9VSA22-00624-01 CSIRT alerts on vulnerabilities in Red Hat products
The Government CSIRT shares information about new vulnerabilities and security updates for Red Hat.
Summary
The Computer Security Incident Response Team of the Government of Chile, CSIRT de Gobierno, shares information about new vulnerabilities and security updates for Red Hat.
This report includes the mitigation measures, which consist of installing the latest update for the affected products.
Vulnerabilities
CVE-2022-29599
CVE-2021-44716
CVE-2022-21426
CVE-2022-21434
CVE-2022-21443
CVE-2022-21476
CVE-2022-21496
CVE-2021-4083
CVE-2022-0492
CVE-2022-25636
CVE-2022-22965
CVE-2021-4028
CVE-2021-20288
CVE-2021-43859
CVE-2021-45960
CVE-2021-46143
CVE-2022-0778
CVE-2022-22720
CVE-2022-22822
CVE-2022-22823
CVE-2022-22824
CVE-2022-22825
CVE-2022-22826
CVE-2022-22827
CVE-2022-23852
CVE-2022-25173
CVE-2022-25174
CVE-2022-25175
CVE-2022-25176
CVE-2022-25177
CVE-2022-25178
CVE-2022-25179
CVE-2022-25180
CVE-2022-25181
CVE-2022-25182
CVE-2022-25183
CVE-2022-25184
CVE-2022-25235
CVE-2022-25236
CVE-2022-25315
CVE-2022-0435
CVE-2022-0852
Impact
Critical vulnerabilities:
CVE-2022-29599: Command injection via Commandline.
CVE-2021-44716: Uncontrolled resource consumption in the golang net/http library, in the canonicalHeader() function. Exploitation can lead to denial of service.
CVE-2022-25315: A flaw in expat can lead to remote code execution.
CVE-2022-25235: A flaw in expat can lead to remote code execution.
CVE-2022-25236: A flaw in expat can lead to remote code execution.
CVE-2022-22822: A flaw in expat (libexpat) causes process disruption and, if exploited, puts the confidentiality and integrity of the affected system's data at risk.
CVE-2022-22823: A flaw in expat (libexpat) causes process disruption and, if exploited, puts the confidentiality and integrity of the affected system's data at risk.
CVE-2022-22824: A flaw in expat (libexpat) causes process disruption and, if exploited, puts the confidentiality, availability and integrity of the affected system's data at risk.
CVE-2022-23852: A flaw in expat (libexpat) causes process disruption and, if exploited, puts the confidentiality, availability and integrity of the affected system's data at risk.
Affected products
Red Hat Enterprise Linux for Power, little endian: 7
Red Hat Enterprise Linux for Power, big endian: 7
Red Hat Enterprise Linux for IBM z Systems: 7
Red Hat Enterprise Linux for Scientific Computing: 7
Red Hat Enterprise Linux Desktop: 7
Red Hat Enterprise Linux Workstation: 7
Red Hat Enterprise Linux Server: 7
Red Hat Gluster Storage Web Administration (for RHEL Server) 3.1 x86_64
Red Hat OpenShift Container Platform 3.11 x86_64
Red Hat OpenShift Container Platform for Power 3.11 ppc64le
Red Hat OpenShift Container Platform 3.10 x86_64
Red Hat OpenShift Container Platform 3.9 x86_64
Red Hat OpenShift Container Platform 4.8 for RHEL 8 x86_64
Red Hat OpenShift Container Platform for Power 4.8 for RHEL 8 ppc64le
Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.8 for RHEL 8 s390x
Red Hat OpenShift Container Platform 4.9 for RHEL 8 x86_64
Red Hat OpenShift Container Platform 4.7 for RHEL 8 x86_64
Red Hat OpenShift Container Platform 4.6 for RHEL 8 x86_64
Red Hat OpenShift Container Platform for Power 4.9 for RHEL 8 ppc64le
Red Hat OpenShift Container Platform for Power 4.7 for RHEL 8 ppc64le
Red Hat OpenShift Container Platform for Power 4.6 for RHEL 8 ppc64le
Red Hat JBoss Middleware Text-Only Advisories for MIDDLEWARE 1 x86_64
Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.1 ppc64le
Red Hat Enterprise Linux Server for x86_64 - Update Services for SAP Solutions 8.1 x86_64
Convert2RHEL 6 x86_64
Convert2RHEL 7 x86_64
Mitigation
Install the respective updates provided by the vendor.
Links
https://access.redhat.com/security/cve/CVE-2022-29599
https://access.redhat.com/errata/RHSA-2022:1541
https://access.redhat.com/errata/RHBA-2022:1630
https://access.redhat.com/errata/RHBA-2022:1429
https://access.redhat.com/errata/RHBA-2022:1633
https://access.redhat.com/errata/RHSA-2022:1627
https://access.redhat.com/errata/RHSA-2022:1626
https://access.redhat.com/errata/RHBA-2022:1421
https://access.redhat.com/errata/RHSA-2022:1420
https://access.redhat.com/errata/RHSA-2022:1619
https://access.redhat.com/errata/RHSA-2022:1618
https://access.redhat.com/errata/RHSA-2022:1617
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29599
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44716
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21426
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21434
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21443
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21476
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21496
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4083
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0492
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25636
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4028
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20288
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43859
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45960
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46143
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0778
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22720
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22822
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22823
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22824
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22825
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22827
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23852
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25173
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25174
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25175
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25176
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25177
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25178
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25179
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25180
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25181
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25182
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25183
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25184
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25235
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25236
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25315
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0435
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0852
Report
The official report published by the CSIRT of the Government of Chile is available at the following link: 9VSA22-00624-01.