Topic

https://access.redhat.com/security/updates/classification/ Moderate csaf_security_advisory 2.0 Copyright © Red Hat, Inc. All rights reserved. WHITE https://www.first.org/tlp/ en summary Updated packages that include numerous enhancements, security, and bug fixes are now available for Red Hat OpenShift Data Foundation 4.11.0 on Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Topic general Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. In addition to persistent storage, Red Hat OpenShift Data Foundation provisions a multicloud data management service with an S3 compatible API. Security Fix(es): * golang: math/big: uncontrolled memory consumption due to an unhandled overflow via Rat.SetString (CVE-2022-23772) * golang: encoding/pem: fix stack overflow in Decode (CVE-2022-24675) * golang: crypto/elliptic: panic caused by oversized scalar (CVE-2022-28327) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): These updated packages include numerous enhancements and bug fixes. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat OpenShift Data Foundation Release Notes for information on the most significant of these changes: https://access.redhat.com//documentation/en-us/red_hat_openshift_data_foundation/4.11/html/4.11_release_notes/index All Red Hat OpenShift Data Foundation users are advised to upgrade to these updated packages, which provide numerous bug fixes and enhancements. Details legal_disclaimer This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Terms of Use vendor https://access.redhat.com/security/team/contact/ Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services. Red Hat Product Security https://www.redhat.com self

https://access.redhat.com/errata/RHSA-2022:6155

https://access.redhat.com/errata/RHSA-2022:6155 external

https://access.redhat.com//documentation/en-us/red_hat_openshift_data_foundation/4.11/html/4.11_release_notes/index

https://access.redhat.com//documentation/en-us/red_hat_openshift_data_foundation/4.11/html/4.11_release_notes/index external

https://access.redhat.com/security/updates/classification/#moderate

https://access.redhat.com/security/updates/classification/#moderate external

2027849

https://bugzilla.redhat.com/show_bug.cgi?id=2027849 external

2053532

https://bugzilla.redhat.com/show_bug.cgi?id=2053532 external

2077688

https://bugzilla.redhat.com/show_bug.cgi?id=2077688 external

2077689

https://bugzilla.redhat.com/show_bug.cgi?id=2077689 self

Canonical URL

https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_6155.json Red Hat Security Advisory: Red Hat OpenShift Data Foundation 4.11.0 security, enhancement & bugfix update 2026-04-01T18:53:12+00:00 2026-04-01T18:53:12+00:00 Red Hat SDEngine 4.7.4 RHSA-2022:6155 2022-08-24T13:43:53+00:00 2022-08-24T13:43:53+00:00 1

