RHSA-2024:4125
Vulnerability from csaf_redhat - Published: 2024-06-26 13:56 - Updated: 2025-12-03 21:48Summary
Red Hat Security Advisory: Red Hat Service Interconnect 1.4.5 Release security update
Notes
Topic
This is release 1.4 of the rpms for Red Hat Service Interconnect. Red Hat Service Interconnect 1.4 introduces a service network, linking TCP and HTTP services across the hybrid cloud.
A service network enables communication between services running in different network locations or sites. It allows geographically distributed services to connect as if they were all running in the same site.
Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.
Details
As a Kubernetes user, I cannot connect easily connect services from one cluster with services on another cluster. Red Hat Application Interconnect enables me to create a service network and it allows geographically distributed services to connect as if they were all running in the same site.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "This is release 1.4 of the rpms for Red Hat Service Interconnect. Red Hat Service Interconnect 1.4 introduces a service network, linking TCP and HTTP services across the hybrid cloud.\nA service network enables communication between services running in different network locations or sites. It allows geographically distributed services to connect as if they were all running in the same site.\nRed Hat Product Security has rated this update as having a security impact of\nImportant. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE\nlink(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "As a Kubernetes user, I cannot connect easily connect services from one cluster with services on another cluster. Red Hat Application Interconnect enables me to create a service network and it allows geographically distributed services to connect as if they were all running in the same site.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2024:4125",
"url": "https://access.redhat.com/errata/RHSA-2024:4125"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/red_hat_service_interconnect/1.4",
"url": "https://docs.redhat.com/en/documentation/red_hat_service_interconnect/1.4"
},
{
"category": "external",
"summary": "2268019",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2268019"
},
{
"category": "external",
"summary": "2268273",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2268273"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_4125.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Service Interconnect 1.4.5 Release security update",
"tracking": {
"current_release_date": "2025-12-03T21:48:51+00:00",
"generator": {
"date": "2025-12-03T21:48:51+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.13"
}
},
"id": "RHSA-2024:4125",
"initial_release_date": "2024-06-26T13:56:19+00:00",
"revision_history": [
{
"date": "2024-06-26T13:56:19+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2024-06-26T13:56:19+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-12-03T21:48:51+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Service Interconnect 1.4",
"product": {
"name": "Red Hat Service Interconnect 1.4",
"product_id": "8Base-Service-Interconnect-1.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:service_interconnect:1.4::el8"
}
}
},
{
"category": "product_name",
"name": "9Base-Service-Interconnect-1.4",
"product": {
"name": "9Base-Service-Interconnect-1.4",
"product_id": "9Base-Service-Interconnect-1.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:service_interconnect:1.4::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat Service Interconnect"
},
{
"branches": [
{
"category": "product_version",
"name": "skupper-cli-0:1.4.5-1.el8.src",
"product": {
"name": "skupper-cli-0:1.4.5-1.el8.src",
"product_id": "skupper-cli-0:1.4.5-1.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/skupper-cli@1.4.5-1.el8?arch=src"
}
}
},
{
"category": "product_version",
"name": "skupper-cli-0:1.4.5-1.el9.src",
"product": {
"name": "skupper-cli-0:1.4.5-1.el9.src",
"product_id": "skupper-cli-0:1.4.5-1.el9.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/skupper-cli@1.4.5-1.el9?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "skupper-cli-0:1.4.5-1.el8.x86_64",
"product": {
"name": "skupper-cli-0:1.4.5-1.el8.x86_64",
"product_id": "skupper-cli-0:1.4.5-1.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/skupper-cli@1.4.5-1.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "skupper-cli-0:1.4.5-1.el9.x86_64",
"product": {
"name": "skupper-cli-0:1.4.5-1.el9.x86_64",
"product_id": "skupper-cli-0:1.4.5-1.el9.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/skupper-cli@1.4.5-1.el9?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "skupper-cli-0:1.4.5-1.el8.src as a component of Red Hat Service Interconnect 1.4",
"product_id": "8Base-Service-Interconnect-1.4:skupper-cli-0:1.4.5-1.el8.src"
},
"product_reference": "skupper-cli-0:1.4.5-1.el8.src",
"relates_to_product_reference": "8Base-Service-Interconnect-1.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "skupper-cli-0:1.4.5-1.el8.x86_64 as a component of Red Hat Service Interconnect 1.4",
"product_id": "8Base-Service-Interconnect-1.4:skupper-cli-0:1.4.5-1.el8.x86_64"
},
"product_reference": "skupper-cli-0:1.4.5-1.el8.x86_64",
"relates_to_product_reference": "8Base-Service-Interconnect-1.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "skupper-cli-0:1.4.5-1.el9.src as a component of 9Base-Service-Interconnect-1.4",
"product_id": "9Base-Service-Interconnect-1.4:skupper-cli-0:1.4.5-1.el9.src"
},
"product_reference": "skupper-cli-0:1.4.5-1.el9.src",
"relates_to_product_reference": "9Base-Service-Interconnect-1.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "skupper-cli-0:1.4.5-1.el9.x86_64 as a component of 9Base-Service-Interconnect-1.4",
"product_id": "9Base-Service-Interconnect-1.4:skupper-cli-0:1.4.5-1.el9.x86_64"
},
"product_reference": "skupper-cli-0:1.4.5-1.el9.x86_64",
"relates_to_product_reference": "9Base-Service-Interconnect-1.4"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Bartek Nowotarski"
],
"organization": "nowotarski.info"
}
],
"cve": "CVE-2023-45288",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2024-03-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2268273"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was discovered with the implementation of the HTTP/2 protocol in the Go programming language. There were insufficient limitations on the amount of CONTINUATION frames sent within a single stream. An attacker could potentially exploit this to cause a Denial of Service (DoS) attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat rates the security impact of this vulnerability as Important due to the worst case scenario resulting in a denial of service. It is simple to exploit, could significantly impact availability, and there is not a suitable mitigation for all use cases. Once an attack has ended, the system should return to normal operations on its own.\n\nThis vulnerability only impacts servers which have HTTP/2 enabled. It stems from an imperfect definition of the protocol. As the Go programming language is widely utilized across nearly every major Red Hat offering, a full listing of impacted packages will not be provided. Therefore, the \u201cAffected Packages and Issued Red Hat Security Errata\u201d section contains a simplified list of what offerings need to remediate this vulnerability. Every impacted offering has at least one representative component listed, but potentially not all of them. Rest assured that Red Hat is committed to remediating this vulnerability across our entire portfolio.\n\nMany components are rated as Low impact due to configurations which reduce the attack surface or significantly increase the difficulty of exploitation. A summary of these scenarios are:\n* The container includes a package that provides a vulnerable webserver, but it is not used or running during operation\n* HTTP/2 is disabled by default and is not supported\n* Only a client implementation is provided, which is not vulnerable\n* A vulnerable module (either golang.org/net/http or golang.org/x/net/http2) is included, but disabled\n* Access to a vulnerable server is restricted within the container (loopback only connections)\n* Golang is available in the container but is not used\n\n\nWithin the Red Hat OpenShift Container Platform, the majority of vulnerable components are not externally accessible. This means an attacker must already have access to a container within your environment to exploit this vulnerability. However, the ose-hyperkube (openshift-enterprise-hyperkube) container is externally accessible, so there are less barriers to exploitation. Fixes for this specific container are already available.\n\nWithin Red Hat Ansible Automation Platform, the impacted component is Receptor. The impact has been reduced to Low as the vulnerable code is present, but not utilized. There are three potential exposures within this component:\n* Receptor utilizes QUIC a UDP based protocol which does not run over HTTP/2\n* Receptor utilizes the x/net/ipv4 and ipv6 packages, both of which are not affected",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-Service-Interconnect-1.4:skupper-cli-0:1.4.5-1.el8.src",
"8Base-Service-Interconnect-1.4:skupper-cli-0:1.4.5-1.el8.x86_64",
"9Base-Service-Interconnect-1.4:skupper-cli-0:1.4.5-1.el9.src",
"9Base-Service-Interconnect-1.4:skupper-cli-0:1.4.5-1.el9.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-45288"
},
{
"category": "external",
"summary": "RHBZ#2268273",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2268273"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-45288",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45288"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-45288",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45288"
},
{
"category": "external",
"summary": "https://nowotarski.info/http2-continuation-flood/",
"url": "https://nowotarski.info/http2-continuation-flood/"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2024-2687",
"url": "https://pkg.go.dev/vuln/GO-2024-2687"
},
{
"category": "external",
"summary": "https://www.kb.cert.org/vuls/id/421644",
"url": "https://www.kb.cert.org/vuls/id/421644"
}
],
"release_date": "2024-04-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-06-26T13:56:19+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-Service-Interconnect-1.4:skupper-cli-0:1.4.5-1.el8.src",
"8Base-Service-Interconnect-1.4:skupper-cli-0:1.4.5-1.el8.x86_64",
"9Base-Service-Interconnect-1.4:skupper-cli-0:1.4.5-1.el9.src",
"9Base-Service-Interconnect-1.4:skupper-cli-0:1.4.5-1.el9.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:4125"
},
{
"category": "workaround",
"details": "In some environments where http/2 support is not required, it may be possible to disable this feature to reduce risk.",
"product_ids": [
"8Base-Service-Interconnect-1.4:skupper-cli-0:1.4.5-1.el8.src",
"8Base-Service-Interconnect-1.4:skupper-cli-0:1.4.5-1.el8.x86_64",
"9Base-Service-Interconnect-1.4:skupper-cli-0:1.4.5-1.el9.src",
"9Base-Service-Interconnect-1.4:skupper-cli-0:1.4.5-1.el9.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-Service-Interconnect-1.4:skupper-cli-0:1.4.5-1.el8.src",
"8Base-Service-Interconnect-1.4:skupper-cli-0:1.4.5-1.el8.x86_64",
"9Base-Service-Interconnect-1.4:skupper-cli-0:1.4.5-1.el9.src",
"9Base-Service-Interconnect-1.4:skupper-cli-0:1.4.5-1.el9.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS"
},
{
"cve": "CVE-2024-24783",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2024-03-05T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2268019"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Go\u0027s crypto/x509 standard library package. Verifying a certificate chain that contains a certificate with an unknown public key algorithm will cause a Certificate.Verify to panic. This issue affects all crypto/tls clients and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: crypto/x509: Verify panics on certificates with an unknown public key algorithm",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-20: Improper Input Validation leading to a CWE-400: Uncontrolled Resource Consumption vulnerability, and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nThe platform enforces least functionality, enabling only essential features, services, and ports to minimize the attack surface for improper input handling. Secure development practices, such as static code analysis, peer reviews, and strict input validation, detect and remediate unsafe patterns early in the lifecycle, reducing the risk of malformed input causing instability or resource exhaustion. Process isolation confines untrusted workloads to restricted domains, preventing a single process from monopolizing shared resources. Malicious code protections, including IDS/IPS and antimalware tools, detect and mitigate input-driven resource consumption and denial-of-service attempts in real time. Centralized logging and continuous monitoring provide visibility into abnormal resource behavior, enabling rapid detection and response. Additionally, web application firewalls and load-balancing controls further limit the impact of uncontrolled input or resource use, maintaining platform stability and performance.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-Service-Interconnect-1.4:skupper-cli-0:1.4.5-1.el8.src",
"8Base-Service-Interconnect-1.4:skupper-cli-0:1.4.5-1.el8.x86_64",
"9Base-Service-Interconnect-1.4:skupper-cli-0:1.4.5-1.el9.src",
"9Base-Service-Interconnect-1.4:skupper-cli-0:1.4.5-1.el9.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-24783"
},
{
"category": "external",
"summary": "RHBZ#2268019",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2268019"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-24783",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-24783"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-24783",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24783"
},
{
"category": "external",
"summary": "http://www.openwall.com/lists/oss-security/2024/03/08/4",
"url": "http://www.openwall.com/lists/oss-security/2024/03/08/4"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-3q2c-pvp5-3cqp",
"url": "https://github.com/advisories/GHSA-3q2c-pvp5-3cqp"
},
{
"category": "external",
"summary": "https://go.dev/cl/569339",
"url": "https://go.dev/cl/569339"
},
{
"category": "external",
"summary": "https://go.dev/issue/65390",
"url": "https://go.dev/issue/65390"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg",
"url": "https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2024-2598",
"url": "https://pkg.go.dev/vuln/GO-2024-2598"
},
{
"category": "external",
"summary": "https://security.netapp.com/advisory/ntap-20240329-0005",
"url": "https://security.netapp.com/advisory/ntap-20240329-0005"
}
],
"release_date": "2024-03-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-06-26T13:56:19+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-Service-Interconnect-1.4:skupper-cli-0:1.4.5-1.el8.src",
"8Base-Service-Interconnect-1.4:skupper-cli-0:1.4.5-1.el8.x86_64",
"9Base-Service-Interconnect-1.4:skupper-cli-0:1.4.5-1.el9.src",
"9Base-Service-Interconnect-1.4:skupper-cli-0:1.4.5-1.el9.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:4125"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"8Base-Service-Interconnect-1.4:skupper-cli-0:1.4.5-1.el8.src",
"8Base-Service-Interconnect-1.4:skupper-cli-0:1.4.5-1.el8.x86_64",
"9Base-Service-Interconnect-1.4:skupper-cli-0:1.4.5-1.el9.src",
"9Base-Service-Interconnect-1.4:skupper-cli-0:1.4.5-1.el9.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-Service-Interconnect-1.4:skupper-cli-0:1.4.5-1.el8.src",
"8Base-Service-Interconnect-1.4:skupper-cli-0:1.4.5-1.el8.x86_64",
"9Base-Service-Interconnect-1.4:skupper-cli-0:1.4.5-1.el9.src",
"9Base-Service-Interconnect-1.4:skupper-cli-0:1.4.5-1.el9.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: crypto/x509: Verify panics on certificates with an unknown public key algorithm"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…