Security update for kubernetes1.23

Announcement ID:	SUSE-SU-2024:3341-1
Rating:	important
References:	bsc#1062303 bsc#1194400 bsc#1211630 bsc#1211631 bsc#1214406 bsc#1216109 bsc#1216123 bsc#1219964 bsc#1221400 bsc#1222539 bsc#1226136 bsc#1229858 bsc#1229867 bsc#1229869 bsc#1230323
Cross-References:	CVE-2021-25743 CVE-2023-2727 CVE-2023-2728 CVE-2023-39325 CVE-2023-44487 CVE-2023-45288 CVE-2024-0793 CVE-2024-24786 CVE-2024-3177
CVSS scores:	CVE-2021-25743 ( SUSE ): 4.0 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2021-25743 ( NVD ): 3.0 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N CVE-2023-2727 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N CVE-2023-2727 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N CVE-2023-2728 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N CVE-2023-2728 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N CVE-2023-39325 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2023-39325 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2023-44487 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2023-44487 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2023-45288 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2024-0793 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2024-24786 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2024-3177 ( SUSE ): 2.7 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N CVE-2024-3177 ( NVD ): 2.7 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Affected Products:	openSUSE Leap 15.4 SUSE Linux Enterprise High Performance Computing 15 SP4 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 SUSE Linux Enterprise Server 15 SP4 SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 SUSE Linux Enterprise Server for SAP Applications 15 SP4

An update that solves nine vulnerabilities and has six security fixes can now be installed.

Description:

This update for kubernetes1.23 fixes the following issues:

• CVE-2021-25743: escape, meta and control sequences in raw data output to terminal not neutralized. (bsc#1194400)
• CVE-2023-2727: bypass of policies imposed by the ImagePolicyWebhook admission plugin. (bsc#1211630)
• CVE-2023-2728: bypass of the mountable secrets policy enforced by the ServiceAccount admission plugin. (bsc#1211631)
• CVE-2023-39325: go1.20: excessive resource consumption when dealing with rapid stream resets. (bsc#1229869)
• CVE-2023-44487: google.golang.org/grpc, kube-apiserver: HTTP/2 rapid reset vulnerability. (bsc#1229869)
• CVE-2023-45288: golang.org/x/net: excessive CPU consumption when processing unlimited sets of headers. (bsc#1229869)
• CVE-2024-0793: kube-controller-manager pod crash when processing malformed HPA v1 manifests. (bsc#1219964)
• CVE-2024-3177: bypass of the mountable secrets policy enforced by the ServiceAccount admission plugin. (bsc#1222539)
• CVE-2024-24786: github.com/golang/protobuf: infinite loop when unmarshaling invalid JSON. (bsc#1229867)

Bug fixes:

• Use -trimpath in non-DBG mode for reproducible builds. (bsc#1062303)
• Fix multiple issues for successful kubeadm init run. (bsc#1214406)
• Update go to version 1.22.5 in build requirements. (bsc#1229858)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• openSUSE Leap 15.4
  zypper in -t patch SUSE-2024-3341=1
• SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2024-3341=1
• SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2024-3341=1
• SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2024-3341=1
• SUSE Linux Enterprise Server for SAP Applications 15 SP4
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2024-3341=1

Package List:

• openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64)
  • kubernetes1.24-kubelet-common-1.24.17-150400.9.16.1
  • kubernetes1.24-kubelet-1.24.17-150400.9.16.1
  • kubernetes1.24-scheduler-1.24.17-150400.9.16.1
  • kubernetes1.24-client-common-1.24.17-150400.9.16.1
  • kubernetes1.24-controller-manager-1.24.17-150400.9.16.1
  • kubernetes1.24-apiserver-1.24.17-150400.9.16.1
  • kubernetes1.24-proxy-1.24.17-150400.9.16.1
  • kubernetes1.24-kubeadm-1.24.17-150400.9.16.1
  • kubernetes1.24-client-1.24.17-150400.9.16.1
• openSUSE Leap 15.4 (noarch)
  • kubernetes1.24-client-bash-completion-1.24.17-150400.9.16.1
  • kubernetes1.24-client-fish-completion-1.24.17-150400.9.16.1
• SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64 x86_64)
  • kubernetes1.24-client-common-1.24.17-150400.9.16.1
  • kubernetes1.24-client-1.24.17-150400.9.16.1
• SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (aarch64 x86_64)
  • kubernetes1.24-client-common-1.24.17-150400.9.16.1
  • kubernetes1.24-client-1.24.17-150400.9.16.1
• SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (aarch64 ppc64le s390x x86_64)
  • kubernetes1.24-client-common-1.24.17-150400.9.16.1
  • kubernetes1.24-client-1.24.17-150400.9.16.1
• SUSE Linux Enterprise Server for SAP Applications 15 SP4 (ppc64le x86_64)
  • kubernetes1.24-client-common-1.24.17-150400.9.16.1
  • kubernetes1.24-client-1.24.17-150400.9.16.1

References:

• https://www.suse.com/security/cve/CVE-2021-25743.html
• https://www.suse.com/security/cve/CVE-2023-2727.html
• https://www.suse.com/security/cve/CVE-2023-2728.html
• https://www.suse.com/security/cve/CVE-2023-39325.html
• https://www.suse.com/security/cve/CVE-2023-44487.html
• https://www.suse.com/security/cve/CVE-2023-45288.html
• https://www.suse.com/security/cve/CVE-2024-0793.html
• https://www.suse.com/security/cve/CVE-2024-24786.html
• https://www.suse.com/security/cve/CVE-2024-3177.html
• https://bugzilla.suse.com/show_bug.cgi?id=1062303
• https://bugzilla.suse.com/show_bug.cgi?id=1194400
• https://bugzilla.suse.com/show_bug.cgi?id=1211630
• https://bugzilla.suse.com/show_bug.cgi?id=1211631
• https://bugzilla.suse.com/show_bug.cgi?id=1214406
• https://bugzilla.suse.com/show_bug.cgi?id=1216109
• https://bugzilla.suse.com/show_bug.cgi?id=1216123
• https://bugzilla.suse.com/show_bug.cgi?id=1219964
• https://bugzilla.suse.com/show_bug.cgi?id=1221400
• https://bugzilla.suse.com/show_bug.cgi?id=1222539
• https://bugzilla.suse.com/show_bug.cgi?id=1226136
• https://bugzilla.suse.com/show_bug.cgi?id=1229858
• https://bugzilla.suse.com/show_bug.cgi?id=1229867
• https://bugzilla.suse.com/show_bug.cgi?id=1229869
• https://bugzilla.suse.com/show_bug.cgi?id=1230323