Issued:
2023-06-21
Updated:
2023-06-21

RHSA-2023:3742 - Important: Red Hat OpenShift Data Foundation 4.13.0 security and bug fix update

Synopsis

Important: Red Hat OpenShift Data Foundation 4.13.0 security and bug fix update

Type/Severity

Security Advisory Important

Topic

Updated images that include numerous enhancements, security, and bug fixes are now available in Red Hat Container Registry for Red Hat OpenShift Data Foundation 4.13.0 on Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. In addition to persistent storage, Red Hat OpenShift Data Foundation provisions a multicloud data management service with an S3 compatible API.

Security Fix(es):

  • goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be (CVE-2021-4238)

  • decode-uri-component: improper input validation resulting in DoS (CVE-2022-38900)

  • vault: Hashicorp Vault AWS IAM Integration Authentication Bypass (CVE-2020-16250)

  • vault: GCP Auth Method Allows Authentication Bypass (CVE-2020-16251)

  • nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807)

  • go-yaml: Denial of Service in go-yaml (CVE-2021-4235)

  • vault: incorrect policy enforcement (CVE-2021-43998)

  • nodejs: Improper handling of URI Subject Alternative Names (CVE-2021-44531)

  • nodejs: Certificate Verification Bypass via String Injection (CVE-2021-44532)

  • nodejs: Incorrect handling of certificate subject and issuer fields (CVE-2021-44533)

  • golang: archive/tar: unbounded memory consumption when reading headers (CVE-2022-2879)

  • golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)

  • nodejs-minimatch: ReDoS via the braceExpand function (CVE-2022-3517)

  • jsonwebtoken: Insecure default algorithm in jwt.verify() could lead to signature validation bypass (CVE-2022-23540)

  • jsonwebtoken: Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC (CVE-2022-23541)

  • golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)

  • golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)

  • golang: net/url: JoinPath does not strip relative path components in all circumstances (CVE-2022-32190)

  • consul: Consul Template May Expose Vault Secrets When Processing Invalid Input (CVE-2022-38149)

  • vault: insufficient certificate revocation list checking (CVE-2022-41316)

  • golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)

  • golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)

  • net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (CVE-2022-41723)

  • golang: crypto/tls: large handshake records may cause panics (CVE-2022-41724)

  • golang: net/http, mime/multipart: denial of service from excessive resource consumption (CVE-2022-41725)

  • json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)

  • vault: Vault’s Microsoft SQL Database Storage Backend Vulnerable to SQL Injection Via Configuration File (CVE-2023-0620)

  • hashicorp/vault: Vault’s PKI Issuer Endpoint Did Not Correctly Authorize Access to Issuer Metadata (CVE-2023-0665)

  • Hashicorp/vault: Vault Fails to Verify if Approle SecretID Belongs to Role During a Destroy Operation (CVE-2023-24999)

  • hashicorp/vault: Cache-Timing Attacks During Seal and Unseal Operations (CVE-2023-25000)

  • validator: Inefficient Regular Expression Complexity in Validator.js (CVE-2021-3765)

  • nodejs: Prototype pollution via console.table properties (CVE-2022-21824)

  • golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

These updated images include numerous enhancements and bug fixes. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat OpenShift Data Foundation Release Notes for information on the most significant of these changes:

https://access.redhat.com/documentation/en-us/red_hat_openshift_data_foundation/4.13/html/4.13_release_notes/index

All Red Hat OpenShift Data Foundation users are advised to upgrade to these updated images that provide numerous bug fixes and enhancements.

Affected Products

ProductVersionArch
Red Hat OpenShift Data Foundation4x86_64
Red Hat OpenShift Data Foundation for RHEL 9 ARM4aarch64
Red Hat OpenShift Data Foundation for IBM Z and LinuxONE4s390x
Red Hat OpenShift Data Foundation for IBM Power, little endian4ppc64le

Fixes

CVEs

References

Additional information