Security notes

In the Container Cloud patch release 2.23.5, 70 vendor-specific Common Vulnerabilities and Exposures (CVEs) have been addressed: 7 of critical and 63 of high severity.

The full list of the CVEs present in the current Container Cloud release is available at the Mirantis Security Portal.

Addressed CVEs

| Image | Component name | CVE |
|---|---|---|
| bm/baremetal-dnsmasq | curl | CVE-2023-28319 (High) |
| | | CVE-2023-28321 (High) |
| | | CVE-2023-28322 (High) |
| | libcurl | CVE-2023-28319 (High) |
| | | CVE-2023-28321 (High) |
| | | CVE-2023-28322 (High) |
| | libcap2 | CVE-2023-2603 (High) |
| | ncurses-libs | CVE-2023-29491 (High) |
| | ncurses-terminfo-base | CVE-2023-29491 (High) |
| bm/baremetal-operator | openssh-client-common | CVE-2023-28531 (Critical) |
| | openssh-client-default | CVE-2023-28531 (Critical) |
| | openssh-keygen | CVE-2023-28531 (Critical) |
| | ncurses-libs | CVE-2023-29491 (High) |
| | ncurses-terminfo-base | CVE-2023-29491 (High) |
| core/external/nginx | libwebp | CVE-2023-1999 (Critical) |
| | curl | CVE-2023-28319 (High) |
| | | CVE-2023-28321 (High) |
| | | CVE-2023-28322 (High) |
| | libcurl | CVE-2023-28319 (High) |
| | | CVE-2023-28321 (High) |
| | | CVE-2023-28322 (High) |
| core/frontend | libwebp | CVE-2023-1999 (Critical) |
| | curl | CVE-2023-28319 (High) |
| | | CVE-2023-28321 (High) |
| | | CVE-2023-28322 (High) |
| | libcurl | CVE-2023-28319 (High) |
| | | CVE-2023-28321 (High) |
| | | CVE-2023-28322 (High) |
| openstack/ironic | sqlparse | CVE-2023-30608 (High) |
| openstack/ironic-inspector | Flask | CVE-2023-30861 (High) |
| | sqlparse | CVE-2023-30608 (High) |
| stacklight/alerta-web | libcurl | CVE-2023-28319 (High) |
| | | CVE-2023-28321 (High) |
| | | CVE-2023-28322 (High) |
| | libpq | CVE-2023-2454 (High) |
| | postgresql15-client | CVE-2023-2454 (High) |
| | Flask | CVE-2023-30861 (High) |
| | ncurses-libs | CVE-2023-29491 (High) |
| | ncurses-terminfo-base | CVE-2023-29491 (High) |
| stacklight/alertmanager-webhook-servicenow | ncurses-libs | CVE-2023-29491 (High) |
| | ncurses-terminfo-base | CVE-2023-29491 (High) |
| stacklight/alpine-utils | curl | CVE-2023-28319 (High) |
| | | CVE-2023-28321 (High) |
| | | CVE-2023-28322 (High) |
| | libcurl | CVE-2023-28319 (High) |
| | | CVE-2023-28321 (High) |
| | | CVE-2023-28322 (High) |
| stacklight/opensearch | org.apache.santuario:xmlsec | CVE-2022-47966 (Critical) |
| | | CVE-2022-21476 (High) |
| | org.slf4j:slf4j-api | CVE-2018-8088 (Critical) |
| | glib2 | CVE-2018-16428 (High) |
| | | CVE-2018-16429 (High) |
| stacklight/opensearch-dashboards | glib2 | CVE-2018-16428 (High) |
| | | CVE-2018-16429 (High) |
| stacklight/pgbouncer | libpq | CVE-2023-2454 (High) |
| | postgresql-client | CVE-2023-2454 (High) |
| stacklight/prometheus-libvirt-exporter | libcurl | CVE-2023-28319 (High) |
| | | CVE-2023-28321 (High) |
| | | CVE-2023-28322 (High) |
| stacklight/prometheus-patroni-exporter | ncurses-libs | CVE-2023-29491 (High) |
| | ncurses-terminfo-base | CVE-2023-29491 (High) |
| stacklight/sf-notifier | flask | CVE-2023-30861 (High) |
| stacklight/stacklight-toolkit | curl | CVE-2023-28319 (High) |
| | | CVE-2023-28321 (High) |
| | | CVE-2023-28322 (High) |
| | libcurl | CVE-2023-28319 (High) |
| | | CVE-2023-28321 (High) |
| | | CVE-2023-28322 (High) |
| stacklight/telegraf | github.com/docker/docker | CVE-2023-28840 (High) |
| | | CVE-2023-28840 (High) |