rhsa-2024_1812
Vulnerability from csaf_redhat
Published
2024-04-15 05:44
Modified
2024-11-14 00:27
Summary
Red Hat Security Advisory: Custom Metrics Autoscaler Operator for Red Hat OpenShift 2.12.1-376 Bug Fixes

Notes

Topic
Custom Metrics Autoscaler Operator for Red Hat OpenShift including security updates.

The following updates for the Custom Metric Autoscaler operator for Red Hat OpenShift are now available:

* custom-metrics-autoscaler-adapter-container
* custom-metrics-autoscaler-admission-webhooks-container
* custom-metrics-autoscaler-container
* custom-metrics-autoscaler-operator-bundle-container
* custom-metrics-autoscaler-operator-container

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
The Custom Metrics Autoscaler Operator for Red Hat OpenShift is an optional operator, based on the Kubernetes Event Driven Autoscaler (KEDA), which allows workloads to be scaled using additional metrics sources other than pod metrics. This release builds upon updated compiler, runtime library, and base images for the purpose of resolving any potential security issues present in previous toolset versions.

This version makes use of newer tools and libraries to address the following issues:
golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests (CVE-2023-39326)
jose-go: improper handling of highly compressed data (CVE-2024-28180)
opentelemetry-go-contrib: DoS vulnerability in otelgrpc due to unbound cardinality metrics (CVE-2023-47108)

In addition, the following bug has been fixed:
Custom metrics operator memory leak when invalid scaledObject is defined (prometheus scaler)

This release is based upon KEDA 2.12.1
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.



{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Custom Metrics Autoscaler Operator for Red Hat OpenShift including security\nupdates.\n\nThe following updates for the Custom Metric Autoscaler operator for Red Hat OpenShift are now available:\n\n* custom-metrics-autoscaler-adapter-container\n* custom-metrics-autoscaler-admission-webhooks-container\n* custom-metrics-autoscaler-container\n* custom-metrics-autoscaler-operator-bundle-container\n* custom-metrics-autoscaler-operator-container\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "The Custom Metrics Autoscaler Operator for Red Hat OpenShift is an optional operator, based on the Kubernetes Event Driven Autoscaler (KEDA), which allows workloads to be scaled using additional metrics sources other than pod metrics. This release builds upon updated compiler, runtime library, and base images for the purpose of resolving any potential security issues present in previous toolset versions.\n\nThis version makes use of newer tools and libraries to address the following issues:\ngolang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests (CVE-2023-39326)\njose-go: improper handling of highly compressed data (CVE-2024-28180)\nopentelemetry-go-contrib: DoS vulnerability in otelgrpc due to unbound cardinality metrics (CVE-2023-47108)\n\nIn addition, the following bug has been fixed:\nCustom metrics operator memory leak when invalid scaledObject is defined (prometheus scaler)\n\nThis release is based upon KEDA 2.12.1",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2024:1812",
        "url": "https://access.redhat.com/errata/RHSA-2024:1812"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2024-28180",
        "url": "https://access.redhat.com/security/cve/CVE-2024-28180"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2023-47108",
        "url": "https://access.redhat.com/security/cve/CVE-2023-47108"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2023-39326",
        "url": "https://access.redhat.com/security/cve/CVE-2023-39326"
      },
      {
        "category": "external",
        "summary": "2251198",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2251198"
      },
      {
        "category": "external",
        "summary": "2253330",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2253330"
      },
      {
        "category": "external",
        "summary": "2268854",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2268854"
      },
      {
        "category": "external",
        "summary": "OCPBUGS-25806",
        "url": "https://issues.redhat.com/browse/OCPBUGS-25806"
      },
      {
        "category": "external",
        "summary": "OCPBUGS-30145",
        "url": "https://issues.redhat.com/browse/OCPBUGS-30145"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_1812.json"
      }
    ],
    "title": "Red Hat Security Advisory: Custom Metrics Autoscaler Operator for Red Hat OpenShift 2.12.1-376 Bug Fixes",
    "tracking": {
      "current_release_date": "2024-11-14T00:27:53+00:00",
      "generator": {
        "date": "2024-11-14T00:27:53+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.0"
        }
      },
      "id": "RHSA-2024:1812",
      "initial_release_date": "2024-04-15T05:44:34+00:00",
      "revision_history": [
        {
          "date": "2024-04-15T05:44:34+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2024-04-15T05:44:34+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-14T00:27:53+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "OpenShift Custom Metrics Autoscaler 2",
                "product": {
                  "name": "OpenShift Custom Metrics Autoscaler 2",
                  "product_id": "8Base-OCMA-2",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openshift_custom_metrics_autoscaler:2.0::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "OpenShift Custom Metrics Autoscaler"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel8@sha256:4dd04c7c5b5fb1aeb50ac9cd52cce2b7be8eb69bddf460e98ee97849fddb1756_amd64",
                "product": {
                  "name": "custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel8@sha256:4dd04c7c5b5fb1aeb50ac9cd52cce2b7be8eb69bddf460e98ee97849fddb1756_amd64",
                  "product_id": "custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel8@sha256:4dd04c7c5b5fb1aeb50ac9cd52cce2b7be8eb69bddf460e98ee97849fddb1756_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/custom-metrics-autoscaler-adapter-rhel8@sha256:4dd04c7c5b5fb1aeb50ac9cd52cce2b7be8eb69bddf460e98ee97849fddb1756?arch=amd64\u0026repository_url=registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel8\u0026tag=2.12.1-376"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel8@sha256:902b54fc0dad9ceefa86752585e37788c47ae08423109b8c572966a56e29de18_amd64",
                "product": {
                  "name": "custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel8@sha256:902b54fc0dad9ceefa86752585e37788c47ae08423109b8c572966a56e29de18_amd64",
                  "product_id": "custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel8@sha256:902b54fc0dad9ceefa86752585e37788c47ae08423109b8c572966a56e29de18_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/custom-metrics-autoscaler-admission-webhooks-rhel8@sha256:902b54fc0dad9ceefa86752585e37788c47ae08423109b8c572966a56e29de18?arch=amd64\u0026repository_url=registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel8\u0026tag=2.12.1-376"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8@sha256:af913191f4a7273f29545f64012cea08e2c35296d4e3e3b10c8358feb4c425bd_amd64",
                "product": {
                  "name": "custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8@sha256:af913191f4a7273f29545f64012cea08e2c35296d4e3e3b10c8358feb4c425bd_amd64",
                  "product_id": "custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8@sha256:af913191f4a7273f29545f64012cea08e2c35296d4e3e3b10c8358feb4c425bd_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/custom-metrics-autoscaler-rhel8@sha256:af913191f4a7273f29545f64012cea08e2c35296d4e3e3b10c8358feb4c425bd?arch=amd64\u0026repository_url=registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8\u0026tag=2.12.1-376"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:0352167d7c1b00293d9e855c37339f52b3f445a3b388ba0e95e813c5e3a40ddc_amd64",
