Red Hat Product Errata RHSA-2023:6115 - Security Advisory
Issued:
2023-10-25
Updated:
2023-10-25

RHSA-2023:6115 - Security Advisory

Synopsis

Important: OpenShift API for Data Protection security update

Type/Severity

Security Advisory: Important

Topic

An update is now available for OADP-1.1-RHEL-8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Security Fix(es):

  • golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)
  • HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)
  • golang: net/http: insufficient sanitization of Host header (CVE-2023-29406)
  • golang: crypto/tls: slow verification of certificate chains containing large RSA keys (CVE-2023-29409)
  • golang: html/template: improper handling of HTML-like comments within script contexts (CVE-2023-39318)
  • golang: html/template: improper handling of special tags within script contexts (CVE-2023-39319)
  • golang: crypto/tls: panic when processing post-handshake message on QUIC connections (CVE-2023-39321)
  • golang: crypto/tls: lack of a limit on buffered post-handshake (CVE-2023-39322)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • OpenShift API for Data Protection 1 for RHEL 8 x86_64

Fixes

  • BZ - 2222167 - CVE-2023-29406 golang: net/http: insufficient sanitization of Host header
  • BZ - 2228743 - CVE-2023-29409 golang: crypto/tls: slow verification of certificate chains containing large RSA keys
  • BZ - 2237773 - CVE-2023-39319 golang: html/template: improper handling of special tags within script contexts
  • BZ - 2237776 - CVE-2023-39318 golang: html/template: improper handling of HTML-like comments within script contexts
  • BZ - 2237777 - CVE-2023-39321 golang: crypto/tls: panic when processing post-handshake message on QUIC connections
  • BZ - 2237778 - CVE-2023-39322 golang: crypto/tls: lack of a limit on buffered post-handshake
  • BZ - 2242803 - CVE-2023-44487 HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)
  • BZ - 2243296 - CVE-2023-39325 golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)

ppc64le

oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:a107558ebc95b2d1c57a3571491bbf6ec88921ca8e6e45419dbec9bf47d505b9
oadp/oadp-mustgather-rhel8@sha256:f4db0cbe93b098c3e73e65bf83cdd73214e6eb9894a5d1d42d0f5fd58162a750
oadp/oadp-operator-bundle@sha256:7381cf4462e525945055a1b2b0bf168d469d2bd3f67bb10f6c8cb13e58fa9569
oadp/oadp-rhel8-operator@sha256:0f7a9f47f67af388ebebb7ef28a775857ac37d35e234ee228a4ea25bfc64c3e3
oadp/oadp-velero-plugin-for-aws-rhel8@sha256:ec6dd5b1b4a9382b86ae970240e25f11a4eb8e2ba42a2f6f727a984cf79f0cdb
oadp/oadp-velero-plugin-for-csi-rhel8@sha256:9535d60aeca08fbcb35f5ddecc455fbf8fd240b185b0359fcf15db088beed93b
oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:c8e99a08d99db02bb8a5f3fde5ff77108b4699fa710c12b257e411e1f3014f7b
oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:209ccbbf81de2154f620e3dc690a053d7110bc805fc148cff668bcab43674894
oadp/oadp-velero-plugin-rhel8@sha256:c2e022362052875f262fc082268fe1093d1a7a60aa51479b05346f5fc857864c
oadp/oadp-velero-restic-restore-helper-rhel8@sha256:27b11e8db2a414fdbc1cf7d0844db973f3f23c2d47af1c6890f42b1e7627efda
oadp/oadp-velero-rhel8@sha256:12379906744bbe5df4574415a81fa2a2d79e42317cf72c168e5ee05380d2c412
oadp/oadp-volume-snapshot-mover-rhel8@sha256:8abfd51f73690022c8e646ffe9a30f8b8e135c56eb67348a4bc0c2cfedbea29c

