container-tools:4.0 security and bug fix update
buildah 1:1.24.6-7 - rebuild for CVE-2023-29406 - Related: 2176055 1:1.24.6-6 - rebuild for following CVEs: CVE-2022-41724 CVE-2022-41725 CVE-2023-24538 CVE-2023-24534 CVE-2023-24536 CVE-2022-41723 CVE-2023-24539 CVE-2023-24540 CVE-2023-29400 - Resolves: 2179943 - Resolves: 2187341 - Resolves:...
Rocky Linux 9 : kernel-rt (RLSA-2022:7319)
The remote Rocky Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2022:7319 advisory. - The Linux kernel before 5.17.2 mishandles seccomp permissions. The PTRACE_SEIZE code path allows attackers to bypass intended restrictions on setting t...
Rocky Linux 9 : kernel (RLSA-2022:7318)
The remote Rocky Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2022:7318 advisory. - The Linux kernel before 5.17.2 mishandles seccomp permissions. The PTRACE_SEIZE code path allows attackers to bypass intended restrictions on setting t...
container-tools:rhel8 bug fix and enhancement update
An update is available for libslirp, module.buildah, module.crun, buildah, fuse-overlayfs, udica, module.oci-seccomp-bpf-hook, module.netavark, module.runc, conmon, module.containers-common, python-podman, module.libslirp, module.aardvark-dns, module.fuse-overlayfs, runc, criu, aardvark-dns,...
kernel: seccomp: Move copy_seccomp() to no failure path
A memory leak flaw was found in the Linux kernel's seccomp subsystem. When a process using seccomp filters is interrupted by a fatal signal during clone, the seccomp_filter structure and associated BPF program memory are not properly freed. This occurs because copy_seccomp() is called before the...
A vulnerability in the online business analytics service IBM Cognos Analytics, which is part of the IBM Cloud Pak for Data (CP4D) cloud platform for data analysis, organization, and management, allows an attacker to compromise the integrity of protected information.
The vulnerability in the online business analytics service IBM Cognos Analytics, which is part of the IBM Cloud Pak for Data (CP4D) platform for data analysis, organization, and management, is caused by insufficient protection of operational data during the processing of the seccomp parameter...
Security Bulletin: IBM Cloud Kubernetes Service is affected by a kubelet security vulnerability (CVE-2023-2431)
Summary IBM Cloud Kubernetes Service is affected by a security vulnerability in the kubelet that allows pods to bypass the seccomp profile enforcement CVE-2023-2431 Vulnerability Details CVEID: CVE-2023-2431 Description: Kubernetes could allow a local authenticated attacker to bypass security...
OESA-2023-1414 kubernetes security update
Container cluster management. Security Fixes: Users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group without authorization. Clusters are impacted by this vulnerability if all of the following are...
OESA-2023-1413 kubernetes security update
Container cluster management. Security Fixes: Users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group without authorization. Clusters are impacted by this vulnerability if all of the following are...
OESA-2023-1416 kubernetes security update
Container cluster management. Security Fixes: Users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group without authorization. Clusters are impacted by this vulnerability if all of the following are...
OESA-2023-1415 kubernetes security update
Container cluster management. Security Fixes: Users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group without authorization. Clusters are impacted by this vulnerability if all of the following are...
CVE-2023-2431
A flaw was found in Kubernetes. This issue occurs when Kubernetes allows a local authenticated attacker to bypass security restrictions, caused by a flaw when using the localhost type for a seccomp profile but specifying an empty profile field. An attacker can bypass the seccomp profile enforceme...
Fedora 37 : kubernetes (2023-a1d7a29fe5)
The remote Fedora 37 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-a1d7a29fe5 advisory. Patch update to Kubernetes 1.25 for Fedora 37. Primarily a security fix for CVE-2023-2431: Bypass of seccomp profile enforcement. Tenable has...
SUSE SLES15 / openSUSE 15 Security Update : kubernetes1.23 (SUSE-SU-2023:2691-1)
The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2023:2691-1 advisory. - A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement. Pods that use localho...
SUSE-SU-2023:2691-1 Security update for kubernetes1.23
This update for kubernetes1.23 fixes the following issues: - CVE-2023-2431: Fixed a bypass issue of seccomp profile enforcement (bsc#1212493)...
Fedora 38 : kubernetes (2023-c7f63322b5)
The remote Fedora 38 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-c7f63322b5 advisory. Upstream security update with additional bugfixes. Resolves CVE-2023-2431. Tenable has extracted the preceding description block directly from the...
Profile Enforcement Bypass
k8s.io/kubernetes is vulnerable to Profile Enforcement Bypass. The vulnerability exists because the library does not properly define the seccomp type for the local host, which allows an attacker to bypass the seccomp profile enforcement by passing an empty profile...
SUSE CVE-2023-2431
A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement. Pods that use localhost type for seccomp profile but specify an empty profile field, are affected by this issue. In this scenario, this vulnerability allows the pod to run in unconfined seccomp...
GHSA-XC8M-28VV-4PJC Kubelet vulnerable to bypass of seccomp profile enforcement
A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement. Pods that use localhost type for seccomp profile but specify an empty profile field, are affected by this issue. In this scenario, this vulnerability allows the pod to run in unconfined seccomp...