                "product": {
                  "name": "custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:0352167d7c1b00293d9e855c37339f52b3f445a3b388ba0e95e813c5e3a40ddc_amd64",
                  "product_id": "custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:0352167d7c1b00293d9e855c37339f52b3f445a3b388ba0e95e813c5e3a40ddc_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/custom-metrics-autoscaler-operator-bundle@sha256:0352167d7c1b00293d9e855c37339f52b3f445a3b388ba0e95e813c5e3a40ddc?arch=amd64\u0026repository_url=registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle\u0026tag=2.12.1-376"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8-operator@sha256:4c2b8009baf3e0424a3504f9bc49fc9342608fcd350afb2fbff2c9568e5f68da_amd64",
                "product": {
                  "name": "custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8-operator@sha256:4c2b8009baf3e0424a3504f9bc49fc9342608fcd350afb2fbff2c9568e5f68da_amd64",
                  "product_id": "custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8-operator@sha256:4c2b8009baf3e0424a3504f9bc49fc9342608fcd350afb2fbff2c9568e5f68da_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/custom-metrics-autoscaler-rhel8-operator@sha256:4c2b8009baf3e0424a3504f9bc49fc9342608fcd350afb2fbff2c9568e5f68da?arch=amd64\u0026repository_url=registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8-operator\u0026tag=2.12.1-376"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel8@sha256:4dd04c7c5b5fb1aeb50ac9cd52cce2b7be8eb69bddf460e98ee97849fddb1756_amd64 as a component of OpenShift Custom Metrics Autoscaler 2",
          "product_id": "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel8@sha256:4dd04c7c5b5fb1aeb50ac9cd52cce2b7be8eb69bddf460e98ee97849fddb1756_amd64"
        },
        "product_reference": "custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel8@sha256:4dd04c7c5b5fb1aeb50ac9cd52cce2b7be8eb69bddf460e98ee97849fddb1756_amd64",
        "relates_to_product_reference": "8Base-OCMA-2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel8@sha256:902b54fc0dad9ceefa86752585e37788c47ae08423109b8c572966a56e29de18_amd64 as a component of OpenShift Custom Metrics Autoscaler 2",
          "product_id": "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel8@sha256:902b54fc0dad9ceefa86752585e37788c47ae08423109b8c572966a56e29de18_amd64"
        },
        "product_reference": "custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel8@sha256:902b54fc0dad9ceefa86752585e37788c47ae08423109b8c572966a56e29de18_amd64",
        "relates_to_product_reference": "8Base-OCMA-2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:0352167d7c1b00293d9e855c37339f52b3f445a3b388ba0e95e813c5e3a40ddc_amd64 as a component of OpenShift Custom Metrics Autoscaler 2",
          "product_id": "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:0352167d7c1b00293d9e855c37339f52b3f445a3b388ba0e95e813c5e3a40ddc_amd64"
        },
        "product_reference": "custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:0352167d7c1b00293d9e855c37339f52b3f445a3b388ba0e95e813c5e3a40ddc_amd64",
        "relates_to_product_reference": "8Base-OCMA-2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8-operator@sha256:4c2b8009baf3e0424a3504f9bc49fc9342608fcd350afb2fbff2c9568e5f68da_amd64 as a component of OpenShift Custom Metrics Autoscaler 2",
          "product_id": "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8-operator@sha256:4c2b8009baf3e0424a3504f9bc49fc9342608fcd350afb2fbff2c9568e5f68da_amd64"
        },
        "product_reference": "custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8-operator@sha256:4c2b8009baf3e0424a3504f9bc49fc9342608fcd350afb2fbff2c9568e5f68da_amd64",
        "relates_to_product_reference": "8Base-OCMA-2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8@sha256:af913191f4a7273f29545f64012cea08e2c35296d4e3e3b10c8358feb4c425bd_amd64 as a component of OpenShift Custom Metrics Autoscaler 2",
          "product_id": "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8@sha256:af913191f4a7273f29545f64012cea08e2c35296d4e3e3b10c8358feb4c425bd_amd64"
        },
        "product_reference": "custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8@sha256:af913191f4a7273f29545f64012cea08e2c35296d4e3e3b10c8358feb4c425bd_amd64",
        "relates_to_product_reference": "8Base-OCMA-2"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-39326",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2023-12-06T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2253330"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the Golang net/http/internal package. This issue may allow a malicious user to send an HTTP request and cause the receiver to read more bytes from network than are in the body (up to 1GiB), causing the receiver to fail reading the response, possibly leading to a Denial of Service (DoS).",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel8@sha256:4dd04c7c5b5fb1aeb50ac9cd52cce2b7be8eb69bddf460e98ee97849fddb1756_amd64",
          "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel8@sha256:902b54fc0dad9ceefa86752585e37788c47ae08423109b8c572966a56e29de18_amd64",
          "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:0352167d7c1b00293d9e855c37339f52b3f445a3b388ba0e95e813c5e3a40ddc_amd64",
          "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8-operator@sha256:4c2b8009baf3e0424a3504f9bc49fc9342608fcd350afb2fbff2c9568e5f68da_amd64",
          "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8@sha256:af913191f4a7273f29545f64012cea08e2c35296d4e3e3b10c8358feb4c425bd_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-39326"
        },
        {
          "category": "external",
