what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Red Hat Security Advisory 2023-5314-01

Red Hat Security Advisory 2023-5314-01
Posted Sep 21, 2023
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2023-5314-01 - OpenShift API for Data Protection enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes. Issues addressed include a denial of service vulnerability.

tags | advisory, denial of service
systems | linux, redhat
advisories | CVE-2020-24736, CVE-2022-21698, CVE-2022-41723, CVE-2022-48281, CVE-2023-1667, CVE-2023-2253, CVE-2023-2283, CVE-2023-24532, CVE-2023-25173, CVE-2023-2602, CVE-2023-2603, CVE-2023-26604, CVE-2023-27536, CVE-2023-28321
SHA-256 | 8cf8572f470b3beefb5a0e9b9113eb0f47bd25024311177330838258f83c2573

Red Hat Security Advisory 2023-5314-01

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: OpenShift API for Data Protection (OADP) 1.1.6 security and bug fix update
Advisory ID: RHSA-2023:5314-01
Product: OpenShift API for Data Protection
Advisory URL: https://access.redhat.com/errata/RHSA-2023:5314
Issue date: 2023-09-20
CVE Names: CVE-2020-24736 CVE-2022-21698 CVE-2022-41723
CVE-2022-48281 CVE-2023-1667 CVE-2023-2253
CVE-2023-2283 CVE-2023-2602 CVE-2023-2603
CVE-2023-24532 CVE-2023-25173 CVE-2023-26604
CVE-2023-27536 CVE-2023-28321 CVE-2023-28484
CVE-2023-29469 CVE-2023-32360 CVE-2023-34969
=====================================================================

1. Summary:

OpenShift API for Data Protection (OADP) 1.1.6 is now available.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

OpenShift API for Data Protection (OADP) enables you to back up and restore
application resources, persistent volume data, and internal container
images to external backup storage. OADP enables both file system-based and
snapshot-based backups for persistent volumes.

Security Fix(es):

* prometheus/client_golang: Denial of service using
InstrumentHandlerCounter (CVE-2022-21698)

* net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK
decoding (CVE-2022-41723)

* distribution/distribution: DoS from malicious API request (CVE-2023-2253)

* golang: crypto/internal/nistec: specific unreduced P-256 scalars produce
incorrect results (CVE-2023-24532)

* containerd: Supplementary groups are not set up properly (CVE-2023-25173)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter
2174485 - CVE-2023-25173 containerd: Supplementary groups are not set up properly
2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding
2189886 - CVE-2023-2253 distribution/distribution: DoS from malicious API request
2223355 - CVE-2023-24532 golang: crypto/internal/nistec: specific unreduced P-256 scalars produce incorrect results

5. JIRA issues fixed (https://issues.redhat.com/):

OADP-2420 - oadp-1.1.x Restic restore is partially failing due to Pod Security standard
OADP-2530 - Restore is partially failing for job resource

6. References:

https://access.redhat.com/security/cve/CVE-2020-24736
https://access.redhat.com/security/cve/CVE-2022-21698
https://access.redhat.com/security/cve/CVE-2022-41723
https://access.redhat.com/security/cve/CVE-2022-48281
https://access.redhat.com/security/cve/CVE-2023-1667
https://access.redhat.com/security/cve/CVE-2023-2253
https://access.redhat.com/security/cve/CVE-2023-2283
https://access.redhat.com/security/cve/CVE-2023-2602
https://access.redhat.com/security/cve/CVE-2023-2603
https://access.redhat.com/security/cve/CVE-2023-24532
https://access.redhat.com/security/cve/CVE-2023-25173
https://access.redhat.com/security/cve/CVE-2023-26604
https://access.redhat.com/security/cve/CVE-2023-27536
https://access.redhat.com/security/cve/CVE-2023-28321
https://access.redhat.com/security/cve/CVE-2023-28484
https://access.redhat.com/security/cve/CVE-2023-29469
https://access.redhat.com/security/cve/CVE-2023-32360
https://access.redhat.com/security/cve/CVE-2023-34969
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJlC2O7AAoJENzjgjWX9erEIegP/jiQpwXy0aaKzfHzA0rXg1l8
vdXrQixzjdIROSjGgUUn55wQ6oPGJuza/eUcVgg6bTal7FsM68DlsEj61A3EE3TG
9kB+N3M2oHgjTnKHD1NVRZYpoFR1Fbyf2VCPaMQwzfkt7Qdg39gs0SiTgUFwVDCK
wzis/4Gx/bRY94TXmU9nl1FwqWZywTmtKufLqxJrQpYXUJrHkZxMH7Ks8rpOosj+
+30kZxCqjda9W0c0jU9hB9GcggejfeDeIuN5nC7oUYIE8gTscnvsY3odkr2TcH3b
KDKJ2XnVFg5P4RkBBL2B/iT1Bnw6eayrct0FFT3/u5HUKzM2jENyKi4z92HzeiMS
YpULP+seXtH27phR3zCNnO4QtorBg9WUtWdjTz2tlFPGym/W7FwUPKbINzjbnSC0
sj2c9nBZ4l9B3FYgLoe6jBZqiCC3nZ5+Xw8e60LPHlYGdRTV7ssTmqcNMTSjkq0P
y8fdvHmewndtY2RlvOroQEjTYoXVzVTA09HnN30Epulld19n+rCZMRRJUICNVLhJ
Eu121hROtRlneGMDAi/A5DbAXSazggv+4ruDaHjn3A1Xe6/ihBGH+HHF522iz6aP
/angx12WFRYvqtkqQ1p0qimkJjMaKDwCOiDzq1geUMosaaB9wWFjxeSQy54qhaV4
QnWeHUCp/nkyFbRRYSOf
=FDRT
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    0 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    0 Files
  • 8
    Nov 8th
    0 Files
  • 9
    Nov 9th
    0 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close