Red Hat Security Advisory 2023-5314-01 - OpenShift API for Data Protection enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes. Issues addressed include a denial of service vulnerability.
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: OpenShift API for Data Protection (OADP) 1.1.6 security and bug fix update
Advisory ID: RHSA-2023:5314-01
Product: OpenShift API for Data Protection
Advisory URL: https://access.redhat.com/errata/RHSA-2023:5314
Issue date: 2023-09-20
CVE Names: CVE-2020-24736 CVE-2022-21698 CVE-2022-41723
           CVE-2022-48281 CVE-2023-1667 CVE-2023-2253
           CVE-2023-2283 CVE-2023-2602 CVE-2023-2603
           CVE-2023-24532 CVE-2023-25173 CVE-2023-26604
           CVE-2023-27536 CVE-2023-28321 CVE-2023-28484
           CVE-2023-29469 CVE-2023-32360 CVE-2023-34969
=====================================================================
1. Summary:
OpenShift API for Data Protection (OADP) 1.1.6 is now available.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Description:
OpenShift API for Data Protection (OADP) enables you to back up and restore
application resources, persistent volume data, and internal container
images to external backup storage. OADP enables both file system-based and
snapshot-based backups for persistent volumes.
Security Fix(es):
* prometheus/client_golang: Denial of service using InstrumentHandlerCounter (CVE-2022-21698)
* net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (CVE-2022-41723)
* distribution/distribution: DoS from malicious API request (CVE-2023-2253)
* golang: crypto/internal/nistec: specific unreduced P-256 scalars produce incorrect results (CVE-2023-24532)
* containerd: Supplementary groups are not set up properly (CVE-2023-25173)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
3. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
4. Bugs fixed (https://bugzilla.redhat.com/):
2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter
2174485 - CVE-2023-25173 containerd: Supplementary groups are not set up properly
2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding
2189886 - CVE-2023-2253 distribution/distribution: DoS from malicious API request
2223355 - CVE-2023-24532 golang: crypto/internal/nistec: specific unreduced P-256 scalars produce incorrect results
5. JIRA issues fixed (https://issues.redhat.com/):
OADP-2420 - oadp-1.1.x Restic restore is partially failing due to Pod Security standard
OADP-2530 - Restore is partially failing for job resource
6. References:
https://access.redhat.com/security/cve/CVE-2020-24736
https://access.redhat.com/security/cve/CVE-2022-21698
https://access.redhat.com/security/cve/CVE-2022-41723
https://access.redhat.com/security/cve/CVE-2022-48281
https://access.redhat.com/security/cve/CVE-2023-1667
https://access.redhat.com/security/cve/CVE-2023-2253
https://access.redhat.com/security/cve/CVE-2023-2283
https://access.redhat.com/security/cve/CVE-2023-2602
https://access.redhat.com/security/cve/CVE-2023-2603
https://access.redhat.com/security/cve/CVE-2023-24532
https://access.redhat.com/security/cve/CVE-2023-25173
https://access.redhat.com/security/cve/CVE-2023-26604
https://access.redhat.com/security/cve/CVE-2023-27536
https://access.redhat.com/security/cve/CVE-2023-28321
https://access.redhat.com/security/cve/CVE-2023-28484
https://access.redhat.com/security/cve/CVE-2023-29469
https://access.redhat.com/security/cve/CVE-2023-32360
https://access.redhat.com/security/cve/CVE-2023-34969
https://access.redhat.com/security/updates/classification/#moderate
7. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2023 Red Hat, Inc.
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce