====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift API for Data Protection (OADP) 1.1.0 security and bug fix update
Advisory ID:       RHSA-2022:6290-01
Product:           OpenShift API for Data Protection
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6290
Issue date:        2022-09-01
CVE Names:         CVE-2021-3634 CVE-2021-40528 CVE-2022-1271 
                   CVE-2022-1292 CVE-2022-1586 CVE-2022-2068 
                   CVE-2022-2097 CVE-2022-21698 CVE-2022-24675 
                   CVE-2022-25313 CVE-2022-25314 CVE-2022-26691 
                   CVE-2022-28327 CVE-2022-29154 CVE-2022-29824 
                   CVE-2022-30629 CVE-2022-30631 CVE-2022-32206 
                   CVE-2022-32208 
====================================================================
1. Summary:

OpenShift API for Data Protection (OADP) 1.1.0 is now available.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

OpenShift API for Data Protection (OADP) enables you to back up and restore
application resources, persistent volume data, and internal container
images to external backup storage. OADP enables both file system-based and
snapshot-based backups for persistent volumes.

Security Fix(es) from Bugzilla:

* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

* prometheus/client_golang: Denial of service using
InstrumentHandlerCounter (CVE-2022-21698)

* golang: encoding/pem: fix stack overflow in Decode (CVE-2022-24675)

* golang: crypto/elliptic: panic caused by oversized scalar
(CVE-2022-28327)

* golang: crypto/tls: session tickets lack random ticket_age_add
(CVE-2022-30629)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

3. Solution:

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter
2077688 - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode
2077689 - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar
2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read

5. JIRA issues fixed (https://issues.redhat.com/):

OADP-145 - Restic Restore stuck on InProgress status when app is deployed with DeploymentConfig
OADP-154 - Ensure support for backing up resources based on different label selectors
OADP-194 - Remove the registry dependency from OADP
OADP-199 - Enable support for restore of existing resources
OADP-224 - Restore silently ignores resources if they exist - restore log not updated
OADP-225 - Restore doesn't update velero.io/backup-name when a resource is updated
OADP-234 - Implementation of incremental restore
OADP-324 - Add label to Expired backups failing garbage collection
OADP-382 - 1.1: Update downstream OLM channels to support different x and y-stream releases
OADP-422 - [GCP] An attempt at snapshotting volumes on CSI storageclass using Velero-native snapshots fails because it's unable to find the zone
OADP-423 - CSI Backup is not blocked and does not wait for snapshot to complete
OADP-478 - volumesnapshotcontent cannot be deleted; SnapshotDeleteError Failed to delete snapshot
OADP-528 - The volumesnapshotcontent is not removed for the synced backup
OADP-533 - OADP Backup via Ceph CSI snapshot hangs indefinitely on OpenShift v4.10
OADP-538 - typo on noDefaultBackupLocation error on DPA CR
OADP-552 - Validate OADP with 4.11 and Pod Security Admissions
OADP-558 - Empty Failed Backup CRs can't be removed
OADP-585 - OADP 1.0.3: CSI functionality is broken on OCP 4.11 due to missing v1beta1 API version
OADP-586 - registry deployment still exists on 1.1 build, and the registry pod gets recreated endlessly
OADP-592 - OADP must-gather add support for insecure tls
OADP-597 - BSL validation logs 
OADP-598 - Data mover performance on backup blocks backup process
OADP-599 - [Data Mover] Datamover Restic secret cannot be configured per bsl 
OADP-600 - Operator should validate volsync installation and raise warning if data mover is enabled
OADP-602 - Support GCP for openshift-velero-plugin registry
OADP-605 - [OCP 4.11] CSI restore fails with admission webhook "volumesnapshotclasses.snapshot.storage.k8s.io" denied
OADP-607 - DataMover: VSB is stuck on SnapshotBackupDone
OADP-610 - Data mover fails if a stale volumesnapshot exists in application namespace
OADP-613 - DataMover: upstream documentation refers to wrong CRs
OADP-637 - Restic backup fails with CA certificate
OADP-643 - [Data Mover] VSB and VSR names are not unique
OADP-644 - VolumeSnapshotBackup and VolumeSnapshotRestore timeouts should be configurable
OADP-648 - Remove default limits for velero and restic pods
OADP-652 - Data mover VolSync pod errors with Noobaa
OADP-655 - DataMover: volsync-dst-vsr pod completes although not all items were restored in the namespace
OADP-660 - Data mover restic secret does not support Azure
OADP-698 - DataMover: volume-snapshot-mover pod points to upstream image
OADP-715 - Restic restore fails: restic-wait container continuously fails with "Not found: /restores//.velero/"
OADP-716 - Incremental restore: second restore of a namespace partially fails
OADP-736 - Data mover VSB always fails with volsync 0.5

6. References:

https://access.redhat.com/security/cve/CVE-2021-3634
https://access.redhat.com/security/cve/CVE-2021-40528
https://access.redhat.com/security/cve/CVE-2022-1271
https://access.redhat.com/security/cve/CVE-2022-1292
https://access.redhat.com/security/cve/CVE-2022-1586
https://access.redhat.com/security/cve/CVE-2022-2068
https://access.redhat.com/security/cve/CVE-2022-2097
https://access.redhat.com/security/cve/CVE-2022-21698
https://access.redhat.com/security/cve/CVE-2022-24675
https://access.redhat.com/security/cve/CVE-2022-25313
https://access.redhat.com/security/cve/CVE-2022-25314
https://access.redhat.com/security/cve/CVE-2022-26691
https://access.redhat.com/security/cve/CVE-2022-28327
https://access.redhat.com/security/cve/CVE-2022-29154
https://access.redhat.com/security/cve/CVE-2022-29824
https://access.redhat.com/security/cve/CVE-2022-30629
https://access.redhat.com/security/cve/CVE-2022-30631
https://access.redhat.com/security/cve/CVE-2022-32206
https://access.redhat.com/security/cve/CVE-2022-32208
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
