- Issued: 2025-03-25
- Updated: 2025-03-25
RHSA-2025:3172 - Security Advisory
Synopsis
Important: VolSync 0.12.1 security fixes and enhancements for RHEL 9
Type/Severity
Security Advisory: Important
Topic
VolSync v0.12 general availability release images, which provide
enhancements, security fixes, and updated container images, are available.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE links in the References section.
Description
VolSync v0.12.1 is a Kubernetes operator that enables asynchronous
replication of persistent volumes within a cluster or across clusters. Once
deployed, the VolSync operator can create and maintain copies of your
persistent data.
For more information about VolSync, see:
or the VolSync open source community website at:
https://volsync.readthedocs.io/en/stable/
This advisory contains enhancements and updates to the VolSync
container images.
Security fix(es):
- golang.org/x/oauth2: Unexpected memory consumption during token parsing in
golang.org/x/oauth2 (CVE-2025-22868)
- golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of
golang.org/x/crypto/ssh (CVE-2025-22869)
Solution
For more details, see the Red Hat Advanced Cluster Management for Kubernetes
documentation:
Affected Products
- Red Hat Advanced Cluster Management for Kubernetes 2 for RHEL 9 x86_64
Fixes
- BZ - 2348366 - CVE-2025-22868 golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws
- BZ - 2348367 - CVE-2025-22869 golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh
- HYPBLD-617 - Release v0.12.1 of VolSync
- ACM-19030 - Release VolSync v0.12.1
aarch64
- rhacm2/volsync-rhel9@sha256:66a98747656507d0b1dd379c8347ae2a738848998cec182716009d0a62a01b72
ppc64le
- rhacm2/volsync-rhel9@sha256:a6d4413161a9a15d7dafee13f132d1d6ebb5fc82d32876b8bbe055733d12a283
s390x
- rhacm2/volsync-rhel9@sha256:7208a20dea4ee2c543dd6719493000fcc4b5a00d52a3d076decfee0d00c01c13
x86_64
- rhacm2/volsync-operator-bundle@sha256:472aeeb4b0c06a3676d4e509de1648c88ef640490817e0ea2af8c9ee39660515
- rhacm2/volsync-rhel9@sha256:ab0e5a22a273e298802437e3b4d083c8cfc55da6c23a43d7c840b740248bf110
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.