cvelistv5 - cve-2023-4065

URL	Tags
secalert@redhat.com	https://access.redhat.com/errata/RHSA-2023:4720	Vendor Advisory
secalert@redhat.com	https://access.redhat.com/security/cve/CVE-2023-4065	Vendor Advisory
secalert@redhat.com	https://bugzilla.redhat.com/show_bug.cgi?id=2224630	Issue Tracking, Vendor Advisory

▼	Vendor	Product
	Red Hat	RHEL-8 based Middleware Containers
	Red Hat	RHEL-8 based Middleware Containers
	Red Hat	Red Hat AMQ Broker 7

ghsa-hhw6-q999-wqqq

Vulnerability from github

Published

2023-09-27 15:30

Modified

2024-04-04 07:55

Severity ?

5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

A flaw was found in Red Hat AMQ Broker Operator, where it displayed a password defined in ActiveMQArtemisAddress CR, shown in plain text in the Operator Log. This flaw allows an authenticated local attacker to access information outside of their permissions.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2023-4065"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-117",
      "CWE-276"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-27T15:19:39Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in Red Hat AMQ Broker Operator, where it displayed a password defined in ActiveMQArtemisAddress CR, shown in plain text in the Operator Log. This flaw allows an authenticated local attacker to access information outside of their permissions.",
  "id": "GHSA-hhw6-q999-wqqq",
  "modified": "2024-04-04T07:55:38Z",
  "published": "2023-09-27T15:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4065"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2023:4720"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2023-4065"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2224630"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

rhsa-2023_4720

Vulnerability from csaf_redhat

Published

2023-08-23 15:08

Modified

2024-11-06 03:34

Summary

Red Hat Security Advisory: AMQ Broker 7.11.1.OPR.2.GA Container Images Release

Notes

Topic

This is the multiarch release of the AMQ Broker 7.11.1 aligned Operator and associated container images on Red Hat Enterprise Linux 8 for the OpenShift Container Platform. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details

Red Hat Middleware for OpenShift provides images for many of the Red Hat Middleware products for use within the OpenShift Container Platform cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments. This release of the AMQ Broker 7.11.1 aligned Operator includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section. Security Fix(es): * amq-broker-operator-container: Red Hat AMQ Broker Operator: plaintext password in operator log (CVE-2023-4065) * activemq-broker-operator: Red Hat AMQ Broker Operator: Passwords defined in secrets shown in StatefulSet yaml (CVE-2023-4066) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. For information on supported configurations, see Red Hat AMQ Broker 7 Supported Configurations at https://access.redhat.com/articles/2791941