Initial version

2022-08-24T13:43:53+00:00 2

Last updated version

2026-04-01T18:53:12+00:00 3

Last generated version

final 3 product_name RHODF 4.11 for RHEL 8 RHODF 4.11 for RHEL 8 8Base-RHODF-4.11 cpe:/a:redhat:openshift_data_foundation:4.11::el8 product_family Red Hat OpenShift Data Foundation product_version mcg-0:5.11.0-22.el8.src mcg-0:5.11.0-22.el8.src mcg-0:5.11.0-22.el8.src pkg:rpm/redhat/mcg@5.11.0-22.el8?arch=src architecture src product_version mcg-0:5.11.0-22.el8.x86_64 mcg-0:5.11.0-22.el8.x86_64 mcg-0:5.11.0-22.el8.x86_64 pkg:rpm/redhat/mcg@5.11.0-22.el8?arch=x86_64 product_version mcg-redistributable-0:5.11.0-22.el8.x86_64 mcg-redistributable-0:5.11.0-22.el8.x86_64 mcg-redistributable-0:5.11.0-22.el8.x86_64 pkg:rpm/redhat/mcg-redistributable@5.11.0-22.el8?arch=x86_64 architecture x86_64 product_version mcg-0:5.11.0-22.el8.ppc64le mcg-0:5.11.0-22.el8.ppc64le mcg-0:5.11.0-22.el8.ppc64le pkg:rpm/redhat/mcg@5.11.0-22.el8?arch=ppc64le architecture ppc64le product_version mcg-0:5.11.0-22.el8.s390x mcg-0:5.11.0-22.el8.s390x mcg-0:5.11.0-22.el8.s390x pkg:rpm/redhat/mcg@5.11.0-22.el8?arch=s390x architecture s390x vendor Red Hat default_component_of mcg-0:5.11.0-22.el8.ppc64le as a component of RHODF 4.11 for RHEL 8 8Base-RHODF-4.11:mcg-0:5.11.0-22.el8.ppc64le mcg-0:5.11.0-22.el8.ppc64le 8Base-RHODF-4.11 default_component_of mcg-0:5.11.0-22.el8.s390x as a component of RHODF 4.11 for RHEL 8 8Base-RHODF-4.11:mcg-0:5.11.0-22.el8.s390x mcg-0:5.11.0-22.el8.s390x 8Base-RHODF-4.11 default_component_of mcg-0:5.11.0-22.el8.src as a component of RHODF 4.11 for RHEL 8 8Base-RHODF-4.11:mcg-0:5.11.0-22.el8.src mcg-0:5.11.0-22.el8.src 8Base-RHODF-4.11 default_component_of mcg-0:5.11.0-22.el8.x86_64 as a component of RHODF 4.11 for RHEL 8 8Base-RHODF-4.11:mcg-0:5.11.0-22.el8.x86_64 mcg-0:5.11.0-22.el8.x86_64 8Base-RHODF-4.11 default_component_of mcg-redistributable-0:5.11.0-22.el8.x86_64 as a component of RHODF 4.11 for RHEL 8 8Base-RHODF-4.11:mcg-redistributable-0:5.11.0-22.el8.x86_64 mcg-redistributable-0:5.11.0-22.el8.x86_64 8Base-RHODF-4.11 CVE-2022-23772 CWE-190 Integer Overflow or Wraparound 2022-02-11T00:00:00+00:00 Red Hat Bugzilla ID 2053532 description A flaw was found in the big package of the math library in golang. The Rat.SetString could cause an overflow, and if left unhandled, it could lead to excessive memory use. This issue could allow a remote attacker to impact the availability of the system. Vulnerability description summary golang: math/big: uncontrolled memory consumption due to an unhandled overflow via Rat.SetString Vulnerability summary other Red Hat Enterprise Linux 8 and 9 are affected, because the code-base is affected by this vulnerability. Red Hat Product Security has rated this issue as having Moderate security impact, and the issue is not currently planned to be addressed in future updates for Red Hat Enterprise Linux 7, hence, marked as Out-of-Support-Scope. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/ and Red Hat Enterprise Linux Life Cycle & Updates Policy: https://access.redhat.com/support/policy/updates/errata/. Statement general The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability. CVSS score applicability 8Base-RHODF-4.11:mcg-0:5.11.0-22.el8.ppc64le 8Base-RHODF-4.11:mcg-0:5.11.0-22.el8.s390x 8Base-RHODF-4.11:mcg-0:5.11.0-22.el8.src 8Base-RHODF-4.11:mcg-0:5.11.0-22.el8.x86_64 8Base-RHODF-4.11:mcg-redistributable-0:5.11.0-22.el8.x86_64 self

Canonical URL

https://access.redhat.com/security/cve/CVE-2022-23772 external

RHBZ#2053532

https://bugzilla.redhat.com/show_bug.cgi?id=2053532 external

https://www.cve.org/CVERecord?id=CVE-2022-23772

https://www.cve.org/CVERecord?id=CVE-2022-23772 external

https://nvd.nist.gov/vuln/detail/CVE-2022-23772

https://nvd.nist.gov/vuln/detail/CVE-2022-23772 external

https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ

https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ 2022-01-19T00:00:00+00:00 vendor_fix 2022-08-24T13:43:53+00:00

For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258

8Base-RHODF-4.11:mcg-0:5.11.0-22.el8.ppc64le 8Base-RHODF-4.11:mcg-0:5.11.0-22.el8.s390x 8Base-RHODF-4.11:mcg-0:5.11.0-22.el8.src 8Base-RHODF-4.11:mcg-0:5.11.0-22.el8.x86_64 8Base-RHODF-4.11:mcg-redistributable-0:5.11.0-22.el8.x86_64 none https://access.redhat.com/errata/RHSA-2022:6155 LOW NETWORK HIGH 7.5 HIGH NONE NONE NONE UNCHANGED NONE CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.1 8Base-RHODF-4.11:mcg-0:5.11.0-22.el8.ppc64le 8Base-RHODF-4.11:mcg-0:5.11.0-22.el8.s390x 8Base-RHODF-4.11:mcg-0:5.11.0-22.el8.src 8Base-RHODF-4.11:mcg-0:5.11.0-22.el8.x86_64 8Base-RHODF-4.11:mcg-redistributable-0:5.11.0-22.el8.x86_64 impact