s390x

oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:ca91eab699f97705c3e696150446582caab5b97db9230c0a2a7d0b9e09a7c571
oadp/oadp-mustgather-rhel8@sha256:2d68a7b0030a673d88d59d712352614f136704fc95a5523484eea11eeeb76619
oadp/oadp-operator-bundle@sha256:f6e549d662f01f8ccf0c1ab9016b1aadcd417096bc49133a536292c55049c13a
oadp/oadp-rhel8-operator@sha256:2d3e387f50011ea9496e7524624100afb1e5eb9aeb220c971ac850e3d3fb3ecd
oadp/oadp-velero-plugin-for-aws-rhel8@sha256:fbef5cf169028b7e2c16c00ab699bcdb5733e2368ead683639495c2c584e08d7
oadp/oadp-velero-plugin-for-csi-rhel8@sha256:a68d39f20190d5dd35cb799b02ad3ff4fdaf52ab22f7785ba4be4d20c95a09af
oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:7933617816babdf5e6da973b7ffbf54a2c280a66fc6a9861e2dc731f01043d80
oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:7b4c2fbf7ae8c859bfc976a1e07ef02e430792b16f36fd7fe9e447c7427d5003
oadp/oadp-velero-plugin-rhel8@sha256:c521866aa8677b189bfe5b07f38b640e5fe5f392bcf6af9a25cda0daab393cd9
oadp/oadp-velero-restic-restore-helper-rhel8@sha256:7466b02853935e62195da737dc4dc1e7776537a330b943feb971d9b0aab01a5b
oadp/oadp-velero-rhel8@sha256:19772d059d2f70b59c21f01b8cdb34736dd835a695586e74234785b577abbf74
oadp/oadp-volume-snapshot-mover-rhel8@sha256:7cc9fc024056ca5e857a6135bd99607d14eef47426eea87286f4e33f0751fcbd

x86_64

oadp/oadp-kubevirt-velero-plugin-rhel8@sha256:1d9eb04551c7629c1c955a83f56c9950af52cf507a960673fbbb71bc53a45d42
oadp/oadp-mustgather-rhel8@sha256:d2ea8cc469b9bc2cb99dc81ef1c8c043ef7d4c320b588f7bf1e221807767a21c
oadp/oadp-operator-bundle@sha256:a709259c3a6d923485ed217e9dd74f11c02a32c113f017ebbd8c49d60c83c47b
oadp/oadp-rhel8-operator@sha256:bf0607d865944a9011852bcbd92d2f289f4086aba2186331ab4a65c7bd065604
oadp/oadp-velero-plugin-for-aws-rhel8@sha256:9bc0630106402a86da33e4a21c5d64c6379125f6a446519f5a659ba1ed110b76
oadp/oadp-velero-plugin-for-csi-rhel8@sha256:57e64b3f70a5d06d68b2dfa3dfd329474ee39354e1ff3730742ae5869ffe9242
oadp/oadp-velero-plugin-for-gcp-rhel8@sha256:4a509a9562f941a6eb85e29db424080204172cfcee21b2cbbe066efb5c60198c
oadp/oadp-velero-plugin-for-microsoft-azure-rhel8@sha256:7bc516a3dc31d5675989c253dfc5d4f5b6e5675ed0dcd99aeabcf45748cfb82a
oadp/oadp-velero-plugin-rhel8@sha256:569d29f6abf7e47afa87dc786028dd1b3b25c703f03bb72f0cdb56fa9fd8322e
oadp/oadp-velero-restic-restore-helper-rhel8@sha256:2ced4f24ae6649bdeda3d075841b77c2171193e882c5559ec1d6f3cad6f94a8b
oadp/oadp-velero-rhel8@sha256:f1d013a16cc4ef007406323214d6e72b2a09ce9f38326df50497a2425e3a66b2
oadp/oadp-volume-snapshot-mover-rhel8@sha256:0e4b9f532f0ae2242b50ce34be7b7f5df6986c19ff126198a7b6aca4f8661d4a

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.