Terms of Use

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "This is the multiarch release of the AMQ Broker 7.11.1 aligned Operator and associated container images on Red Hat Enterprise Linux 8 for the OpenShift Container Platform.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat Middleware for OpenShift provides images for many of the Red Hat Middleware products for use within the OpenShift Container Platform cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments.\n\nThis release of the AMQ Broker 7.11.1 aligned Operator includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.\n\nSecurity Fix(es):\n\n* amq-broker-operator-container: Red Hat AMQ Broker Operator: plaintext password in operator log (CVE-2023-4065)\n\n* activemq-broker-operator: Red Hat AMQ Broker Operator: Passwords defined in secrets shown in StatefulSet yaml (CVE-2023-4066)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nFor information on supported configurations, see Red Hat AMQ Broker 7 Supported Configurations at https://access.redhat.com/articles/2791941",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2023:4720",
        "url": "https://access.redhat.com/errata/RHSA-2023:4720"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/documentation/en-us/red_hat_amq_broker/",
        "url": "https://access.redhat.com/documentation/en-us/red_hat_amq_broker/"
      },
      {
        "category": "external",
        "summary": "2224630",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2224630"
      },
      {
        "category": "external",
        "summary": "2224677",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2224677"
      },
      {
        "category": "external",
        "summary": "ENTMQBR-7804",
        "url": "https://issues.redhat.com/browse/ENTMQBR-7804"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_4720.json"
      }
    ],
    "title": "Red Hat Security Advisory: AMQ Broker 7.11.1.OPR.2.GA Container Images Release",
    "tracking": {
      "current_release_date": "2024-11-06T03:34:01+00:00",
      "generator": {
        "date": "2024-11-06T03:34:01+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.1.1"
        }
      },
      "id": "RHSA-2023:4720",
      "initial_release_date": "2023-08-23T15:08:15+00:00",
      "revision_history": [
        {
          "date": "2023-08-23T15:08:15+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2023-08-23T15:08:15+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-06T03:34:01+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Middleware Containers for OpenShift",
                "product": {
                  "name": "Middleware Containers for OpenShift",
                  "product_id": "8Base-RHOSE-Middleware",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:rhosemc:1.0::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenShift Enterprise"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "amq7/amq-broker-rhel8-operator-bundle@sha256:2da4c3e7edd27833b01c2c89e815694fc5521b1fba56a56fab4c6421d550c091_amd64",
                "product": {
                  "name": "amq7/amq-broker-rhel8-operator-bundle@sha256:2da4c3e7edd27833b01c2c89e815694fc5521b1fba56a56fab4c6421d550c091_amd64",
                  "product_id": "amq7/amq-broker-rhel8-operator-bundle@sha256:2da4c3e7edd27833b01c2c89e815694fc5521b1fba56a56fab4c6421d550c091_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/amq-broker-rhel8-operator-bundle@sha256:2da4c3e7edd27833b01c2c89e815694fc5521b1fba56a56fab4c6421d550c091?arch=amd64\u0026repository_url=registry.redhat.io/amq7/amq-broker-rhel8-operator-bundle\u0026tag=7.11.1-12"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "amq7/amq-broker-rhel8-operator@sha256:9c737dd9ea0e03d26997391b7ea08c51923fdbb3bd0852f00e58d96c78c27297_amd64",
                "product": {
                  "name": "amq7/amq-broker-rhel8-operator@sha256:9c737dd9ea0e03d26997391b7ea08c51923fdbb3bd0852f00e58d96c78c27297_amd64",
                  "product_id": "amq7/amq-broker-rhel8-operator@sha256:9c737dd9ea0e03d26997391b7ea08c51923fdbb3bd0852f00e58d96c78c27297_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/amq-broker-rhel8-operator@sha256:9c737dd9ea0e03d26997391b7ea08c51923fdbb3bd0852f00e58d96c78c27297?arch=amd64\u0026repository_url=registry.redhat.io/amq7/amq-broker-rhel8-operator\u0026tag=7.11.1-9"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "amq7/amq-broker-rhel8-operator@sha256:f3a205691b5d9f5623a52c756825c14bc37cb1c9e8997c915293d00ff18572a6_s390x",
                "product": {
                  "name": "amq7/amq-broker-rhel8-operator@sha256:f3a205691b5d9f5623a52c756825c14bc37cb1c9e8997c915293d00ff18572a6_s390x",
