Red Hat 9041 Published by

An OpenShift API for Data Protection (OADP) 1.1.2 security and bug fix update has been released.



RHSA-2023:1174-01: Moderate: OpenShift API for Data Protection (OADP) 1.1.2 security and bug fix update



=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: OpenShift API for Data Protection (OADP) 1.1.2 security and bug fix update
Advisory ID: RHSA-2023:1174-01
Product: OpenShift API for Data Protection
Advisory URL:   https://access.redhat.com/errata/RHSA-2023:1174
Issue date: 2023-03-09
CVE Names: CVE-2021-46848 CVE-2022-1122 CVE-2022-1304
CVE-2022-2056 CVE-2022-2057 CVE-2022-2058
CVE-2022-2519 CVE-2022-2520 CVE-2022-2521
CVE-2022-2867 CVE-2022-2868 CVE-2022-2869
CVE-2022-2879 CVE-2022-2880 CVE-2022-2953
CVE-2022-4415 CVE-2022-4883 CVE-2022-22624
CVE-2022-22628 CVE-2022-22629 CVE-2022-22662
CVE-2022-25308 CVE-2022-25309 CVE-2022-25310
CVE-2022-26700 CVE-2022-26709 CVE-2022-26710
CVE-2022-26716 CVE-2022-26717 CVE-2022-26719
CVE-2022-27404 CVE-2022-27405 CVE-2022-27406
CVE-2022-30293 CVE-2022-35737 CVE-2022-40303
CVE-2022-40304 CVE-2022-41715 CVE-2022-41717
CVE-2022-42010 CVE-2022-42011 CVE-2022-42012
CVE-2022-42898 CVE-2022-43680 CVE-2022-44617
CVE-2022-46285 CVE-2022-47629 CVE-2022-48303
=====================================================================

1. Summary:

OpenShift API for Data Protection (OADP) 1.1.2 is now available.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

OpenShift API for Data Protection (OADP) enables you to back up and restore
application resources, persistent volume data, and internal container
images to external backup storage. OADP enables both file system-based and
snapshot-based backups for persistent volumes.

Security Fix(es) from Bugzilla:

* golang: archive/tar: unbounded memory consumption when reading headers
(CVE-2022-2879)

* golang: net/http/httputil: ReverseProxy should not forward unparseable
query parameters (CVE-2022-2880)

* golang: regexp/syntax: limit memory used by parsing regexps
(CVE-2022-41715)

* golang: net/http: An attacker can cause excessive memory growth in a Go
server accepting HTTP/2 requests (CVE-2022-41717)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

  https://access.redhat.com/articles/11258

4. Bugs fixed (  https://bugzilla.redhat.com/):

2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers
2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps
2161274 - CVE-2022-41717 golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests

5. JIRA issues fixed (  https://issues.jboss.org/):

OADP-1056 - DPA fails validation if multiple BSLs have the same provider
OADP-1150 - Handle docker env config changes in the oadp-operator
OADP-1217 - update velero + restic to 1.9.5
OADP-1256 - Backup stays in progress status after restic pod is restarted due to OOM killed
OADP-1289 - Restore partially fails with error "Secrets \"deployer-token-rrjqx\" not found"
OADP-290 - Remove creation/usage of velero-privileged SCC

6. References:

  https://access.redhat.com/security/cve/CVE-2021-46848
  https://access.redhat.com/security/cve/CVE-2022-1122
  https://access.redhat.com/security/cve/CVE-2022-1304
  https://access.redhat.com/security/cve/CVE-2022-2056
  https://access.redhat.com/security/cve/CVE-2022-2057
  https://access.redhat.com/security/cve/CVE-2022-2058
  https://access.redhat.com/security/cve/CVE-2022-2519
  https://access.redhat.com/security/cve/CVE-2022-2520
  https://access.redhat.com/security/cve/CVE-2022-2521
  https://access.redhat.com/security/cve/CVE-2022-2867
  https://access.redhat.com/security/cve/CVE-2022-2868
  https://access.redhat.com/security/cve/CVE-2022-2869
  https://access.redhat.com/security/cve/CVE-2022-2879
  https://access.redhat.com/security/cve/CVE-2022-2880
  https://access.redhat.com/security/cve/CVE-2022-2953
  https://access.redhat.com/security/cve/CVE-2022-4415
  https://access.redhat.com/security/cve/CVE-2022-4883
  https://access.redhat.com/security/cve/CVE-2022-22624
  https://access.redhat.com/security/cve/CVE-2022-22628
  https://access.redhat.com/security/cve/CVE-2022-22629
  https://access.redhat.com/security/cve/CVE-2022-22662
  https://access.redhat.com/security/cve/CVE-2022-25308
  https://access.redhat.com/security/cve/CVE-2022-25309
  https://access.redhat.com/security/cve/CVE-2022-25310
  https://access.redhat.com/security/cve/CVE-2022-26700
  https://access.redhat.com/security/cve/CVE-2022-26709
  https://access.redhat.com/security/cve/CVE-2022-26710
  https://access.redhat.com/security/cve/CVE-2022-26716
  https://access.redhat.com/security/cve/CVE-2022-26717
  https://access.redhat.com/security/cve/CVE-2022-26719
  https://access.redhat.com/security/cve/CVE-2022-27404
  https://access.redhat.com/security/cve/CVE-2022-27405
  https://access.redhat.com/security/cve/CVE-2022-27406
  https://access.redhat.com/security/cve/CVE-2022-30293
  https://access.redhat.com/security/cve/CVE-2022-35737
  https://access.redhat.com/security/cve/CVE-2022-40303
  https://access.redhat.com/security/cve/CVE-2022-40304
  https://access.redhat.com/security/cve/CVE-2022-41715
  https://access.redhat.com/security/cve/CVE-2022-41717
  https://access.redhat.com/security/cve/CVE-2022-42010
  https://access.redhat.com/security/cve/CVE-2022-42011
  https://access.redhat.com/security/cve/CVE-2022-42012
  https://access.redhat.com/security/cve/CVE-2022-42898
  https://access.redhat.com/security/cve/CVE-2022-43680
  https://access.redhat.com/security/cve/CVE-2022-44617
  https://access.redhat.com/security/cve/CVE-2022-46285
  https://access.redhat.com/security/cve/CVE-2022-47629
  https://access.redhat.com/security/cve/CVE-2022-48303
  https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.