RHSA-2026:3228
Vulnerability from csaf_redhat - Published: 2026-02-24 17:03 - Updated: 2026-02-24 17:07Summary
Red Hat Security Advisory: Cost Management Metrics Operator Update
Notes
Topic
Cost Management Metrics Operator version 4.3.1 release.
Details
The Cost Management Metrics Operator is a component of the Red Hat Cost Managment service for Openshift.
The operator runs on the latest supported versions of Openshift.
This operator obtains OpenShift usage data by querying Prometheus every hour to create metric reports
that it uploads to Cost Management at console.redhat.com.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Cost Management Metrics Operator version 4.3.1 release.",
"title": "Topic"
},
{
"category": "general",
"text": "The Cost Management Metrics Operator is a component of the Red Hat Cost Managment service for Openshift.\nThe operator runs on the latest supported versions of Openshift.\nThis operator obtains OpenShift usage data by querying Prometheus every hour to create metric reports\nthat it uploads to Cost Management at console.redhat.com.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:3228",
"url": "https://access.redhat.com/errata/RHSA-2026:3228"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-11187",
"url": "https://access.redhat.com/security/cve/CVE-2025-11187"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-15281",
"url": "https://access.redhat.com/security/cve/CVE-2025-15281"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-15467",
"url": "https://access.redhat.com/security/cve/CVE-2025-15467"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-15468",
"url": "https://access.redhat.com/security/cve/CVE-2025-15468"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-15469",
"url": "https://access.redhat.com/security/cve/CVE-2025-15469"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-66199",
"url": "https://access.redhat.com/security/cve/CVE-2025-66199"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-68160",
"url": "https://access.redhat.com/security/cve/CVE-2025-68160"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-69418",
"url": "https://access.redhat.com/security/cve/CVE-2025-69418"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-69419",
"url": "https://access.redhat.com/security/cve/CVE-2025-69419"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-69420",
"url": "https://access.redhat.com/security/cve/CVE-2025-69420"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-69421",
"url": "https://access.redhat.com/security/cve/CVE-2025-69421"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-0861",
"url": "https://access.redhat.com/security/cve/CVE-2026-0861"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-0915",
"url": "https://access.redhat.com/security/cve/CVE-2026-0915"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-22795",
"url": "https://access.redhat.com/security/cve/CVE-2026-22795"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-22796",
"url": "https://access.redhat.com/security/cve/CVE-2026-22796"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification",
"url": "https://access.redhat.com/security/updates/classification"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/cost_management_service/1-latest/html/getting_started_with_cost_management/steps-to-cost-management",
"url": "https://docs.redhat.com/en/documentation/cost_management_service/1-latest/html/getting_started_with_cost_management/steps-to-cost-management"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_3228.json"
}
],
"title": "Red Hat Security Advisory: Cost Management Metrics Operator Update",
"tracking": {
"current_release_date": "2026-02-24T17:07:54+00:00",
"generator": {
"date": "2026-02-24T17:07:54+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.1"
}
},
"id": "RHSA-2026:3228",
"initial_release_date": "2026-02-24T17:03:15+00:00",
"revision_history": [
{
"date": "2026-02-24T17:03:15+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-02-24T17:03:21+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-02-24T17:07:54+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Cost Management 4",
"product": {
"name": "Cost Management 4",
"product_id": "Cost Management 4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:cost_management:4::el9"
}
}
}
],
"category": "product_family",
"name": "Cost Management"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"product": {
"name": "registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"product_id": "registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"product_identification_helper": {
"purl": "pkg:oci/costmanagement-metrics-rhel9-operator@sha256%3A210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7?arch=amd64\u0026repository_url=registry.redhat.io/costmanagement\u0026tag=1770836349"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64",
"product": {
"name": "registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64",
"product_id": "registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64",
"product_identification_helper": {
"purl": "pkg:oci/costmanagement-metrics-operator-bundle@sha256%3A5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441?arch=amd64\u0026repository_url=registry.redhat.io/costmanagement\u0026tag=1770837277"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"product": {
"name": "registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"product_id": "registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"product_identification_helper": {
"purl": "pkg:oci/costmanagement-metrics-rhel9-operator@sha256%3A1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1?arch=arm64\u0026repository_url=registry.redhat.io/costmanagement\u0026tag=1770836349"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le",
"product": {
"name": "registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le",
"product_id": "registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/costmanagement-metrics-rhel9-operator@sha256%3A7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7?arch=ppc64le\u0026repository_url=registry.redhat.io/costmanagement\u0026tag=1770836349"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"product": {
"name": "registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"product_id": "registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"product_identification_helper": {