                  "product_id": "amq7/amq-broker-rhel8-operator@sha256:f3a205691b5d9f5623a52c756825c14bc37cb1c9e8997c915293d00ff18572a6_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/amq-broker-rhel8-operator@sha256:f3a205691b5d9f5623a52c756825c14bc37cb1c9e8997c915293d00ff18572a6?arch=s390x\u0026repository_url=registry.redhat.io/amq7/amq-broker-rhel8-operator\u0026tag=7.11.1-9"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "amq7/amq-broker-rhel8-operator@sha256:200dabaa7d3d7ef22353e5f70e8d7b12fe36c8e7a6c39bfa518c6187d76a9f3f_ppc64le",
                "product": {
                  "name": "amq7/amq-broker-rhel8-operator@sha256:200dabaa7d3d7ef22353e5f70e8d7b12fe36c8e7a6c39bfa518c6187d76a9f3f_ppc64le",
                  "product_id": "amq7/amq-broker-rhel8-operator@sha256:200dabaa7d3d7ef22353e5f70e8d7b12fe36c8e7a6c39bfa518c6187d76a9f3f_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/amq-broker-rhel8-operator@sha256:200dabaa7d3d7ef22353e5f70e8d7b12fe36c8e7a6c39bfa518c6187d76a9f3f?arch=ppc64le\u0026repository_url=registry.redhat.io/amq7/amq-broker-rhel8-operator\u0026tag=7.11.1-9"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "amq7/amq-broker-rhel8-operator-bundle@sha256:2da4c3e7edd27833b01c2c89e815694fc5521b1fba56a56fab4c6421d550c091_amd64 as a component of Middleware Containers for OpenShift",
          "product_id": "8Base-RHOSE-Middleware:amq7/amq-broker-rhel8-operator-bundle@sha256:2da4c3e7edd27833b01c2c89e815694fc5521b1fba56a56fab4c6421d550c091_amd64"
        },
        "product_reference": "amq7/amq-broker-rhel8-operator-bundle@sha256:2da4c3e7edd27833b01c2c89e815694fc5521b1fba56a56fab4c6421d550c091_amd64",
        "relates_to_product_reference": "8Base-RHOSE-Middleware"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "amq7/amq-broker-rhel8-operator@sha256:200dabaa7d3d7ef22353e5f70e8d7b12fe36c8e7a6c39bfa518c6187d76a9f3f_ppc64le as a component of Middleware Containers for OpenShift",
          "product_id": "8Base-RHOSE-Middleware:amq7/amq-broker-rhel8-operator@sha256:200dabaa7d3d7ef22353e5f70e8d7b12fe36c8e7a6c39bfa518c6187d76a9f3f_ppc64le"
        },
        "product_reference": "amq7/amq-broker-rhel8-operator@sha256:200dabaa7d3d7ef22353e5f70e8d7b12fe36c8e7a6c39bfa518c6187d76a9f3f_ppc64le",
        "relates_to_product_reference": "8Base-RHOSE-Middleware"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "amq7/amq-broker-rhel8-operator@sha256:9c737dd9ea0e03d26997391b7ea08c51923fdbb3bd0852f00e58d96c78c27297_amd64 as a component of Middleware Containers for OpenShift",
          "product_id": "8Base-RHOSE-Middleware:amq7/amq-broker-rhel8-operator@sha256:9c737dd9ea0e03d26997391b7ea08c51923fdbb3bd0852f00e58d96c78c27297_amd64"
        },
        "product_reference": "amq7/amq-broker-rhel8-operator@sha256:9c737dd9ea0e03d26997391b7ea08c51923fdbb3bd0852f00e58d96c78c27297_amd64",
        "relates_to_product_reference": "8Base-RHOSE-Middleware"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "amq7/amq-broker-rhel8-operator@sha256:f3a205691b5d9f5623a52c756825c14bc37cb1c9e8997c915293d00ff18572a6_s390x as a component of Middleware Containers for OpenShift",
          "product_id": "8Base-RHOSE-Middleware:amq7/amq-broker-rhel8-operator@sha256:f3a205691b5d9f5623a52c756825c14bc37cb1c9e8997c915293d00ff18572a6_s390x"
        },
        "product_reference": "amq7/amq-broker-rhel8-operator@sha256:f3a205691b5d9f5623a52c756825c14bc37cb1c9e8997c915293d00ff18572a6_s390x",
        "relates_to_product_reference": "8Base-RHOSE-Middleware"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-4065",
      "cwe": {
        "id": "CWE-117",
        "name": "Improper Output Neutralization for Logs"
      },
      "discovery_date": "2023-07-07T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2224630"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Red Hat AMQ Broker Operator, where it displayed a password defined in ActiveMQArtemisAddress CR, shown in plain text in the Operator Log. This flaw allows an authenticated local attacker to access information outside of their permissions.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Operator: plaintext password in operator log",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-RHOSE-Middleware:amq7/amq-broker-rhel8-operator-bundle@sha256:2da4c3e7edd27833b01c2c89e815694fc5521b1fba56a56fab4c6421d550c091_amd64",
          "8Base-RHOSE-Middleware:amq7/amq-broker-rhel8-operator@sha256:200dabaa7d3d7ef22353e5f70e8d7b12fe36c8e7a6c39bfa518c6187d76a9f3f_ppc64le",
          "8Base-RHOSE-Middleware:amq7/amq-broker-rhel8-operator@sha256:9c737dd9ea0e03d26997391b7ea08c51923fdbb3bd0852f00e58d96c78c27297_amd64",
          "8Base-RHOSE-Middleware:amq7/amq-broker-rhel8-operator@sha256:f3a205691b5d9f5623a52c756825c14bc37cb1c9e8997c915293d00ff18572a6_s390x"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-4065"
        },
        {
          "category": "external",
          "summary": "RHBZ#2224630",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2224630"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-4065",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-4065"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-4065",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4065"
