Przemyslaw Roguski

**Name of the Vulnerable Software and Affected Versions** origin-aggregated-logging versions 3.11 **Description** A flaw was found in the original fix for the netty-codec-http issue, where the OpenShift Logging openshift-logging/elasticsearch6-rhel8 container was incomplete, and the vulnerable netty-codec-http maven package was not removed from the image content. **Recommendations** For origin-aggregated-logging version 3.11, ensure the vulnerable netty-codec-http maven package is removed from the image content to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** mig-controller (affected versions not specified) **Description** An incorrect default permissions issue was found in the mig-controller, related to incorrect cluster namespaces handling. This could allow an attacker to migrate a malicious workload to the target cluster, affecting the confidentiality, integrity, and availability of services on that cluster. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenShift versions prior to 4.8 **Description** The issue is related to the generated certificate for the in-cluster Service CA in OpenShift, which incorrectly includes additional certificates. This allows an attacker that compromises any of the additional CAs to masquerade as a trusted in-cluster service. The Service CA is automatically mounted into all pods, enabling them to connect to trusted in-cluster services that present certificates signed by the trusted Service CA. **Recommendations** For versions prior to 4.8, update to version 4.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the Service CA to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: OVN Kubernetes versions up to and including 0.3.0 Description: A vulnerability was found in OVN Kubernetes where the Egress Firewall does not reliably apply firewall rules when there are multiple DNS rules. This could lead to a potential loss of confidentiality, integrity, or availability of a service. Recommendations: For OVN Kubernetes versions up to and including 0.3.0, consider restricting the use of multiple DNS rules in the Egress Firewall until a patch is available. As a temporary workaround, review and manually apply firewall rules to ensure service confidentiality, integrity, and availability. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CRI-O versions 1.18 and earlier **Description** An incorrect sysctls validation issue was found, allowing an attacker to apply sysctls from the list of "safe" sysctls specified for the cluster to the host if they can create a pod with a hostIPC and hostNetwork kernel namespace. **Recommendations** For CRI-O versions 1.18 and earlier, as a temporary workaround, consider restricting the creation of pods with hostIPC and hostNetwork kernel namespace to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.