#kubernetes

Red Hat Security Advisory 2024-7590-03 - Red Hat OpenShift Container Platform release 4.12.67 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include code execution, open redirection, and out of bounds write vulnerabilities.

**What actions do customers need to take to protect themselves from this vulnerability?** Customers with Ubuntu Linux or Azure Linux based Azure Kubernetes Service (AKS) Node Pools using NVIDIA GPU driver configurations are affected by this vulnerability. Please see below for details on how to update your resources to be protected against this vulnerability. 1. Customers with Azure Linux based AKS Node Pool resources must manually install AKS Node image version 2024.1009.1 to be protected against this vulnerability by running the following CLI command: tdnf install https://packages.microsoft.com/cbl-mariner/2.0/prod/base/x86_64/Packages/n/nvidia-container-toolkit-1.16.2-1.cm2.x86_64.rpm **Note:** The AKS node image, version 20241009.1, will be deployed in November and contain this package by default. Customers can monitor the status of this deployment by using AKS Release Tracker. 2. Customers with Ubuntu Linux based AKS Node Pool resources must manually upgr...

Red Hat Security Advisory 2024-7791-03 - An update for podman is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.

`JUJU_CONTEXT_ID` is the authentication measure on the unit hook tool abstract domain socket. It looks like `JUJU_CONTEXT_ID=appname/0-update-status-6073989428498739633`. This value looks fairly unpredictable, but due to the random source used, it is highly predictable. `JUJU_CONTEXT_ID` has the following components: - the application name - the unit number - the hook being currently run - a uint63 decimal number On a system the application name and unit number can be deduced by reading the structure of the filesystem. The current hook being run is not easily deduce-able, but is a limited set of possible values, so one could try them all. Finally the random number, this is generated from a non cryptographically secure random source. Specifically the random number generator built into the go standard library, using the current unix time in seconds (at startup) as the seed. There is no rate limiting on the abstract domain socket, the only limiting factor is time (window of time the h...

Armed with a staggering arsenal of at least 20,000 different exploits for various Linux server misconfigurations, perfctl is everywhere, annoying, and tough to get rid of.

## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-mh98-763h-m9v4. This link is maintained to preserve external references. ## Original Description JUJU_CONTEXT_ID is a predictable authentication secret. On a Juju machine (non-Kubernetes) or Juju charm container (on Kubernetes), an unprivileged user in the same network namespace can connect to an abstract domain socket and guess the JUJU_CONTEXT_ID value. This gives the unprivileged user access to the same information and tools as the Juju charm.

Red Hat Security Advisory 2024-7443-03 - Updated images are now available for Red Hat Advanced Cluster Security for Kubernetes. The updated image includes security and bug fixes.

Cybersecurity researchers have uncovered a new cryptojacking campaign targeting the Docker Engine API with the goal of co-opting the instances to join a malicious Docker Swarm controlled by the threat actor. This enabled the attackers to "use Docker Swarm's orchestration features for command-and-control (C2) purposes," Datadog researchers Matt Muir and Andy Giron said in an analysis. The attacks

As Superman has kryptonite, software has weaknesses — with misconfigurations leading the pack.

Developers need to do more than scan code and vet software components, and ops should do more than just defend the deployment pipeline.