        }
      ],
      "release_date": "2023-08-23T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-08-23T15:08:15+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-RHOSE-Middleware:amq7/amq-broker-rhel8-operator-bundle@sha256:2da4c3e7edd27833b01c2c89e815694fc5521b1fba56a56fab4c6421d550c091_amd64",
            "8Base-RHOSE-Middleware:amq7/amq-broker-rhel8-operator@sha256:200dabaa7d3d7ef22353e5f70e8d7b12fe36c8e7a6c39bfa518c6187d76a9f3f_ppc64le",
            "8Base-RHOSE-Middleware:amq7/amq-broker-rhel8-operator@sha256:9c737dd9ea0e03d26997391b7ea08c51923fdbb3bd0852f00e58d96c78c27297_amd64",
            "8Base-RHOSE-Middleware:amq7/amq-broker-rhel8-operator@sha256:f3a205691b5d9f5623a52c756825c14bc37cb1c9e8997c915293d00ff18572a6_s390x"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:4720"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "8Base-RHOSE-Middleware:amq7/amq-broker-rhel8-operator-bundle@sha256:2da4c3e7edd27833b01c2c89e815694fc5521b1fba56a56fab4c6421d550c091_amd64",
            "8Base-RHOSE-Middleware:amq7/amq-broker-rhel8-operator@sha256:200dabaa7d3d7ef22353e5f70e8d7b12fe36c8e7a6c39bfa518c6187d76a9f3f_ppc64le",
            "8Base-RHOSE-Middleware:amq7/amq-broker-rhel8-operator@sha256:9c737dd9ea0e03d26997391b7ea08c51923fdbb3bd0852f00e58d96c78c27297_amd64",
            "8Base-RHOSE-Middleware:amq7/amq-broker-rhel8-operator@sha256:f3a205691b5d9f5623a52c756825c14bc37cb1c9e8997c915293d00ff18572a6_s390x"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "Operator: plaintext password in operator log"
    },
    {
      "cve": "CVE-2023-4066",
      "cwe": {
        "id": "CWE-313",
        "name": "Cleartext Storage in a File or on Disk"
      },
      "discovery_date": "2023-07-21T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2224677"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Red Hat\u0027s AMQ Broker, which stores certain passwords in a secret security-properties-prop-module, defined in ActivemqArtemisSecurity CR; however, they are shown in plaintext in the StatefulSet details yaml of AMQ Broker.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Operator: Passwords defined in secrets shown in StatefulSet yaml",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-RHOSE-Middleware:amq7/amq-broker-rhel8-operator-bundle@sha256:2da4c3e7edd27833b01c2c89e815694fc5521b1fba56a56fab4c6421d550c091_amd64",
          "8Base-RHOSE-Middleware:amq7/amq-broker-rhel8-operator@sha256:200dabaa7d3d7ef22353e5f70e8d7b12fe36c8e7a6c39bfa518c6187d76a9f3f_ppc64le",
          "8Base-RHOSE-Middleware:amq7/amq-broker-rhel8-operator@sha256:9c737dd9ea0e03d26997391b7ea08c51923fdbb3bd0852f00e58d96c78c27297_amd64",
          "8Base-RHOSE-Middleware:amq7/amq-broker-rhel8-operator@sha256:f3a205691b5d9f5623a52c756825c14bc37cb1c9e8997c915293d00ff18572a6_s390x"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-4066"
        },
        {
          "category": "external",
          "summary": "RHBZ#2224677",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2224677"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-4066",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-4066"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-4066",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4066"
        }
      ],
      "release_date": "2023-08-23T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-08-23T15:08:15+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-RHOSE-Middleware:amq7/amq-broker-rhel8-operator-bundle@sha256:2da4c3e7edd27833b01c2c89e815694fc5521b1fba56a56fab4c6421d550c091_amd64",
            "8Base-RHOSE-Middleware:amq7/amq-broker-rhel8-operator@sha256:200dabaa7d3d7ef22353e5f70e8d7b12fe36c8e7a6c39bfa518c6187d76a9f3f_ppc64le",
            "8Base-RHOSE-Middleware:amq7/amq-broker-rhel8-operator@sha256:9c737dd9ea0e03d26997391b7ea08c51923fdbb3bd0852f00e58d96c78c27297_amd64",
            "8Base-RHOSE-Middleware:amq7/amq-broker-rhel8-operator@sha256:f3a205691b5d9f5623a52c756825c14bc37cb1c9e8997c915293d00ff18572a6_s390x"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:4720"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "8Base-RHOSE-Middleware:amq7/amq-broker-rhel8-operator-bundle@sha256:2da4c3e7edd27833b01c2c89e815694fc5521b1fba56a56fab4c6421d550c091_amd64",
            "8Base-RHOSE-Middleware:amq7/amq-broker-rhel8-operator@sha256:200dabaa7d3d7ef22353e5f70e8d7b12fe36c8e7a6c39bfa518c6187d76a9f3f_ppc64le",
            "8Base-RHOSE-Middleware:amq7/amq-broker-rhel8-operator@sha256:9c737dd9ea0e03d26997391b7ea08c51923fdbb3bd0852f00e58d96c78c27297_amd64",
            "8Base-RHOSE-Middleware:amq7/amq-broker-rhel8-operator@sha256:f3a205691b5d9f5623a52c756825c14bc37cb1c9e8997c915293d00ff18572a6_s390x"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "Operator: Passwords defined in secrets shown in StatefulSet yaml"
    }
  ]
}

