
122 matches found

Tenable Nessus
added 2024/07/03 12:0 a.m. | 37 views

CBL Mariner 2.0 Security Update: containerd / cri-tools / docker-buildx / docker-compose / moby-containerd-cc (CVE-2023-47108)

The version of containerd / cri-tools / docker-buildx / docker-compose / moby-containerd-cc installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2023-47108 advisory. - OpenTelemetry-Go Contrib is a collecti...

7.5 CVSS | 6.9 AI score | 0.01579 EPSS
Exploits 0 | References 2

Tenable Nessus
added 2024/07/03 12:0 a.m. | 34 views

CBL Mariner 2.0 Security Update: cri-tools / docker-buildx / kubernetes / opa / prometheus (CVE-2023-45142)

The version of cri-tools / docker-buildx / kubernetes / opa / prometheus installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2023-45142 advisory. - OpenTelemetry-Go Contrib is a collection of third-party...

7.5 CVSS | 7.9 AI score | 0.01364 EPSS
Exploits 0 | References 2

Tenable Nessus
added 2024/05/11 12:0 a.m. | 30 views

RHEL 8 : opentelemetry-go-contrib (Unpatched Vulnerability)

The remote Redhat Enterprise Linux 8 host has one or more packages installed that are affected by a vulnerability that has been acknowledged by the vendor but will not be patched. - opentelemetry-go-contrib: DoS vulnerability in otelgrpc due to unbound cardinality metrics CVE-2023-47108 Note that...

7.4 AI score | 0.01579 EPSS
Exploits 0 | References 1

Tenable Nessus
added 2024/04/29 12:0 a.m. | 27 views

Fedora 40 : caddy (2024-19d093c14d)

The remote Fedora 40 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2024-19d093c14d advisory. Automatic update for caddy-2.7.6-1.fc40. Changelog Fri Feb 9 2024 Carl George - 2.7.6-1 - Update to version 2.7.6 rhbz2253698 - Includes fix for CVE-2023-451...

7.5 CVSS | 8.1 AI score | 0.01364 EPSS
Exploits 0 | References 2

RedHat Linux
added 2024/03/27 11:18 a.m. | 62 views

Important: Red Hat Security Advisory: OpenShift Container Platform 4.15.5 bug fix and security update

Red Hat OpenShift Container Platform release 4.15.5 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.15. Red Hat Product Security has rated this update as having a...

7.5 CVSS | 7.1 AI score | 0.99999 EPSS
Exploits 19 | References 29

IBM Security Bulletins
added 2024/03/20 5:49 p.m. | 36 views

Security Bulletin: IBM Cloud Pak for Data Scheduling is vulnerable to denial of service due to OpenTelemetry go module ( CVE-2023-45142, CVE-2023-47108 )

Summary OpenTelemetry go module is used by IBM Cloud Pak for Data Scheduling as part of the scheduler binaries. CVE-2023-45142, CVE-2023-47108. Vulnerability Details CVEID:CVE-2023-45142 DESCRIPTION: OpenTelemetry OpenTelemetry-Go Contrib is vulnerable to a denial of service, caused by an unbound...

7.5 CVSS | 7.5 AI score | 0.01579 EPSS
Exploits 0 | Affected Software 1

Tenable Nessus
added 2024/02/19 12:0 a.m. | 36 views

Fedora 39 : caddy (2024-22b915e51a)

The remote Fedora 39 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2024-22b915e51a advisory. Update to the latest upstream version, which includes a fix for CVE-2023-45142. https://github.com/caddyserver/caddy/releases/tag/v2.7.6 Tenable has extracte...

7.5 CVSS | 8.1 AI score | 0.01364 EPSS
Exploits 0 | References 2

Tenable Nessus
added 2024/02/06 12:0 a.m. | 45 views

Amazon Linux 2 : containerd (ALASDOCKER-2024-037)

The version of containerd installed on the remote host is prior to 1.7.11-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2DOCKER-2024-037 advisory. 2024-02-15: CVE-2023-39326 was added to this advisory. 2024-02-15: CVE-2023-47108 was added to this advisory. The...

7.5 CVSS | 7 AI score | 0.03796 EPSS
Exploits 0 | References 10

Tenable Nessus
added 2024/02/06 12:0 a.m. | 55 views

Amazon Linux 2 : containerd (ALASNITRO-ENCLAVES-2024-037)

The version of containerd installed on the remote host is prior to 1.7.11-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2NITRO-ENCLAVES-2024-037 advisory. 2024-02-15: CVE-2023-39326 was added to this advisory. 2024-02-15: CVE-2023-47108 was added to this...

7.5 CVSS | 7 AI score | 0.03796 EPSS
Exploits 0 | References 10

Tenable Nessus
added 2024/02/06 12:0 a.m. | 64 views

Amazon Linux 2 : cri-tools (ALAS-2024-2446)

The version of cri-tools installed on the remote host is prior to 1.29.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2024-2446 advisory. A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read ma...

