===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2024.2348
  OpenShift API for Data Protection (OADP) 1.3.1 security and bug fix update
                               17 April 2024

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           OpenShift API for Data Protection (OADP) 1.3.1
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-48795 CVE-2023-45287 CVE-2024-24786
                   CVE-2023-39326 CVE-2023-45142 CVE-2024-28180

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2024:1859

Comment: CVSS (Max):  7.5 CVE-2023-45287 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

- --------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift API for Data Protection (OADP) 1.3.1
                   security and bug fix update
Advisory ID:       RHSA-2024:1859
Product:           9Base-OADP-1.3
Advisory URL:      https://access.redhat.com/errata/RHSA-2024:1859
Issue date:        2024-04-16
CVE Names:         CVE-2023-39326 CVE-2023-45142 CVE-2023-45287
                   CVE-2023-48795 CVE-2024-24786 CVE-2024-28180
=====================================================================

1. Summary:

OpenShift API for Data Protection (OADP) 1.3.1 is now available.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

9Base-OADP-1.3 - amd64, arm64, ppc64le, s390x

3. Description:

OpenShift API for Data Protection (OADP) enables you to back up and restore
application resources, persistent volume data, and internal container images
to external backup storage. OADP enables both file system-based and
snapshot-based backups for persistent volumes.

Security Fix(es) from Bugzilla:

* opentelemetry: DoS vulnerability in otelhttp (CVE-2023-45142)

* golang: crypto/tls: Timing Side Channel attack in RSA based TLS key
  exchanges (CVE-2023-45287)

* golang: net/http/internal: Denial of Service (DoS) via Resource
  Consumption via HTTP requests (CVE-2023-39326)

* ssh: Prefix truncation attack on Binary Packet Protocol (BPP)
  (CVE-2023-48795)

* golang-protobuf: encoding/protojson, internal/encoding/json: infinite
  loop in protojson.Unmarshal when unmarshaling certain forms of invalid
  JSON (CVE-2024-24786)

* jose-go: improper handling of highly compressed data (CVE-2024-28180)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in the
References section.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2253330 - CVE-2023-39326 - golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests
2245180 - CVE-2023-45142 - opentelemetry: DoS vulnerability in otelhttp
2253193 - CVE-2023-45287 - golang: crypto/tls: Timing Side Channel attack in RSA based TLS key exchanges
2254210 - CVE-2023-48795 - ssh: Prefix truncation attack on Binary Packet Protocol (BPP)
2268046 - CVE-2024-24786 - golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON
2268854 - CVE-2024-28180 - jose-go: improper handling of highly compressed data

6. Package List:

9Base-OADP-1.3:
7. References:

https://access.redhat.com/security/cve/CVE-2023-39326
https://access.redhat.com/security/cve/CVE-2023-45142
https://access.redhat.com/security/cve/CVE-2023-45287
https://access.redhat.com/security/cve/CVE-2023-48795
https://access.redhat.com/security/cve/CVE-2024-24786
https://access.redhat.com/security/cve/CVE-2024-28180
https://access.redhat.com/security/updates/classification/#moderate

- --------------------------END INCLUDED TEXT----------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================