===========================================================================
             AUSCERT External Security Bulletin Redistribution             
                                                                           
                               ESB-2024.2348                               
OpenShift API for Data Protection (OADP) 1.3.1 security and bug fix update 
                               17 April 2024                               
                                                                           
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           OpenShift API for Data Protection (OADP) 1.3.1          
Publisher:         Red Hat                                                 
Operating System:  Red Hat                                                 
Resolution:        Patch/Upgrade                                           
CVE Names:         CVE-2023-48795 CVE-2023-45287 CVE-2024-24786            
                   CVE-2023-39326 CVE-2023-45142 CVE-2024-28180            

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2024:1859

Comment: CVSS (Max):  7.5 CVE-2023-45287 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
         CVSS Source: Red Hat                                              
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N


- --------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                Red Hat Security Advisory

Synopsis:          Moderate: OpenShift API for Data Protection
                   (OADP) 1.3.1 security and bug fix update
Advisory ID:       RHSA-2024:1859
Product:           9Base-OADP-1.3
Advisory URL:      https://access.redhat.com/errata/RHSA-2024:1859
Issue date:        2024-04-16
CVE Names:         CVE-2023-39326 CVE-2023-45142 CVE-2023-45287 CVE-2023-48795
                   CVE-2024-24786 CVE-2024-28180
=====================================================================

1. Summary:

OpenShift API for Data Protection (OADP) 1.3.1 is now available.

Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

9Base-OADP-1.3 - amd64, arm64, ppc64le, s390x 

3. Description:

OpenShift API for Data Protection (OADP) enables you to back up and restore
application resources, persistent volume data, and internal container images to
external backup storage. OADP enables both file system-based and snapshot-based
backups for persistent volumes.

Security Fix(es) from Bugzilla:

* opentelemetry: DoS vulnerability in otelhttp (CVE-2023-45142)

* golang: crypto/tls: Timing Side Channel attack in RSA based TLS key exchanges.
(CVE-2023-45287)

* golang: net/http/internal: Denial of Service (DoS) via Resource Consumption
via HTTP requests (CVE-2023-39326)

* ssh: Prefix truncation attack on Binary Packet Protocol (BPP) (CVE-2023-48795)

* golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in
protojson.Unmarshal when unmarshaling certain forms of invalid JSON
(CVE-2024-24786)

* jose-go: improper handling of highly compressed data (CVE-2024-28180)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in the
References section.
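The last fix listed above (CVE-2024-28180, "improper handling of highly compressed data" in jose-go) belongs to the decompression-bomb class, where a few kilobytes of DEFLATE input inflate to an unbounded amount of memory. The Go program below is an added example and is not part of the Red Hat advisory or of the go-jose code base; it shows the defensive pattern of capping the inflated size with io.LimitReader before trusting a payload, and the cap MaxInflatedBytes and the helper Deflate are assumptions made for this example only.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"fmt"
	"io"
)

// MaxInflatedBytes is a cap assumed for this example, not a go-jose value.
const MaxInflatedBytes = 64 * 1024

// ErrInflateTooLarge is returned when the inflated output would exceed the cap.
var ErrInflateTooLarge = errors.New("inflated payload exceeds size limit")

// InflateBounded decompresses raw DEFLATE data but stops as soon as the output
// would exceed maxOut, so a few kilobytes of input cannot exhaust memory.
func InflateBounded(compressed []byte, maxOut int64) ([]byte, error) {
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	// Read at most maxOut+1 bytes: the extra byte reveals an over-limit stream.
	out, err := io.ReadAll(io.LimitReader(r, maxOut+1))
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > maxOut {
		return nil, ErrInflateTooLarge
	}
	return out, nil
}

// Deflate compresses data at best compression; used only to build sample inputs.
func Deflate(data []byte) ([]byte, error) {
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.BestCompression)
	if err != nil {
		return nil, err
	}
	if _, err := w.Write(data); err != nil {
		return nil, err
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func main() {
	// Constructed sample: 4 MiB of zeros deflates to a few kilobytes.
	bomb, _ := Deflate(make([]byte, 4<<20))
	_, err := InflateBounded(bomb, MaxInflatedBytes)
	fmt.Printf("%d compressed bytes: %v\n", len(bomb), err)
}
```

The same bound applies to any JWE "zip":"DEF" payload or other attacker-supplied compressed input: reject it once the output limit is crossed rather than reading the stream to completion.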

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2253330 - CVE-2023-39326 - golang: net/http/internal: Denial of Service (DoS)
via Resource Consumption via HTTP requests
2245180 - CVE-2023-45142 - opentelemetry: DoS vulnerability in otelhttp 
2253193 - CVE-2023-45287 - golang: crypto/tls: Timing Side Channel attack in RSA
based TLS key exchanges.
2254210 - CVE-2023-48795 - ssh: Prefix truncation attack on Binary Packet
Protocol (BPP)
2268046 - CVE-2024-24786 - golang-protobuf: encoding/protojson,
internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling
certain forms of invalid JSON
2268854 - CVE-2024-28180 - jose-go: improper handling of highly compressed data 

6. Package List:

9Base-OADP-1.3

7. References:

https://access.redhat.com/security/cve/CVE-2023-39326
https://access.redhat.com/security/cve/CVE-2023-45142
https://access.redhat.com/security/cve/CVE-2023-45287
https://access.redhat.com/security/cve/CVE-2023-48795
https://access.redhat.com/security/cve/CVE-2024-24786
https://access.redhat.com/security/cve/CVE-2024-28180
https://access.redhat.com/security/updates/classification/#moderate

- --------------------------END INCLUDED TEXT----------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================