7.5 CVSS | 7 AI score | 0.01364 EPSS
Exploits 0 | References 8

Amazon
added 2024/02/05 12:0 a.m. | 45 views

Important: cri-tools

Issue Overview: A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of da...

7.5 CVSS | 6.8 AI score | 0.01364 EPSS
Exploits 0

Tenable Nessus
added 2024/01/31 12:0 a.m. | 47 views

RHCOS 4 : OpenShift Container Platform 4.12.48 (RHSA-2024:0489)

The remote Red Hat Enterprise Linux CoreOS 4 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2024:0489 advisory. - opentelemetry-go-contrib: DoS vulnerability in otelgrpc due to unbound cardinality metrics CVE-2023-47108 Note that Nessus has not tested f...

7.5 CVSS | 6.9 AI score | 0.01579 EPSS
Exploits 0 | References 5

IBM Security Bulletins
added 2024/01/30 8:15 a.m. | 73 views

Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from go-yaml, OpenSSL, GnuTLS , OpenTelemetry-Go, go-toolset and urllib3

Summary OpenSSL, go-yaml, GnuTLS , OpenTelemetry-Go and urllib3 are consumed through RedHat UBI, go-toolset and OSE packages. These packages are shipped with IBM MQ Operator and IBM supplied MQ Advanced container images. Vulnerability Details CVEID:CVE-2022-28948 DESCRIPTION: Go-Yaml is vulnerabl...

8.1 CVSS | 8.3 AI score | 0.05533 EPSS
Exploits 1 | Affected Software 1

RedHat Linux
added 2024/01/24 7:4 a.m. | 54 views

Moderate: Red Hat Security Advisory: OpenShift Container Platform 4.13.30 security update

Red Hat OpenShift Container Platform release 4.13.30 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a...

7.5 CVSS | 6.8 AI score | 0.01579 EPSS
Exploits 0 | References 2

Tenable Nessus
added 2024/01/24 12:0 a.m. | 45 views

RHCOS 4 : OpenShift Container Platform 4.14.9 (RHSA-2024:0207)

The remote Red Hat Enterprise Linux CoreOS 4 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2024:0207 advisory. - cri-o: Pods are able to break out of resource confinement on cgroupv2 CVE-2023-6476 - opentelemetry-go-contrib: DoS vulnerability ...

7.5 CVSS | 7 AI score | 0.01579 EPSS
Exploits 0 | References 7

Tenable Nessus
added 2024/01/23 12:0 a.m. | 51 views

Amazon Linux 2023 : amazon-cloudwatch-agent (ALAS2023-2024-498)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2024-498 advisory. 2024-02-29: CVE-2023-47108 was added to this advisory. The HTTP/2 protocol allows a denial of service server resource consumption because request cancellation can reset many streams quickly, as...

7.5 CVSS | 7 AI score | 0.03796 EPSS
Exploits 0 | References 10

Tenable Nessus
added 2024/01/23 12:0 a.m. | 70 views

Amazon Linux 2 : amazon-cloudwatch-agent (ALAS-2024-2424)

The version of amazon-cloudwatch-agent installed on the remote host is prior to 1.300032.3-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2024-2424 advisory. 2024-02-29: CVE-2023-47108 was added to this advisory. The HTTP/2 protocol allows a denial of service...

7.5 CVSS | 7.1 AI score | 0.03796 EPSS
Exploits 0 | References 10

Tenable Nessus
added 2024/01/23 12:0 a.m. | 26 views

Amazon Linux 2023 : containerd, containerd-stress (ALAS2023-2024-499)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2024-499 advisory. 2024-08-09: CVE-2023-47108 was removed from this advisory. 2024-08-09: The severity of this advisory has been changed from Important to Medium. 2024-04-10: CVE-2023-39326 was added to this advisory...

7.5 CVSS | 6.9 AI score | 0.03796 EPSS
Exploits 0 | References 4

Amazon
added 2024/01/22 12:0 a.m. | 52 views

Important: amazon-cloudwatch-agent

Issue Overview: The HTTP/2 protocol allows a denial of service server resource consumption because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. CVE-2023-39325 A malicious HTTP sender can use chunk extensions to cause a receiver...

7.5 CVSS | 7.9 AI score | 0.03796 EPSS
Exploits 0

Amazon
added 2024/01/22 12:0 a.m. | 11 views

Important: amazon-cloudwatch-agent

Issue Overview: The HTTP/2 protocol allows a denial of service server resource consumption because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. CVE-2023-39325 A malicious HTTP sender can use chunk extensions to cause a receiver...

7.5 CVSS | 7.2 AI score | 0.03796 EPSS
Exploits 0