Fedora 40 : caddy (2024-19d093c14d)

The remote Fedora 40 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2024-19d093c14d advisory. Automatic update for caddy-2.7.6-1.fc40. Changelog Fri Feb 9 2024 Carl George - 2.7.6-1 - Update to version 2.7.6 rhbz2253698 - Includes fix for CVE-2023-451...

Important: Red Hat Security Advisory: OpenShift Container Platform 4.15.5 bug fix and security update

Red Hat OpenShift Container Platform release 4.15.5 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.15. Red Hat Product Security has rated this update as having a...

Security Bulletin: IBM Cloud Pak for Data Scheduling is vulnerable to denial of service due to OpenTelemetry go module ( CVE-2023-45142, CVE-2023-47108 )

Summary OpenTelemetry go module is used by IBM Cloud Pak for Data Scheduling as part of the scheduler binaries. CVE-2023-45142, CVE-2023-47108. Vulnerability Details CVEID:CVE-2023-45142 DESCRIPTION: OpenTelemetry OpenTelemetry-Go Contrib is vulnerable to a denial of service, caused by an unbound...

Fedora 39 : caddy (2024-22b915e51a)

The remote Fedora 39 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2024-22b915e51a advisory. Update to the latest upstream version, which includes a fix for CVE-2023-45142. https://github.com/caddyserver/caddy/releases/tag/v2.7.6 Tenable has extracte...

Amazon Linux 2 : containerd (ALASDOCKER-2024-037)

The version of containerd installed on the remote host is prior to 1.7.11-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2DOCKER-2024-037 advisory. 2024-02-15: CVE-2023-39326 was added to this advisory. 2024-02-15: CVE-2023-47108 was added to this advisory. The...

Amazon Linux 2 : cri-tools (ALAS-2024-2446)

The version of cri-tools installed on the remote host is prior to 1.29.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2024-2446 advisory. A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read ma...

Amazon Linux 2 : containerd (ALASNITRO-ENCLAVES-2024-037)

The version of containerd installed on the remote host is prior to 1.7.11-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2NITRO-ENCLAVES-2024-037 advisory. 2024-02-15: CVE-2023-39326 was added to this advisory. 2024-02-15: CVE-2023-47108 was added to this...

Important: cri-tools

Issue Overview: A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of da...

RHCOS 4 : OpenShift Container Platform 4.12.48 (RHSA-2024:0489)

The remote Red Hat Enterprise Linux CoreOS 4 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2024:0489 advisory. - opentelemetry-go-contrib: DoS vulnerability in otelgrpc due to unbound cardinality metrics CVE-2023-47108 Note that Nessus has not tested f...

Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from go-yaml, OpenSSL, GnuTLS , OpenTelemetry-Go, go-toolset and urllib3

Summary OpenSSL, go-yaml, GnuTLS , OpenTelemetry-Go and urllib3 are consumed through RedHat UBI, go-toolset and OSE packages. These packages are shipped with IBM MQ Operator and IBM supplied MQ Advanced container images. Vulnerability Details CVEID:CVE-2022-28948 DESCRIPTION: Go-Yaml is vulnerabl...

Moderate: Red Hat Security Advisory: OpenShift Container Platform 4.13.30 security update

Red Hat OpenShift Container Platform release 4.13.30 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a...

RHCOS 4 : OpenShift Container Platform 4.14.9 (RHSA-2024:0207)

The remote Red Hat Enterprise Linux CoreOS 4 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2024:0207 advisory. - cri-o: Pods are able to break out of resource confinement on cgroupv2 CVE-2023-6476 - opentelemetry-go-contrib: DoS vulnerability ...

Amazon Linux 2023 : containerd, containerd-stress (ALAS2023-2024-499)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2024-499 advisory. 2024-08-09: CVE-2023-47108 was removed from this advisory. 2024-08-09: The severity of this advisory has been changed from Important to Medium.2024-04-10: CVE-2023-39326 was added to this advisory...

Amazon Linux 2023 : amazon-cloudwatch-agent (ALAS2023-2024-498)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2024-498 advisory. 2024-02-29: CVE-2023-47108 was added to this advisory. The HTTP/2 protocol allows a denial of service server resource consumption because request cancellation can reset many streams quickly, as...

Amazon Linux 2 : amazon-cloudwatch-agent (ALAS-2024-2424)

The version of amazon-cloudwatch-agent installed on the remote host is prior to 1.300032.3-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2024-2424 advisory. 2024-02-29: CVE-2023-47108 was added to this advisory. The HTTP/2 protocol allows a denial of service...

Important: amazon-cloudwatch-agent

Issue Overview: The HTTP/2 protocol allows a denial of service server resource consumption because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. CVE-2023-39325 A malicious HTTP sender can use chunk extensions to cause a receiver...

Important: amazon-cloudwatch-agent

Issue Overview: The HTTP/2 protocol allows a denial of service server resource consumption because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. CVE-2023-39325 A malicious HTTP sender can use chunk extensions to cause a receiver...

RHEL 8 / 9 : OpenShift Container Platform 4.14.9 (RHSA-2024:0207)

The remote Redhat Enterprise Linux 8 / 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2024:0207 advisory. Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or...

K000138255: Go OpenTelemetry Contrib vulnerability CVE-2023-47108

Security Advisory Description OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels net.peer.sock.addr and net.peer.sock.port that have unbound cardinality. It leads to the...

otelgrpc DoS vulnerability due to unbound cardinality metrics

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels net.peer.sock.addr and net.peer.sock.port that have unbound cardinality. It leads to the server's potential memory exhaustio...