"purl": "pkg:oci/costmanagement-metrics-rhel9-operator@sha256%3A5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937?arch=s390x\u0026repository_url=registry.redhat.io/costmanagement\u0026tag=1770836349"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64 as a component of Cost Management 4",
"product_id": "Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64"
},
"product_reference": "registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64",
"relates_to_product_reference": "Cost Management 4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64 as a component of Cost Management 4",
"product_id": "Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64"
},
"product_reference": "registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"relates_to_product_reference": "Cost Management 4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64 as a component of Cost Management 4",
"product_id": "Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64"
},
"product_reference": "registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"relates_to_product_reference": "Cost Management 4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x as a component of Cost Management 4",
"product_id": "Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x"
},
"product_reference": "registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"relates_to_product_reference": "Cost Management 4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le as a component of Cost Management 4",
"product_id": "Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
},
"product_reference": "registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le",
"relates_to_product_reference": "Cost Management 4"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-11187",
"cwe": {
"id": "CWE-233",
"name": "Improper Handling of Parameters"
},
"discovery_date": "2026-01-16T14:21:50.559000+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2430375"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in OpenSSL. When an application processes a maliciously crafted PKCS#12 file, an attacker can exploit a stack buffer overflow or a NULL pointer dereference. This can lead to a denial of service (DoS) by crashing the application, and in some cases, may enable arbitrary code execution. The vulnerability arises from the lack of validation for PBKDF2 salt and keylength parameters within the PKCS#12 file.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openssl: OpenSSL: Arbitrary code execution or denial of service through crafted PKCS#12 file",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Moderate for Red Hat. It affects OpenSSL versions 3.6, 3.5, and 3.4, where improper validation of PBMAC1 parameters in PKCS#12 MAC verification can lead to a stack buffer overflow or NULL pointer dereference. Exploitation requires an application to process a maliciously crafted PKCS#12 file, which is uncommon as these files are typically trusted. OpenSSL versions 3.3, 3.0, 1.1.1, and 1.0.2 are not affected as they do not support PBMAC1 in PKCS#12.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
],
"known_not_affected": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-11187"
},
{
"category": "external",
"summary": "RHBZ#2430375",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2430375"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-11187",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-11187"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-11187",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11187"
}
],
"release_date": "2026-01-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-02-24T17:03:15+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://docs.openshift.com/container-platform/latest/operators/admin/olm-upgrading-operators.html",
"product_ids": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:3228"
},
{
"category": "workaround",
"details": "To mitigate this issue, avoid processing untrusted PKCS#12 files. Applications should only handle PKCS#12 files from trusted sources, as these files are typically used for storing private keys and are expected to be secure.",
"product_ids": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:H",
"version": "3.1"
},
"products": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "openssl: OpenSSL: Arbitrary code execution or denial of service through crafted PKCS#12 file"
},
{
"cve": "CVE-2025-15281",
"cwe": {
"id": "CWE-908",
"name": "Use of Uninitialized Resource"
},
"discovery_date": "2026-01-20T14:01:12.320264+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431196"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in glibc. When the wordexp function is called with the flags WRDE_REUSE and WRDE_APPEND, it may return uninitialized memory. If the caller inspects the we_wordv array or calls the wordfree function to free the allocated memory, the process will abort, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "glibc: wordexp with WRDE_REUSE and WRDE_APPEND may return uninitialized memory",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "To exploit this issue, an attacker needs to find an application linked to the glibc library that is using the wordexp function with the flags WRDE_REUSE and WRDE_APPEND. Also, calls to wordexp using both flags never worked correctly and thus the existence of applications that make use of this feature is unlikely. There is no known application vulnerable to this issue.\n\nFurthermore, this flaw will result in a denial of service with no other security impact.\n\nDue to these reasons, this vulnerability has been rated with a low severity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
],
"known_not_affected": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-15281"
},
{
"category": "external",
"summary": "RHBZ#2431196",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431196"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-15281",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-15281"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-15281",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15281"
},
{
"category": "external",
"summary": "https://sourceware.org/bugzilla/show_bug.cgi?id=33814",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=33814"
}
],
"release_date": "2026-01-20T13:22:46.495000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-02-24T17:03:15+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://docs.openshift.com/container-platform/latest/operators/admin/olm-upgrading-operators.html",