wid-sec-w-2023-2159

Vulnerability from csaf_certbund

Published

2023-08-23 22:00

Modified

2023-08-23 22:00

Summary

Red Hat OpenShift AMQ Broker: Mehrere Schwachstellen ermöglichen Offenlegung von Informationen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Red Hat OpenShift ist eine "Platform as a Service" (PaaS) Lösung zur Bereitstellung von Applikationen in der Cloud.

Angriff

Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Red Hat OpenShift AMQ Broker ausnutzen, um Informationen offenzulegen.

Betroffene Betriebssysteme

- Linux

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Red Hat OpenShift ist eine \"Platform as a Service\" (PaaS) L\u00f6sung zur Bereitstellung von Applikationen in der Cloud.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Red Hat OpenShift AMQ Broker ausnutzen, um Informationen offenzulegen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2023-2159 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-2159.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2023-2159 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-2159"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2023:4720 vom 2023-08-23",
        "url": "https://access.redhat.com/errata/RHSA-2023:4720"
      }
    ],
    "source_lang": "en-US",
    "title": "Red Hat OpenShift AMQ Broker: Mehrere Schwachstellen erm\u00f6glichen Offenlegung von Informationen",
    "tracking": {
      "current_release_date": "2023-08-23T22:00:00.000+00:00",
      "generator": {
        "date": "2024-02-15T17:41:44.479+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.0"
        }
      },
      "id": "WID-SEC-W-2023-2159",
      "initial_release_date": "2023-08-23T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2023-08-23T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Red Hat OpenShift AMQ Broker \u003c 7.11.1",
            "product": {
              "name": "Red Hat OpenShift AMQ Broker \u003c 7.11.1",
              "product_id": "T029504",
              "product_identification_helper": {
                "cpe": "cpe:/a:redhat:openshift:amq_broker_7.11.1"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-4066",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen in Red Hat OpenShift AMQ Broker in der Komponente \"Operator\". Passw\u00f6rter werden im Klartext in Protokollen und anderen Dateien gespeichert. Ein Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen."
        }
      ],
      "release_date": "2023-08-23T22:00:00Z",
      "title": "CVE-2023-4066"
    },
    {
      "cve": "CVE-2023-4065",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen in Red Hat OpenShift AMQ Broker in der Komponente \"Operator\". Passw\u00f6rter werden im Klartext in Protokollen und anderen Dateien gespeichert. Ein Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen."
        }
      ],
      "release_date": "2023-08-23T22:00:00Z",
      "title": "CVE-2023-4065"
    }
  ]
}