          "summary": "RHBZ#2253330",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2253330"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-39326",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-39326"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-39326",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39326"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2023-2382",
          "url": "https://pkg.go.dev/vuln/GO-2023-2382"
        }
      ],
      "release_date": "2023-12-06T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-04-15T05:44:34+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel8@sha256:4dd04c7c5b5fb1aeb50ac9cd52cce2b7be8eb69bddf460e98ee97849fddb1756_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel8@sha256:902b54fc0dad9ceefa86752585e37788c47ae08423109b8c572966a56e29de18_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:0352167d7c1b00293d9e855c37339f52b3f445a3b388ba0e95e813c5e3a40ddc_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8-operator@sha256:4c2b8009baf3e0424a3504f9bc49fc9342608fcd350afb2fbff2c9568e5f68da_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8@sha256:af913191f4a7273f29545f64012cea08e2c35296d4e3e3b10c8358feb4c425bd_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:1812"
        },
        {
          "category": "workaround",
          "details": "No mitigation is available for this flaw.",
          "product_ids": [
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel8@sha256:4dd04c7c5b5fb1aeb50ac9cd52cce2b7be8eb69bddf460e98ee97849fddb1756_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel8@sha256:902b54fc0dad9ceefa86752585e37788c47ae08423109b8c572966a56e29de18_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:0352167d7c1b00293d9e855c37339f52b3f445a3b388ba0e95e813c5e3a40ddc_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8-operator@sha256:4c2b8009baf3e0424a3504f9bc49fc9342608fcd350afb2fbff2c9568e5f68da_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8@sha256:af913191f4a7273f29545f64012cea08e2c35296d4e3e3b10c8358feb4c425bd_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel8@sha256:4dd04c7c5b5fb1aeb50ac9cd52cce2b7be8eb69bddf460e98ee97849fddb1756_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel8@sha256:902b54fc0dad9ceefa86752585e37788c47ae08423109b8c572966a56e29de18_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:0352167d7c1b00293d9e855c37339f52b3f445a3b388ba0e95e813c5e3a40ddc_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8-operator@sha256:4c2b8009baf3e0424a3504f9bc49fc9342608fcd350afb2fbff2c9568e5f68da_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8@sha256:af913191f4a7273f29545f64012cea08e2c35296d4e3e3b10c8358feb4c425bd_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests"
    },
    {
      "cve": "CVE-2023-47108",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2023-11-10T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2251198"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A memory exhaustion flaw was found in the otelgrpc handler of open-telemetry. This flaw may allow a remote unauthenticated attacker to flood the peer address and port and exhaust the server\u0027s memory by sending multiple malicious requests, affecting the availability of the system.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "opentelemetry-go-contrib: DoS vulnerability in otelgrpc due to unbound cardinality metrics",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "While no authentication is required, there are a significant number of non-default factors that prevent widespread exploitation of this issue. To affect a service, all of the following must be true:\n- The go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc package must be in use\n- Configured a metrics pipeline that uses the UnaryServerInterceptor wrapper function\n- No filtering of unknown HTTP methods or user agents at a higher level, such as Content Delivery Network\n\nDue to the limited attack surface, Red Hat Product Security rates the impact of this flaw as Moderate.\n\ncluster-network-operator-container in Openshift Container Platform 4 is rated as low and Won\u0027t Fix as the stats are behind an RBAC proxy and isn\u0027t available to unauthenticated users.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel8@sha256:4dd04c7c5b5fb1aeb50ac9cd52cce2b7be8eb69bddf460e98ee97849fddb1756_amd64",
          "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel8@sha256:902b54fc0dad9ceefa86752585e37788c47ae08423109b8c572966a56e29de18_amd64",
          "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:0352167d7c1b00293d9e855c37339f52b3f445a3b388ba0e95e813c5e3a40ddc_amd64",
          "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8-operator@sha256:4c2b8009baf3e0424a3504f9bc49fc9342608fcd350afb2fbff2c9568e5f68da_amd64",
          "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8@sha256:af913191f4a7273f29545f64012cea08e2c35296d4e3e3b10c8358feb4c425bd_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-47108"
        },
        {
          "category": "external",
          "summary": "RHBZ#2251198",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2251198"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-47108",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-47108"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-47108",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47108"
        },
        {
          "category": "external",
          "summary": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-8pgv-569h-w5rw",
          "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-8pgv-569h-w5rw"
        }
      ],
      "release_date": "2023-11-10T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-04-15T05:44:34+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel8@sha256:4dd04c7c5b5fb1aeb50ac9cd52cce2b7be8eb69bddf460e98ee97849fddb1756_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel8@sha256:902b54fc0dad9ceefa86752585e37788c47ae08423109b8c572966a56e29de18_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:0352167d7c1b00293d9e855c37339f52b3f445a3b388ba0e95e813c5e3a40ddc_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8-operator@sha256:4c2b8009baf3e0424a3504f9bc49fc9342608fcd350afb2fbff2c9568e5f68da_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8@sha256:af913191f4a7273f29545f64012cea08e2c35296d4e3e3b10c8358feb4c425bd_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:1812"