"product_ids": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:3228"
},
{
"category": "workaround",
"details": "To mitigate this issue, consider refactoring the use of the wordexp function to not use the WRDE_REUSE and WRDE_APPEND flags together.",
"product_ids": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "glibc: wordexp with WRDE_REUSE and WRDE_APPEND may return uninitialized memory"
},
{
"cve": "CVE-2025-15467",
"cwe": {
"id": "CWE-120",
"name": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)"
},
"discovery_date": "2026-01-16T14:21:50.710000+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2430376"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in OpenSSL. A remote attacker can exploit a stack buffer overflow vulnerability by supplying a crafted Cryptographic Message Syntax (CMS) message with an oversized Initialization Vector (IV) when parsing AuthEnvelopedData structures that use Authenticated Encryption with Associated Data (AEAD) ciphers such as AES-GCM. This can lead to a crash, causing a Denial of Service (DoS), or potentially allow for remote code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openssl: OpenSSL: Remote code execution or Denial of Service via oversized Initialization Vector in CMS parsing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Important for Red Hat products. On Red Hat Enterprise Linux, OpenSSL is built with stack protections enabled which mitigate the risk of code execution though a denial-of-service condition remains possible. This vulnerability only affects applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers, such as Kerberos using the PKINIT plugin. OpenSSL versions 1.1.1 and 1.0.2 are not affected by this issue.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
],
"known_not_affected": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-15467"
},
{
"category": "external",
"summary": "RHBZ#2430376",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2430376"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-15467",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-15467"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-15467",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15467"
}
],
"release_date": "2026-01-27T14:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-02-24T17:03:15+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://docs.openshift.com/container-platform/latest/operators/admin/olm-upgrading-operators.html",
"product_ids": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:3228"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "openssl: OpenSSL: Remote code execution or Denial of Service via oversized Initialization Vector in CMS parsing"
},
{
"cve": "CVE-2025-15468",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"discovery_date": "2026-01-16T14:21:51.062000+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2430377"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in openssl. A remote attacker could trigger a NULL pointer dereference by sending an unknown or unsupported cipher ID during the client hello callback in applications using the QUIC (Quick UDP Internet Connections) protocol. This vulnerability, occurring when the SSL_CIPHER_find() function is called in this specific context, leads to an abnormal termination of the running process, causing a Denial of Service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openssl: OpenSSL: Denial of Service via NULL pointer dereference in QUIC protocol handling",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Low for Red Hat. The NULL pointer dereference in the `SSL_CIPHER_find()` function, affecting OpenSSL versions 3.3, 3.4, 3.5, and 3.6, occurs only when applications utilizing the QUIC protocol uncommonly invoke this function from the `client_hello_cb` callback with an unknown cipher ID. This specific usage pattern and the resulting Denial of Service limit the overall impact in the Red Hat context.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
],
"known_not_affected": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-15468"
},
{
"category": "external",
"summary": "RHBZ#2430377",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2430377"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-15468",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-15468"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-15468",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15468"
}
],
"release_date": "2026-01-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-02-24T17:03:15+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://docs.openshift.com/container-platform/latest/operators/admin/olm-upgrading-operators.html",
"product_ids": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:3228"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "openssl: OpenSSL: Denial of Service via NULL pointer dereference in QUIC protocol handling"
},
{
"cve": "CVE-2025-15469",
"cwe": {
"id": "CWE-1284",
"name": "Improper Validation of Specified Quantity in Input"
},
"discovery_date": "2026-01-16T14:21:51.411000+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2430378"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in openssl. When a user signs or verifies files larger than 16MB using the `openssl dgst` command with one-shot algorithms, the tool silently truncates the input to 16MB. This creates an integrity gap, allowing trailing data beyond the initial 16MB to be modified without detection because it remains unauthenticated. This vulnerability primarily impacts workflows that both sign and verify files using the affected `openssl dgst` command.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openssl: OpenSSL: Data integrity bypass in `openssl dgst` command due to silent truncation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Low for Red Hat. The flaw affects the `openssl dgst` command-line tool when used with one-shot algorithms (such as Ed25519, Ed448, or ML-DSA) on files larger than 16MB. Impact is limited as it requires both signing and verification to be performed using the affected command, and verifiers using library APIs are not impacted.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
],
"known_not_affected": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-15469"
},
{
"category": "external",
