enterprise_linux:networkmanager-team, p-cpe:/a:redhat:enterprise_linux:python3-jsonschema, p-cpe:/a:redhat:enterprise_linux:criu-libs, p-cpe:/a:redhat:enterprise_linux:python3-oslo-serialization-tests, p-cpe:/a:redhat:enterprise_linux:crudini, p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-core, p-cpe:/a:redhat:enterprise_linux:networkmanager-bluetooth, p-cpe:/a:redhat:enterprise_linux:ovn22.06, p-cpe:/a:redhat:enterprise_linux:python3-oslo-policy, p-cpe:/a:redhat:enterprise_linux:python3-pyroute2, p-cpe:/a:redhat:enterprise_linux:skopeo, p-cpe:/a:redhat:enterprise_linux:openvswitch2.17-test, p-cpe:/a:redhat:enterprise_linux:networkmanager-ppp, p-cpe:/a:redhat:enterprise_linux:ansible-runner

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/17/2023

Vulnerability Publication Date: 7/13/2022

Reference Information

CVE: CVE-2021-4235, CVE-2022-1705, CVE-2022-27664, CVE-2022-2879, CVE-2022-2880, CVE-2022-2995, CVE-2022-2996, CVE-2022-30631, CVE-2022-3162, CVE-2022-3172, CVE-2022-32148, CVE-2022-32189, CVE-2022-32190, CVE-2022-3259, CVE-2022-3466, CVE-2022-41715

CWE: 1325, 200, 22, 276, 284, 295, 400, 444, 665, 770, 918

RHSA: 2022:7398