Red Hat Product Errata RHSA-2023:3918 - Security Advisory
Issued:
2023-06-29
Updated:
2023-06-29

RHSA-2023:3918 - Security Advisory

Synopsis

Important: OpenShift API for Data Protection (OADP) 1.1.5 security and bug fix update

Type/Severity

Security Advisory: Important

Topic

OpenShift API for Data Protection (OADP) 1.1.5 is now available.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

OpenShift API for Data Protection (OADP) enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes.

Security Fix(es):

  • golang: html/template: improper handling of JavaScript whitespace (CVE-2023-24540)
  • net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (CVE-2022-41723)
  • golang: net/http, net/textproto: denial of service from excessive memory allocation (CVE-2023-24534)
  • golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption (CVE-2023-24536)
  • golang: go/parser: Infinite loop in parsing (CVE-2023-24537)
  • golang: html/template: backticks not treated as string delimiters (CVE-2023-24538)
  • golang: html/template: improper sanitization of CSS values (CVE-2023-24539)
  • golang: html/template: improper handling of empty HTML attributes (CVE-2023-29400)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • OpenShift API for Data Protection 1 for RHEL 8 x86_64

Fixes

  • BZ - 2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding
  • BZ - 2184481 - CVE-2023-24538 golang: html/template: backticks not treated as string delimiters
  • BZ - 2184482 - CVE-2023-24536 golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption
  • BZ - 2184483 - CVE-2023-24534 golang: net/http, net/textproto: denial of service from excessive memory allocation
  • BZ - 2184484 - CVE-2023-24537 golang: go/parser: Infinite loop in parsing
  • BZ - 2196026 - CVE-2023-24539 golang: html/template: improper sanitization of CSS values
  • BZ - 2196027 - CVE-2023-24540 golang: html/template: improper handling of JavaScript whitespace
  • BZ - 2196029 - CVE-2023-29400 golang: html/template: improper handling of empty HTML attributes

ppc64le

oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:232797593d0ea5323f913c902ac7bd25bbe1eacdb40b00deaf9bbcd9306bf4e9
oadp/oadp-mustgather-rhel8@sha256:b0215bed64f78192b9d7a8e4904efdbef9408296806d7fb6b86927b0cbd67a79
oadp/oadp-operator-bundle@sha256:91e02a2cd94a94354294e16b3a8495175907c9d07e1f7965febe1179d36c9940
oadp/oadp-rhel8-operator@sha256:36882e2b4183bd2d0e58acb59e49004db1c2accd1f4e6cc01dfc2ca10cbbda19
oadp/oadp-velero-plugin-for-aws-rhel8@sha256:a5702782be3fdf763b47c734d107d853c2b8f3f831c45d34dd686c19e2b295ff
oadp/oadp-velero-plugin-for-csi-rhel8@sha256:38e0bf9d9f589e93335d477e23fe2838ad2ef138472d66887d7343b720081c19
oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:195a154a41e6a7a4176475470aa1058e7ab171cb5ffd0c998009ac022ba810b2
oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:37d6701003b9e5f58795d85267d1ca1fd9687981abe784075d9c7ba5a7a036c5
oadp/oadp-velero-plugin-rhel8@sha256:17ae407841f29a5bbf3e72d25acc883150929ce91fc6384fc81e8d7977eecf42
oadp/oadp-velero-restic-restore-helper-rhel8@sha256:7e212da871132c319750a6513e9b98a836b6d670dfeeb0ca2050b0fe959bbb9e
oadp/oadp-velero-rhel8@sha256:b4ab733bfbf853bbac246530f1b4b0dafae2173ab93e32d1cebdd5b6c70dae29
oadp/oadp-volume-snapshot-mover-rhel8@sha256:72636e3e55f29a227092993151fba716f91d17812cd4b493cc2308823cbfb4a8

s390x

oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:aa58ca1500ddb603bc9f39eba981584cd38682eab092ce06ec951a078a3dc0a6
oadp/oadp-mustgather-rhel8@sha256:c0a9d5bbd97613ca2d26bd4315b55ffc6512fa429c0cdec5da77fe2fb8d254b9
oadp/oadp-operator-bundle@sha256:a3348b782dd897ef822bdf885db8c61e24278dde0520646e54270fec53d10f34
oadp/oadp-rhel8-operator@sha256:cdcb5d1b32410973779aed6cb760c016fe2035dbcae41dde6707045bbf4e97c6
oadp/oadp-velero-plugin-for-aws-rhel8@sha256:60a01a5762ea173f150f6ccd6f8bfd1f1e17aed1f4865f9161d0d06e3c490ca7
oadp/oadp-velero-plugin-for-csi-rhel8@sha256:2a8a8c64cb71f52559e53b9dddaeaee97b8067a7b2f996cde2e1ca2e14f25e55
oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:b3792c8e92add196de5d06cdd88eb8e9d02fcdb9ce15c1a9a362241018caf6db
oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:1b8f8b7b03f5dc4ca2fbeec13eb4b99e5bec1f09daf7b04c982ba1324611c6f3
oadp/oadp-velero-plugin-rhel8@sha256:2d58a2e20d7a0553ce843a6b43b2df1e7924d5b2cb19372a276ebde6644e8eb5
oadp/oadp-velero-restic-restore-helper-rhel8@sha256:66bee327e86ddae9b69e362e520278bd8cb6a8b7f9756c3a55faf76d02486ab1
oadp/oadp-velero-rhel8@sha256:e583bed08cbd7e36f0f7a66bd18c41b62d4062fdb5d43ec8e191d37ecf23be11
oadp/oadp-volume-snapshot-mover-rhel8@sha256:294903bf15035ffc5c4f9f4fc546079de344875068f1188ddfdd4b4e435d01bd

x86_64

oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:b5ac15e683479a1524dfa55db10a8c84e362e6734f0d82d62ce724dfd76779e2
oadp/oadp-mustgather-rhel8@sha256:83d13ab990fc72c63c51a008a13fe341a555dfaec96494d25f5b7cbd5a0eafb1
oadp/oadp-operator-bundle@sha256:174e673e1e9b09714ac89082c01e84bf9e77c7d52f65bbe3da156e4467ff6e07
oadp/oadp-rhel8-operator@sha256:5e9ef29577268fc0bafa30e84de8f79c5141df76eefe995da2a2a201a92e5aef
oadp/oadp-velero-plugin-for-aws-rhel8@sha256:3e4af775f289789e0dce2ac73c07d6d5a101c77970b5f70e88a4cff6e2fbc3dd
oadp/oadp-velero-plugin-for-csi-rhel8@sha256:37002fe133ff5853c97eb41e9d5e57dfb882f2b9150dfe945f965f78fbe3b1e4
oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:5e26431bc81545c21b1c3b87dd42e267773c4221213d478c04e0b8809559201c
oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:04c0ba8b1660eaa87f5e22291904b6e98442056270cfb134a243943742595e30
oadp/oadp-velero-plugin-rhel8@sha256:d695407dd931000091e7a19ea693608e99985c84bfae95a94d8d111313b8e542
oadp/oadp-velero-restic-restore-helper-rhel8@sha256:a8409a1d9a281711caae8d67d155a0aac5384f2ae736c3da728dc423b849b3fe
oadp/oadp-velero-rhel8@sha256:43c1b134f68e4b71f3a1a35769fb573a9c496ffc5ba188b13b97a52ee2ab8479
oadp/oadp-volume-snapshot-mover-rhel8@sha256:660e0ac7699c6c3ef59733bd3084bf0c8667e55bef1a36b13ee057fd4025bde7

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.