"summary": "RHBZ#2430378",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2430378"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-15469",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-15469"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-15469",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15469"
}
],
"release_date": "2026-01-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-02-24T17:03:15+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://docs.openshift.com/container-platform/latest/operators/admin/olm-upgrading-operators.html",
"product_ids": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:3228"
},
{
"category": "workaround",
"details": "To mitigate this issue, avoid using the `openssl dgst` command with one-shot algorithms (such as Ed25519, Ed448, or ML-DSA) for files larger than 16MB. Instead, utilize streaming digest algorithms with `openssl dgst` or use library APIs for signing and verification, as these are not affected by the truncation vulnerability. Users should ensure that input files for one-shot signing/verification with `openssl dgst` do not exceed 16MB.",
"product_ids": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "openssl: OpenSSL: Data integrity bypass in `openssl dgst` command due to silent truncation"
},
{
"cve": "CVE-2025-66199",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-01-16T14:21:51.739000+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2430379"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in OpenSSL. A remote attacker can exploit this vulnerability by sending a specially crafted CompressedCertificate message during the TLS 1.3 handshake. This can cause excessive per-connection memory allocations, leading to resource exhaustion and a Denial of Service (DoS) for affected clients and servers. This issue occurs when TLS 1.3 certificate compression is enabled and negotiated.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openssl: OpenSSL: Denial of Service due to excessive memory allocation in TLS 1.3 certificate compression",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Low for Red Hat products. The flaw in OpenSSL 3.3, 3.4, 3.5, and 3.6 allows an attacker to cause excessive memory allocation during TLS 1.3 handshake with certificate compression, potentially leading to a Denial of Service. This affects both clients and servers in mutual TLS scenarios where certificate compression is negotiated. Servers not requesting client certificates are not vulnerable to client-initiated attacks.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
],
"known_not_affected": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-66199"
},
{
"category": "external",
"summary": "RHBZ#2430379",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2430379"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-66199",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66199"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-66199",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66199"
}
],
"release_date": "2026-01-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-02-24T17:03:15+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://docs.openshift.com/container-platform/latest/operators/admin/olm-upgrading-operators.html",
"product_ids": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:3228"
},
{
"category": "workaround",
"details": "To mitigate this issue, disable the reception of compressed certificates by setting the SSL_OP_NO_RX_CERTIFICATE_COMPRESSION option in OpenSSL configurations. This will prevent the vulnerable code path from being exercised.",
"product_ids": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "openssl: OpenSSL: Denial of Service due to excessive memory allocation in TLS 1.3 certificate compression"
},
{
"cve": "CVE-2025-68160",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2026-01-16T14:21:52.088000+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2430380"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in OpenSSL. This vulnerability involves an out-of-bounds write in the line-buffering BIO filter, which can lead to memory corruption. While exploitation is unlikely to be under direct attacker control, a successful attack could cause an application to crash, resulting in a Denial of Service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openssl: OpenSSL: Denial of Service due to out-of-bounds write in BIO filter",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Low for Red Hat. The `BIO_f_linebuffer` filter, where this heap out-of-bounds write occurs, is not used by default in TLS/SSL data paths within Red Hat products. Exploitation requires third-party applications to explicitly use this filter with a BIO chain that can short-write and process large, newline-free data influenced by an attacker, which is an unlikely scenario under attacker control. Red Hat FIPS modules are not affected by this issue.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
],
"known_not_affected": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-68160"
},
{
"category": "external",
"summary": "RHBZ#2430380",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2430380"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-68160",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68160"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-68160",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68160"
}
],
"release_date": "2026-01-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-02-24T17:03:15+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://docs.openshift.com/container-platform/latest/operators/admin/olm-upgrading-operators.html",
"product_ids": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:3228"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "openssl: OpenSSL: Denial of Service due to out-of-bounds write in BIO filter"
},
{
"cve": "CVE-2025-69418",
"cwe": {
"id": "CWE-325",
"name": "Missing Cryptographic Step"
},
