What is the severity of RHSA-2023:0408?

The severity of RHSA-2023:0408 is classified based on the specific vulnerabilities addressed, generally indicating a moderate to high risk depending on the context in which OpenShift Virtualization is deployed.

How do I fix RHSA-2023:0408?

To fix RHSA-2023:0408, apply the recommended updates and patches for OpenShift Virtualization as specified in the advisory.

What software components are affected by RHSA-2023:0408?

RHSA-2023:0408 affects the OpenShift Virtualization 4.12.0 images in Red Hat OpenShift Container Platform.

What vulnerabilities are addressed in RHSA-2023:0408?

RHSA-2023:0408 addresses vulnerabilities in the golang net/http package that could lead to security issues.

Is RHSA-2023:0408 applicable to all OpenShift users?

RHSA-2023:0408 is specifically applicable to users of OpenShift Virtualization 4.12.0, and its relevance may vary based on the version in use.

Vulnerability/
RHSA-2023:0408

24/1/2023

RHSA-2023:0408: Important: OpenShift Virtualization 4.12.0 Images security update

First published: Tue Jan 24 2023(Updated: )

OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. This advisory contains the following OpenShift Virtualization 4.12.0 images: Security Fix(es): <li> golang: net/<a href="http:" target="_blank">http:</a> limit growth of header canonicalization cache (CVE-2021-44716)</li> <li> kubeVirt: Arbitrary file read on the host from KubeVirt VMs (CVE-2022-1798)</li> <li> golang: out-of-bounds read in golang.org/x/text/language leads to DoS (CVE-2021-38561)</li> <li> golang: syscall: don't close fd 0 on ForkExec error (CVE-2021-44717)</li> <li> golang: net/<a href="http:" target="_blank">http:</a> improper sanitization of Transfer-Encoding header (CVE-2022-1705)</li> <li> golang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)</li> <li> golang: math/big: uncontrolled memory consumption due to an unhandled overflow via Rat.SetString (CVE-2022-23772)</li> <li> golang: cmd/go: misinterpretation of branch names can lead to incorrect access control (CVE-2022-23773)</li> <li> golang: crypto/elliptic: IsOnCurve returns true for invalid field elements (CVE-2022-23806)</li> <li> golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)</li> <li> golang: syscall: faccessat checks wrong group (CVE-2022-29526)</li> <li> golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)</li> <li> golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)</li> <li> golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)</li> <li> golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)</li> <li> golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)</li> <li> golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)</li> <li> golang: crypto/tls: session tickets lack random ticket_age_add (CVE-2022-30629)</li> For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. RHEL-8-CNV-4.12 ============== bridge-marker-container-v4.12.0-24 cluster-network-addons-operator-container-v4.12.0-24 cnv-containernetworking-plugins-container-v4.12.0-24 cnv-must-gather-container-v4.12.0-58 hco-bundle-registry-container-v4.12.0-769 hostpath-csi-driver-container-v4.12.0-30 hostpath-provisioner-container-v4.12.0-30 hostpath-provisioner-operator-container-v4.12.0-31 hyperconverged-cluster-operator-container-v4.12.0-96 hyperconverged-cluster-webhook-container-v4.12.0-96 kubemacpool-container-v4.12.0-24 kubevirt-console-plugin-container-v4.12.0-182 kubevirt-ssp-operator-container-v4.12.0-64 kubevirt-tekton-tasks-cleanup-vm-container-v4.12.0-55 kubevirt-tekton-tasks-copy-template-container-v4.12.0-55 kubevirt-tekton-tasks-create-datavolume-container-v4.12.0-55 kubevirt-tekton-tasks-create-vm-from-template-container-v4.12.0-55 kubevirt-tekton-tasks-disk-virt-customize-container-v4.12.0-55 kubevirt-tekton-tasks-disk-virt-sysprep-container-v4.12.0-55 kubevirt-tekton-tasks-modify-vm-template-container-v4.12.0-55 kubevirt-tekton-tasks-operator-container-v4.12.0-40 kubevirt-tekton-tasks-wait-for-vmi-status-container-v4.12.0-55 kubevirt-template-validator-container-v4.12.0-32 libguestfs-tools-container-v4.12.0-255 ovs-cni-marker-container-v4.12.0-24 ovs-cni-plugin-container-v4.12.0-24 virt-api-container-v4.12.0-255 virt-artifacts-server-container-v4.12.0-255 virt-cdi-apiserver-container-v4.12.0-72 virt-cdi-cloner-container-v4.12.0-72 virt-cdi-controller-container-v4.12.0-72 virt-cdi-importer-container-v4.12.0-72 virt-cdi-operator-container-v4.12.0-72 virt-cdi-uploadproxy-container-v4.12.0-71 virt-cdi-uploadserver-container-v4.12.0-72 virt-controller-container-v4.12.0-255 virt-exportproxy-container-v4.12.0-255 virt-exportserver-container-v4.12.0-255 virt-handler-container-v4.12.0-255 virt-launcher-container-v4.12.0-255 virt-operator-container-v4.12.0-255 virtio-win-container-v4.12.0-10 vm-network-latency-checkup-container-v4.12.0-89

Affected Software	Affected Version	How to fix
Red Hat OpenShift Virtualization

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of RHSA-2023:0408?
The severity of RHSA-2023:0408 is classified based on the specific vulnerabilities addressed, generally indicating a moderate to high risk depending on the context in which OpenShift Virtualization is deployed.
How do I fix RHSA-2023:0408?
To fix RHSA-2023:0408, apply the recommended updates and patches for OpenShift Virtualization as specified in the advisory.
What software components are affected by RHSA-2023:0408?
RHSA-2023:0408 affects the OpenShift Virtualization 4.12.0 images in Red Hat OpenShift Container Platform.
What vulnerabilities are addressed in RHSA-2023:0408?
RHSA-2023:0408 addresses vulnerabilities in the golang net/http package that could lead to security issues.
Is RHSA-2023:0408 applicable to all OpenShift users?
RHSA-2023:0408 is specifically applicable to users of OpenShift Virtualization 4.12.0, and its relevance may vary based on the version in use.

agent/severity
collector/redhat-errata
source/Red Hat
anchor-id/RHSA-2023:0408
agent/type
agent/last-modified-date
agent/references
agent/first-publish-date
agent/event
agent/remedy
agent/title
agent/description
agent/trending
agent/source
agent/softwarecombine
agent/tags
agent/guess-ai
agent/software-canonical-lookup
agent/software-canonical-lookup-request
vendor/red hat
canonical/red hat openshift virtualization