Moderate

golang: math/big: uncontrolled memory consumption due to an unhandled overflow via Rat.SetString CVE-2022-24675 CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') 2022-04-21T00:00:00+00:00 Red Hat Bugzilla ID 2077688 description A buffer overflow flaw was found in Golang's library encoding/pem. This flaw allows an attacker to use a large PEM input (more than 5 MB), causing a stack overflow in Decode, which leads to a loss of availability. Vulnerability description summary golang: encoding/pem: fix stack overflow in Decode Vulnerability summary other Red Hat Enterprise Linux 7, 8 and 9 are affected, because the code-base is affected by this vulnerability. Red Hat Product Security has rated this issue as having Moderate security impact, and the issue is not currently planned to be addressed in future updates for Red Hat Enterprise Linux 7, hence, marked as Out-of-Support-Scope. Red Hat Developer Tools - Compilers (go-toolset-1.16-golang & go-toolset-1.17-golang), ships the vulnerable code and affected by this vulnerability. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/ and Red Hat Enterprise Linux Life Cycle & Updates Policy: https://access.redhat.com/support/policy/updates/errata/. Statement general The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability. CVSS score applicability 8Base-RHODF-4.11:mcg-0:5.11.0-22.el8.ppc64le 8Base-RHODF-4.11:mcg-0:5.11.0-22.el8.s390x 8Base-RHODF-4.11:mcg-0:5.11.0-22.el8.src 8Base-RHODF-4.11:mcg-0:5.11.0-22.el8.x86_64 8Base-RHODF-4.11:mcg-redistributable-0:5.11.0-22.el8.x86_64 self

Canonical URL

https://access.redhat.com/security/cve/CVE-2022-24675 external

RHBZ#2077688

https://bugzilla.redhat.com/show_bug.cgi?id=2077688 external

https://www.cve.org/CVERecord?id=CVE-2022-24675

https://www.cve.org/CVERecord?id=CVE-2022-24675 external

https://nvd.nist.gov/vuln/detail/CVE-2022-24675

https://nvd.nist.gov/vuln/detail/CVE-2022-24675 external

https://groups.google.com/g/golang-announce/c/oecdBNLOml8

https://groups.google.com/g/golang-announce/c/oecdBNLOml8 2022-04-12T00:00:00+00:00 vendor_fix 2022-08-24T13:43:53+00:00

For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258

Moderate

golang: encoding/pem: fix stack overflow in Decode CVE-2022-28327 CWE-190 Integer Overflow or Wraparound 2022-04-21T00:00:00+00:00 Red Hat Bugzilla ID 2077689 description An integer overflow flaw was found in Golang's crypto/elliptic library. This flaw allows an attacker to use a crafted scaler input longer than 32 bytes, causing P256().ScalarMult or P256().ScalarBaseMult to panic, leading to a loss of availability. Vulnerability description summary golang: crypto/elliptic: panic caused by oversized scalar Vulnerability summary other A moderate severity flaw was found in Go’s crypto/elliptic package in the generic P-256 implementation. If a scalar input longer than 32 bytes is supplied, P256().ScalarMult or P256().ScalarBaseMult can panic, causing the application to crash. Indirect uses via crypto/ecdsa and crypto/tls are not affected. This issue impacts availability but does not affect confidentiality or integrity. Only certain platforms (non-amd64, non-arm64, non-ppc64le, non-s390x) may be affected. Red Hat Enterprise Linux 7, 8 and 9 are affected, because the code-base is affected by this vulnerability. Red Hat Product Security has rated this issue as having Moderate security impact, and the issue is not currently planned to be addressed in future updates for Red Hat Enterprise Linux 7, hence, marked as Out-of-Support-Scope. Red Hat Developer Tools - Compilers (go-toolset-1.16-golang & go-toolset-1.17-golang), ships the vulnerable code and affected by this vulnerability. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/ and Red Hat Enterprise Linux Life Cycle & Updates Policy: https://access.redhat.com/support/policy/updates/errata/. Statement general The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability. CVSS score applicability 8Base-RHODF-4.11:mcg-0:5.11.0-22.el8.ppc64le 8Base-RHODF-4.11:mcg-0:5.11.0-22.el8.s390x 8Base-RHODF-4.11:mcg-0:5.11.0-22.el8.src 8Base-RHODF-4.11:mcg-0:5.11.0-22.el8.x86_64 8Base-RHODF-4.11:mcg-redistributable-0:5.11.0-22.el8.x86_64 self

Canonical URL

https://access.redhat.com/security/cve/CVE-2022-28327 external

RHBZ#2077689

https://bugzilla.redhat.com/show_bug.cgi?id=2077689 external

https://www.cve.org/CVERecord?id=CVE-2022-28327

https://www.cve.org/CVERecord?id=CVE-2022-28327 external

https://nvd.nist.gov/vuln/detail/CVE-2022-28327

https://nvd.nist.gov/vuln/detail/CVE-2022-28327 external

https://groups.google.com/g/golang-announce/c/oecdBNLOml8

https://groups.google.com/g/golang-announce/c/oecdBNLOml8 2022-04-12T00:00:00+00:00 vendor_fix 2022-08-24T13:43:53+00:00

For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258

Moderate

golang: crypto/elliptic: panic caused by oversized scalar