Synopsis
Important: Red Hat OpenShift GitOps security update
Type/Severity
Security Advisory: Important
Topic
An update is now available for Red Hat OpenShift GitOps 1.7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Security Fix(es):
- goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be (CVE-2021-4238)
- go-yaml: Improve heuristics preventing CPU/memory abuse by parsing malicious or large YAML documents (CVE-2022-3064)
- ArgoCD: Users with any cluster secret update access may update out-of-bounds cluster secrets (CVE-2023-23947)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
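The first fix above concerns how uniformly an "alphanumeric" helper draws its symbols. As an added illustration that is not part of this advisory or of the goutils library, the following Go program shows the shape a practitioner would expect from such a helper: each symbol is drawn from the operating-system CSPRNG with crypto/rand.Int, which rejection-samples so a 62-symbol alphabet introduces no modulo bias, and a small frequency check that can be run against any generator's output. The function names, the zero-byte reader and the 62,000-symbol sample are constructed for this example.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"io"
	"math"
	"math/big"
	"strings"
)

// 26 upper-case letters, 26 lower-case letters and 10 digits: 62 symbols,
// not a power of two, so naive "random byte mod 62" would be biased.
const alphanumeric = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

// randomString draws n symbols from alphabet, each chosen uniformly from the
// entropy source src. crypto/rand.Int uses rejection sampling, so every index
// in [0, len(alphabet)) is equally likely. src is a parameter so tests can pass
// a deterministic reader; production callers pass rand.Reader.
func randomString(src io.Reader, alphabet string, n int) (string, error) {
	if n < 0 {
		return "", fmt.Errorf("negative length %d", n)
	}
	if alphabet == "" {
		return "", fmt.Errorf("empty alphabet")
	}
	size := big.NewInt(int64(len(alphabet)))
	var sb strings.Builder
	sb.Grow(n)
	for i := 0; i < n; i++ {
		idx, err := rand.Int(src, size) // uniform in [0, len(alphabet))
		if err != nil {
			return "", err
		}
		sb.WriteByte(alphabet[idx.Int64()])
	}
	return sb.String(), nil
}

// CryptoRandomAlphaNumeric is the production entry point (hypothetical name,
// chosen to mirror the advisory's wording): n alphanumeric symbols from the
// operating-system CSPRNG.
func CryptoRandomAlphaNumeric(n int) (string, error) {
	return randomString(rand.Reader, alphanumeric, n)
}

// MaxRelativeDeviation is a cheap uniformity check usable against the output
// of any string generator: it counts each symbol of alphabet in s and returns
// the largest |observed - expected| / expected over all symbols. alphabet must
// not repeat symbols. It errors on an empty sample or on a byte outside alphabet.
func MaxRelativeDeviation(s, alphabet string) (float64, error) {
	if len(s) == 0 {
		return 0, fmt.Errorf("empty sample")
	}
	counts := make(map[byte]int, len(alphabet))
	for i := 0; i < len(alphabet); i++ {
		counts[alphabet[i]] = 0
	}
	for i := 0; i < len(s); i++ {
		if _, ok := counts[s[i]]; !ok {
			return 0, fmt.Errorf("byte %q at offset %d is outside the alphabet", s[i], i)
		}
		counts[s[i]]++
	}
	expected := float64(len(s)) / float64(len(alphabet))
	worst := 0.0
	for _, c := range counts {
		if d := math.Abs(float64(c)-expected) / expected; d > worst {
			worst = d
		}
	}
	return worst, nil
}

// zeroReader is a constructed, deterministic entropy source (all zero bytes),
// used only to show that the symbol chosen is a pure function of the bytes read.
type zeroReader struct{}

func (zeroReader) Read(p []byte) (int, error) {
	for i := range p {
		p[i] = 0
	}
	return len(p), nil
}

func main() {
	s, err := CryptoRandomAlphaNumeric(62 * 1000) // ~1000 expected hits per symbol
	if err != nil {
		panic(err)
	}
	dev, err := MaxRelativeDeviation(s, alphanumeric)
	if err != nil {
		panic(err)
	}
	fmt.Printf("62000 symbols, worst per-symbol deviation from uniform: %.3f\n", dev)
}
```

With 1000 expected occurrences per symbol the standard deviation of each count is about 31, so a worst-case relative deviation well under 0.25 is the normal result; a generator that repeatedly reports a much larger figure, or that never emits part of its alphabet, is the kind of defect this check is meant to surface before it ends up in a token or password.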
Affected Products
- Red Hat OpenShift GitOps 1.7 x86_64
- Red Hat OpenShift GitOps for IBM Power, little endian 1.7 ppc64le
- Red Hat OpenShift GitOps for IBM Z and LinuxONE 1.7 s390x
Fixes
- BZ - 2156729 - CVE-2021-4238 goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be
- BZ - 2163037 - CVE-2022-3064 go-yaml: Improve heuristics preventing CPU/memory abuse by parsing malicious or large YAML documents
- BZ - 2167819 - CVE-2023-23947 ArgoCD: Users with any cluster secret update access may update out-of-bounds cluster secrets