Red Hat Security Advisory 2023-6154-01 - Secondary Scheduler Operator for Red Hat OpenShift 1.2.0. Issues addressed include a denial of service vulnerability.
a1b8ec594719d6cd2560237e911ffeb2faf21a86e517fdfd06afd2303e08fe8e
The following data is constructed from data provided by Red Hat's JSON file at:
https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6154.json
Red Hat officially shut down their mailing list notifications on October 10, 2023. Due to this, Packet Storm has recreated the data below as a reference point to raise awareness. It must be noted that, due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications, and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.
- Packet Storm Staff
====================================================================
Red Hat Security Advisory
Synopsis: Important: Secondary Scheduler Operator for Red Hat OpenShift 1.2.0
Advisory ID: RHSA-2023:6154-01
Product: Openshift Secondary Scheduler Operator
Advisory URL: https://access.redhat.com/errata/RHSA-2023:6154
Issue date: 2023-11-01
Revision: 01
CVE Names: CVE-2023-39318
====================================================================
Summary:
Secondary Scheduler Operator for Red Hat OpenShift 1.2.0
Description:
The Secondary Scheduler Operator for Red Hat OpenShift is an optional
operator that makes it possible to deploy a secondary scheduler by
providing a scheduler image. You can run a scheduler with custom
plugins without applying additional manifests, such as cluster roles
and deployments.
Security Fix(es):
* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-39325)
* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (CVE-2023-44487)
* golang: html/template: improper handling of HTML-like comments within script contexts (CVE-2023-39318)
* golang: html/template: improper handling of special tags within script contexts (CVE-2023-39319)
* golang: crypto/tls: panic when processing post-handshake message on QUIC connections (CVE-2023-39321)
* golang: crypto/tls: lack of a limit on buffered post-handshake (CVE-2023-39322)
Solution:
https://access.redhat.com/articles/11258
CVEs:
CVE-2023-39318
References:
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003