"discovery_date": "2026-01-16T14:21:52.438000+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2430381"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in OpenSSL. When applications directly call the low-level CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions with non-block-aligned lengths in a single call on hardware-accelerated builds, the trailing 1-15 bytes of a message may be exposed in cleartext. These exposed bytes are not covered by the authentication tag, allowing an attacker to read or tamper with them without detection.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openssl: OpenSSL: Information disclosure and data tampering via specific low-level OCB encryption/decryption calls",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Low for Red Hat products. In the Red Hat context, impact is limited because typical OpenSSL consumers using higher-level EVP APIs are not affected. The flaw only manifests when applications directly call low-level CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions with non-block-aligned lengths in hardware-accelerated builds. Additionally, TLS does not use OCB ciphersuites, and FIPS modules are not affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
],
"known_not_affected": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-69418"
},
{
"category": "external",
"summary": "RHBZ#2430381",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2430381"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-69418",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-69418"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-69418",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69418"
}
],
"release_date": "2026-01-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-02-24T17:03:15+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://docs.openshift.com/container-platform/latest/operators/admin/olm-upgrading-operators.html",
"product_ids": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:3228"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "openssl: OpenSSL: Information disclosure and data tampering via specific low-level OCB encryption/decryption calls"
},
{
"cve": "CVE-2025-69419",
"cwe": {
"id": "CWE-131",
"name": "Incorrect Calculation of Buffer Size"
},
"discovery_date": "2026-01-16T14:21:52.793000+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2430386"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in OpenSSL. When processing a specially crafted PKCS#12 (Personal Information Exchange Syntax Standard) file, a remote attacker can exploit an out-of-bounds write vulnerability. This issue, occurring within the OPENSSL_uni2utf8() function, leads to memory corruption by writing data beyond its allocated buffer. Successful exploitation could result in a denial of service or potentially allow for arbitrary code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openssl: OpenSSL: Arbitrary code execution due to out-of-bounds write in PKCS#12 processing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Moderate for Red Hat. An out-of-bounds write in OpenSSL\u0027s PKCS12_get_friendlyname() function can lead to denial of service or arbitrary code execution. Exploitation requires an application to parse a specially crafted malicious PKCS#12 file. Red Hat FIPS modules are not affected as the PKCS#12 implementation is outside the FIPS module boundary.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
],
"known_not_affected": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-69419"
},
{
"category": "external",
"summary": "RHBZ#2430386",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2430386"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-69419",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-69419"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-69419",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69419"
}
],
"release_date": "2026-01-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-02-24T17:03:15+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://docs.openshift.com/container-platform/latest/operators/admin/olm-upgrading-operators.html",
"product_ids": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:3228"
},
{
"category": "workaround",
"details": "To mitigate this vulnerability, Red Hat recommends avoiding the processing of PKCS#12 files from untrusted or unverified sources. Applications that use the `PKCS12_get_friendlyname()` API should ensure that PKCS#12 files are only processed if they originate from trusted entities. Restricting the input sources for PKCS#12 files can significantly reduce the attack surface for this flaw.",
"product_ids": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "openssl: OpenSSL: Arbitrary code execution due to out-of-bounds write in PKCS#12 processing"
},
{
"cve": "CVE-2025-69420",
"cwe": {
"id": "CWE-843",
"name": "Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)"
},
"discovery_date": "2026-01-16T14:21:53.497000+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2430388"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in OpenSSL. A type confusion vulnerability exists in the TimeStamp Response verification code, where an ASN1_TYPE union member is accessed without proper type validation. A remote attacker can exploit this by providing a malformed TimeStamp Response to an application that verifies timestamp responses. This can lead to an invalid or NULL pointer dereference, resulting in a Denial of Service (DoS) due to an application crash.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openssl: OpenSSL: Denial of Service via malformed TimeStamp Response",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Low for Red Hat products. A type confusion flaw in the TimeStamp Response verification code can lead to a Denial of Service when processing a specially crafted TimeStamp Response. Exploitation requires an application to call `TS_RESP_verify_response()` with a malformed response, and the TimeStamp protocol (RFC 3161) is not widely used. Red Hat FIPS modules are not affected as the TimeStamp Response implementation is outside the FIPS module boundary.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
],
"known_not_affected": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-69420"
},
{
"category": "external",
"summary": "RHBZ#2430388",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2430388"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-69420",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-69420"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-69420",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69420"
}
],
"release_date": "2026-01-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-02-24T17:03:15+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://docs.openshift.com/container-platform/latest/operators/admin/olm-upgrading-operators.html",
