Issued: 2023-11-28
Updated: 2023-11-28

RHSA-2023:7555 - Security Advisory

Synopsis

Important: OpenShift API for Data Protection (OADP) 1.3.0 security update

Type/Severity

Security Advisory: Important

Topic

OpenShift API for Data Protection (OADP) 1.3.0 is now available.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

OpenShift API for Data Protection (OADP) enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes.

Security Fix(es):

  • golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)
  • HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)
  • opentelemetry: DoS vulnerability in otelhttp (CVE-2023-45142)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • OpenShift API for Data Protection 1 for RHEL 9 x86_64
  • OpenShift API for Data Protection for ARM 64 1 for RHEL 9 aarch64
  • OpenShift API for Data Protection for IBM Power, little endian 1 for RHEL 9 ppc64le
  • OpenShift API for Data Protection for IBM Z and LinuxONE 1 for RHEL 9 s390x

Fixes

  • BZ - 2242803 - CVE-2023-44487 HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)
  • BZ - 2243296 - CVE-2023-39325 golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)
  • BZ - 2245180 - CVE-2023-45142 opentelemetry: DoS vulnerability in otelhttp
  • OADP-2308 - Possible pod volume backup failure if velero is installed in multiple namespaces
  • OADP-2360 - [Upstream] Kopia backup failing for mysql application
  • OADP-2688 - OADP-1.3.0: Restic restore is partially failing due to Pod Security standard
  • OADP-2680 - [Upstream] Kopia - Failed to restore more than 11 PVs
  • OADP-2696 - [Upstream] Node agent pod has an additional log entry related to "PodVolumeBackup starting" after its marked as completed
  • OADP-2774 - [Upstream] kopia backup failed when Velero's policy not set to Kopia, exit on "ConcatenateObjects is not supported" on files larger then 2GB
  • OADP-2790 - OADP support for datamover and block volumes
  • OADP-2741 - [Upstream] DataMover: Cloned VolumeSnapshotContent remains in cluster when vsclass deletionPolicy set as Retain
  • OADP-446 - VolumeSnapshot size can be different from PVC requested storage preventing restore
  • OADP-2607 - (Dev) GCP WIF implementation
  • OADP-2635 - (Dev) OADP built-in Data Mover Implementation
  • OADP-2796 - Native datamover block volumes: Failed to run kopia backup: unable to get local block device entry: resolveSymlink: lstat /var/lib/kubelet: no such file or directory
  • OADP-2819 - FIPS compliance validation for must-gather container is failing
  • OADP-2856 - add migtools/kopia client binary to the oadp-must-gather container
  • OADP-2686 - OADP-1.3.0: ACM cluster restore is broken due to restore order
  • OADP-2862 - DPA bsl s3url config is trimmed when passed to BSL
  • OADP-1167 - Performance issues when restoring 30k resources
  • OADP-2679 - [Upstream] Datamover - Failed to complete restore , few datadownloads are stuck 'InProgress' status
  • OADP-2717 - Restic Backup failed on 5k pods on sn , exit on " Podvolumebackups already exists, the server was not able to generate a unique name for the object
  • OADP-2721 - [Upstream] Kopia Backup failed on 5k pods on sn , exit on " Podvolumebackups already exists, the server was not able to generate a unique name for the object.
  • OADP-2450 - [Upstream] NativeDataMover: Backup stucks in phase WaitingForPluginOperations when Node Agent pod gets restarted
  • OADP-2742 - NativeDataMover: Restore is getting stuck in waitingForPluginOpertions phase for the StatefulSet application
  • OADP-2921 - Pods with volumes for fsbackup/restic chosen by annotation aren't restored
  • OADP-2983 - Restore is partially failing with error "pod.BackupPlugin is not a restore item action"
  • OADP-2681 - [Upstream] DataMover - datauploads and datadownloads resources aren't distributed equally among the workers.
  • OADP-2959 - UI/UX improvements for the OADP operator
  • OADP-3053 - Multiple BackupStorageLocations can be set as default
  • OADP-3054 - DPA validation to ensure only one default, and if named "default" that must be default
  • OADP-2981 - Manually verify openshift-virt w/ cirros

CVEs

  • CVE-2023-39325
  • CVE-2023-44487
  • CVE-2023-45142

References

  • https://access.redhat.com/security/updates/classification/#important
  • https://access.redhat.com/security/vulnerabilities/RHSB-2023-003

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