gsd-2023-4065

Vulnerability from gsd

Modified

2023-12-13 01:20

Details

A flaw was found in Red Hat AMQ Broker Operator, where it displayed a password defined in ActiveMQArtemisAddress CR, shown in plain text in the Operator Log. This flaw allows an authenticated local attacker to access information outside of their permissions.

Aliases

CVE-2023-4065

Aliases

CVE-2023-4065

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-4065",
    "id": "GSD-2023-4065"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-4065"
      ],
      "details": "A flaw was found in Red Hat AMQ Broker Operator, where it displayed a password defined in ActiveMQArtemisAddress CR, shown in plain text in the Operator Log. This flaw allows an authenticated local attacker to access information outside of their permissions.",
      "id": "GSD-2023-4065",
      "modified": "2023-12-13T01:20:27.213034Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secalert@redhat.com",
        "ID": "CVE-2023-4065",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "RHEL-8 based Middleware Containers",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "not down converted",
                          "x_cve_json_5_version_data": {
                            "defaultStatus": "affected",
                            "versions": [
                              {
                                "lessThan": "*",
                                "status": "unaffected",
                                "version": "7.11.1-9",
                                "versionType": "rpm"
                              }
                            ]
                          }
                        },
                        {
                          "version_value": "not down converted",
                          "x_cve_json_5_version_data": {
                            "defaultStatus": "affected",
                            "versions": [
                              {
                                "lessThan": "*",
                                "status": "unaffected",
                                "version": "7.11.1-12",
                                "versionType": "rpm"
                              }
                            ]
                          }
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "Red Hat JBoss A-MQ 7",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "not down converted",
                          "x_cve_json_5_version_data": {
                            "defaultStatus": "affected"
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Red Hat"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A flaw was found in Red Hat AMQ Broker Operator, where it displayed a password defined in ActiveMQArtemisAddress CR, shown in plain text in the Operator Log. This flaw allows an authenticated local attacker to access information outside of their permissions."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-117",
                "lang": "eng",
                "value": "Improper Output Neutralization for Logs"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://access.redhat.com/errata/RHSA-2023:4720",
            "refsource": "MISC",
            "url": "https://access.redhat.com/errata/RHSA-2023:4720"
          },
          {
            "name": "https://access.redhat.com/security/cve/CVE-2023-4065",
            "refsource": "MISC",
            "url": "https://access.redhat.com/security/cve/CVE-2023-4065"
          },
          {
            "name": "https://bugzilla.redhat.com/show_bug.cgi?id=2224630",
            "refsource": "MISC",
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2224630"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:redhat:jboss_middleware:1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:redhat:jboss_a-mq:7:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:a:redhat:openshift_container_platform:4.11:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:a:redhat:openshift_container_platform:4.12:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2023-4065"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "A flaw was found in Red Hat AMQ Broker Operator, where it displayed a password defined in ActiveMQArtemisAddress CR, shown in plain text in the Operator Log. This flaw allows an authenticated local attacker to access information outside of their permissions."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-276"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://access.redhat.com/security/cve/CVE-2023-4065",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2023-4065"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=2224630",
              "refsource": "MISC",
              "tags": [
                "Issue Tracking",
                "Vendor Advisory"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2224630"
            },
            {
              "name": "https://access.redhat.com/errata/RHSA-2023:4720",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2023:4720"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2023-10-02T16:47Z",
      "publishedDate": "2023-09-27T15:19Z"
    }
  }
}

Action not permitted

cve-2023-4065

Vulnerability from cvelistv5

ghsa-hhw6-q999-wqqq

Vulnerability from github

rhsa-2023_4720

Vulnerability from csaf_redhat

wid-sec-w-2023-2159

Vulnerability from csaf_certbund

gsd-2023-4065

Vulnerability from gsd

Tags