"product_ids": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:3228"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "openssl: OpenSSL: Denial of Service via malformed TimeStamp Response"
},
{
"cve": "CVE-2025-69421",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"discovery_date": "2026-01-16T14:21:53.845000+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2430387"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in OpenSSL. This vulnerability allows a remote attacker to trigger a Denial of Service (DoS) by providing a specially crafted, malformed PKCS#12 file to an application that processes it. The flaw occurs due to a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function when handling the malformed file, leading to an application crash.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openssl: OpenSSL: Denial of Service via malformed PKCS#12 file processing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Low for Red Hat because it requires an application to process a specially crafted, malformed PKCS#12 file, leading to a Denial of Service. The vulnerability is limited to a crash and cannot be escalated to achieve code execution or memory disclosure. Red Hat FIPS modules are not affected as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
],
"known_not_affected": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-69421"
},
{
"category": "external",
"summary": "RHBZ#2430387",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2430387"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-69421",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-69421"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-69421",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69421"
}
],
"release_date": "2026-01-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-02-24T17:03:15+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://docs.openshift.com/container-platform/latest/operators/admin/olm-upgrading-operators.html",
"product_ids": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:3228"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "openssl: OpenSSL: Denial of Service via malformed PKCS#12 file processing"
},
{
"cve": "CVE-2026-0861",
"cwe": {
"id": "CWE-190",
"name": "Integer Overflow or Wraparound"
},
"discovery_date": "2026-01-14T22:01:10.975595+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2429771"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the glibc library. Passing an excessively large alignment value to the memalign suite of functions, such as memalign, posix_memalign, aligned_alloc, valloc and pvalloc, an integer overflow can occur during internal size calculations due to improper overflow checks, causing an allocation of a small chunk of memory which is subsequently used for writing. This issue can result in an application crash or heap memory corruption.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "glibc: Integer overflow in memalign leads to heap corruption",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "To exploit this flaw, an attacker needs to find an application linked to the glibc library that is using one of the vulnerable functions (memalign, posix_memalign, aligned_alloc, valloc or pvalloc) in a way that the alignment parameter can be user-controlled, allowing an attacker to trigger the integer overflow. However, the alignment parameter used by the functions is usually hard-coded power of two and do not allow arbitrary values, specially values supplied by a user. There is no known application vulnerable to this issue.\n\nAlso, default Red Hat Enterprise Linux security features, including SELinux enforcement, Address Space Layout Randomization (ASLR) and memory protections significantly increase the difficult of achieving arbitrary code execution, limiting the impact of this vulnerability.\n\nDue to these reasons, this vulnerability has been rated with a low severity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
],
"known_not_affected": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-0861"
},
{
"category": "external",
"summary": "RHBZ#2429771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2429771"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-0861",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0861"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-0861",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0861"
},
{
"category": "external",
"summary": "https://sourceware.org/bugzilla/show_bug.cgi?id=33796",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=33796"
}
],
"release_date": "2026-01-14T21:01:11.037000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-02-24T17:03:15+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://docs.openshift.com/container-platform/latest/operators/admin/olm-upgrading-operators.html",
"product_ids": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:3228"
},
{
"category": "workaround",
"details": "Applications calling one of the vulnerable functions and allowing the alignment parameter to be set by user-controlled input can implement additional validations checks, ensuring the alignment value is a power of two and does not exceed a sane limit, for example the system page size or a maximum of 64KB. This prevents the excessively large value required to trigger the integer overflow.",
"product_ids": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "glibc: Integer overflow in memalign leads to heap corruption"
},
{
"cve": "CVE-2026-0915",
"cwe": {
"id": "CWE-908",
"name": "Use of Uninitialized Resource"
},
"discovery_date": "2026-01-15T23:01:26.157678+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2430201"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in glibc, the GNU C Library. When an application calls the `getnetbyaddr` or `getnetbyaddr_r` functions to resolve a network address, and the system\u0027s `nsswitch.conf` file is configured to use a DNS (Domain Name System) backend for network lookups, a query for a zero-valued network can lead to the disclosure of stack memory contents. This information is leaked to the configured DNS resolver, potentially allowing an attacker who controls the resolver to gain sensitive data from the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "glibc: glibc: Information disclosure via zero-valued network query",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Moderate for Red Hat products. It allows for information disclosure of stack contents to a configured DNS resolver when an application utilizes `getnetbyaddr` or `getnetbyaddr_r` with a DNS backend specified in `nsswitch.conf` for a zero-valued network query. This affects Red Hat Enterprise Linux and OpenShift Container Platform.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