        },
        {
          "category": "workaround",
          "details": "As a workaround, use a view removing the attributes. Another possibility is to disable grpc metrics instrumentation by passing otelgrpc.WithMeterProvider option with noop.NewMeterProvider.",
          "product_ids": [
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel8@sha256:4dd04c7c5b5fb1aeb50ac9cd52cce2b7be8eb69bddf460e98ee97849fddb1756_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel8@sha256:902b54fc0dad9ceefa86752585e37788c47ae08423109b8c572966a56e29de18_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:0352167d7c1b00293d9e855c37339f52b3f445a3b388ba0e95e813c5e3a40ddc_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8-operator@sha256:4c2b8009baf3e0424a3504f9bc49fc9342608fcd350afb2fbff2c9568e5f68da_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8@sha256:af913191f4a7273f29545f64012cea08e2c35296d4e3e3b10c8358feb4c425bd_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel8@sha256:4dd04c7c5b5fb1aeb50ac9cd52cce2b7be8eb69bddf460e98ee97849fddb1756_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel8@sha256:902b54fc0dad9ceefa86752585e37788c47ae08423109b8c572966a56e29de18_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:0352167d7c1b00293d9e855c37339f52b3f445a3b388ba0e95e813c5e3a40ddc_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8-operator@sha256:4c2b8009baf3e0424a3504f9bc49fc9342608fcd350afb2fbff2c9568e5f68da_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8@sha256:af913191f4a7273f29545f64012cea08e2c35296d4e3e3b10c8358feb4c425bd_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "opentelemetry-go-contrib: DoS vulnerability in otelgrpc due to unbound cardinality metrics"
    },
    {
      "cve": "CVE-2024-28180",
      "cwe": {
        "id": "CWE-409",
        "name": "Improper Handling of Highly Compressed Data (Data Amplification)"
      },
      "discovery_date": "2024-03-10T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2268854"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability was found in Jose due to improper handling of highly compressed data. This issue could allow an attacker to send a JWE containing compressed data that uses large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jose-go: improper handling of highly compressed data",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel8@sha256:4dd04c7c5b5fb1aeb50ac9cd52cce2b7be8eb69bddf460e98ee97849fddb1756_amd64",
          "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel8@sha256:902b54fc0dad9ceefa86752585e37788c47ae08423109b8c572966a56e29de18_amd64",
          "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:0352167d7c1b00293d9e855c37339f52b3f445a3b388ba0e95e813c5e3a40ddc_amd64",
          "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8-operator@sha256:4c2b8009baf3e0424a3504f9bc49fc9342608fcd350afb2fbff2c9568e5f68da_amd64",
          "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8@sha256:af913191f4a7273f29545f64012cea08e2c35296d4e3e3b10c8358feb4c425bd_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-28180"
        },
        {
          "category": "external",
          "summary": "RHBZ#2268854",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2268854"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-28180",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-28180"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-28180",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28180"
        },
        {
          "category": "external",
          "summary": "https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g",
          "url": "https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g"
        }
      ],
      "release_date": "2024-03-09T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-04-15T05:44:34+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel8@sha256:4dd04c7c5b5fb1aeb50ac9cd52cce2b7be8eb69bddf460e98ee97849fddb1756_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel8@sha256:902b54fc0dad9ceefa86752585e37788c47ae08423109b8c572966a56e29de18_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:0352167d7c1b00293d9e855c37339f52b3f445a3b388ba0e95e813c5e3a40ddc_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8-operator@sha256:4c2b8009baf3e0424a3504f9bc49fc9342608fcd350afb2fbff2c9568e5f68da_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8@sha256:af913191f4a7273f29545f64012cea08e2c35296d4e3e3b10c8358feb4c425bd_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:1812"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel8@sha256:4dd04c7c5b5fb1aeb50ac9cd52cce2b7be8eb69bddf460e98ee97849fddb1756_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel8@sha256:902b54fc0dad9ceefa86752585e37788c47ae08423109b8c572966a56e29de18_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:0352167d7c1b00293d9e855c37339f52b3f445a3b388ba0e95e813c5e3a40ddc_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8-operator@sha256:4c2b8009baf3e0424a3504f9bc49fc9342608fcd350afb2fbff2c9568e5f68da_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8@sha256:af913191f4a7273f29545f64012cea08e2c35296d4e3e3b10c8358feb4c425bd_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel8@sha256:4dd04c7c5b5fb1aeb50ac9cd52cce2b7be8eb69bddf460e98ee97849fddb1756_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel8@sha256:902b54fc0dad9ceefa86752585e37788c47ae08423109b8c572966a56e29de18_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle@sha256:0352167d7c1b00293d9e855c37339f52b3f445a3b388ba0e95e813c5e3a40ddc_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8-operator@sha256:4c2b8009baf3e0424a3504f9bc49fc9342608fcd350afb2fbff2c9568e5f68da_amd64",
            "8Base-OCMA-2:custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8@sha256:af913191f4a7273f29545f64012cea08e2c35296d4e3e3b10c8358feb4c425bd_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jose-go: improper handling of highly compressed data"
    }
  ]
}

