CWE: 89, 20

RHSA-2023:3742: Important: Red Hat OpenShift Data Foundation 4.13.0 security and bug fix update

First published: Wed Jun 21 2023

Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. In addition to persistent storage, Red Hat OpenShift Data Foundation provisions a multicloud data management service with an S3 compatible API.

Security Fix(es):

- goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be (CVE-2021-4238)
- decode-uri-component: improper input validation resulting in DoS (CVE-2022-38900)
- vault: Hashicorp Vault AWS IAM Integration Authentication Bypass (CVE-2020-16250)
- vault: GCP Auth Method Allows Authentication Bypass (CVE-2020-16251)
- nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807)
- go-yaml: Denial of Service in go-yaml (CVE-2021-4235)
- vault: incorrect policy enforcement (CVE-2021-43998)
- nodejs: Improper handling of URI Subject Alternative Names (CVE-2021-44531)
- nodejs: Certificate Verification Bypass via String Injection (CVE-2021-44532)
- nodejs: Incorrect handling of certificate subject and issuer fields (CVE-2021-44533)
- golang: archive/tar: unbounded memory consumption when reading headers (CVE-2022-2879)
- golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)
- nodejs-minimatch: ReDoS via the braceExpand function (CVE-2022-3517)
- jsonwebtoken: Insecure default algorithm in jwt.verify() could lead to signature validation bypass (CVE-2022-23540)
- jsonwebtoken: Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC (CVE-2022-23541)
- golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)
- golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)
- golang: net/url: JoinPath does not strip relative path components in all circumstances (CVE-2022-32190)
- consul: Consul Template May Expose Vault Secrets When Processing Invalid Input (CVE-2022-38149)
- vault: insufficient certificate revocation list checking (CVE-2022-41316)
- golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)
- golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)
- net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (CVE-2022-41723)
- golang: crypto/tls: large handshake records may cause panics (CVE-2022-41724)
- golang: net/http, mime/multipart: denial of service from excessive resource consumption (CVE-2022-41725)
- json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)
- vault: Vault's Microsoft SQL Database Storage Backend Vulnerable to SQL Injection Via Configuration File (CVE-2023-0620)
- hashicorp/vault: Vault's PKI Issuer Endpoint Did Not Correctly Authorize Access to Issuer Metadata (CVE-2023-0665)
- hashicorp/vault: Vault Fails to Verify if Approle SecretID Belongs to Role During a Destroy Operation (CVE-2023-24999)
- hashicorp/vault: Cache-Timing Attacks During Seal and Unseal Operations (CVE-2023-25000)
- validator: Inefficient Regular Expression Complexity in Validator.js (CVE-2021-3765)
- nodejs: Prototype pollution via console.table properties (CVE-2022-21824)
- golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.


Reference Links