],
"known_not_affected": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-0915"
},
{
"category": "external",
"summary": "RHBZ#2430201",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2430201"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-0915",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0915"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-0915",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0915"
},
{
"category": "external",
"summary": "https://sourceware.org/bugzilla/show_bug.cgi?id=33802",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=33802"
}
],
"release_date": "2026-01-15T22:08:41.630000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-02-24T17:03:15+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://docs.openshift.com/container-platform/latest/operators/admin/olm-upgrading-operators.html",
"product_ids": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:3228"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "glibc: glibc: Information disclosure via zero-valued network query"
},
{
"cve": "CVE-2026-22795",
"cwe": {
"id": "CWE-843",
"name": "Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)"
},
"discovery_date": "2026-01-16T14:21:53.146000+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2430389"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in OpenSSL. This type confusion vulnerability allows a remote attacker to cause a Denial of Service (DoS) by tricking a user or application into processing a maliciously crafted PKCS#12 (Personal Information Exchange Syntax Standard) file. The vulnerability leads to an invalid or NULL pointer dereference, resulting in an application crash.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openssl: OpenSSL: Denial of Service due to type confusion in PKCS#12 file processing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Low for Red Hat products. An application processing a maliciously crafted PKCS#12 file can be caused to dereference an invalid or NULL pointer, resulting in a Denial of Service. In the Red Hat context, impact is limited as PKCS#12 files are typically used for trusted private keys and are not commonly accepted from untrusted sources.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
],
"known_not_affected": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-22795"
},
{
"category": "external",
"summary": "RHBZ#2430389",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2430389"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-22795",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22795"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-22795",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22795"
}
],
"release_date": "2026-01-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-02-24T17:03:15+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://docs.openshift.com/container-platform/latest/operators/admin/olm-upgrading-operators.html",
"product_ids": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:3228"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "openssl: OpenSSL: Denial of Service due to type confusion in PKCS#12 file processing"
},
{
"cve": "CVE-2026-22796",
"cwe": {
"id": "CWE-1287",
"name": "Improper Validation of Specified Type of Input"
},
"discovery_date": "2026-01-16T14:43:21.598000+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2430390"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in OpenSSL. This type confusion vulnerability allows a remote attacker to cause a denial of service (DoS) by providing specially crafted PKCS#7 data to an application that performs signature verification. The vulnerability occurs because the application accesses an ASN1_TYPE union member without proper type validation, leading to an invalid or NULL pointer dereference and a crash.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openssl: OpenSSL: Denial of Service via type confusion in PKCS#7 signature verification",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Low for Red Hat products. A type confusion flaw in the legacy PKCS#7 API can lead to a Denial of Service when processing specially crafted PKCS#7 data. Exploitation requires an application to perform signature verification of malformed PKCS#7 data. Red Hat products utilizing the FIPS module are not affected as the PKCS#7 parsing is outside the module boundary.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
],
"known_not_affected": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-22796"
},
{
"category": "external",
"summary": "RHBZ#2430390",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2430390"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-22796",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22796"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-22796",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22796"
}
],
"release_date": "2026-01-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-02-24T17:03:15+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://docs.openshift.com/container-platform/latest/operators/admin/olm-upgrading-operators.html",
"product_ids": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:3228"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-operator-bundle@sha256:5acccd71d43acf0b452b05a87ddaecffe7bfb4dd47bab24725b1d4ec88879441_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1_arm64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:210abe5689a75606b17b1cea30eeef8fd7f0ab39a5d2af6af32e314ed80928c7_amd64",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:5ae433507d81fd888260a30b4519daf148c42a71d469e9f63eed75f599733937_s390x",
"Cost Management 4:registry.redhat.io/costmanagement/costmanagement-metrics-rhel9-operator@sha256:7424ae28625701b1441987b0457100505e273b2cbcb087bf0c046d7b2cc596c7_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "openssl: OpenSSL: Denial of Service via type confusion in PKCS#7 signature verification"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…