(RHSA-2023:3742) Important: Red Hat OpenShift Data Foundation 4.13.0 security and bug fix update

Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. In addition to persistent storage, Red Hat OpenShift Data Foundation provisions a multicloud data management service with an S3 compatible API.

Security Fix(es):

• goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be (CVE-2021-4238)

• decode-uri-component: improper input validation resulting in DoS (CVE-2022-38900)

• vault: Hashicorp Vault AWS IAM Integration Authentication Bypass (CVE-2020-16250)

• vault: GCP Auth Method Allows Authentication Bypass (CVE-2020-16251)

• nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807)

• go-yaml: Denial of Service in go-yaml (CVE-2021-4235)

• vault: incorrect policy enforcement (CVE-2021-43998)

• nodejs: Improper handling of URI Subject Alternative Names (CVE-2021-44531)

• nodejs: Certificate Verification Bypass via String Injection (CVE-2021-44532)

• nodejs: Incorrect handling of certificate subject and issuer fields (CVE-2021-44533)

• golang: archive/tar: unbounded memory consumption when reading headers (CVE-2022-2879)

• golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)

• nodejs-minimatch: ReDoS via the braceExpand function (CVE-2022-3517)

• jsonwebtoken: Insecure default algorithm in jwt.verify() could lead to signature validation bypass (CVE-2022-23540)

• jsonwebtoken: Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC (CVE-2022-23541)

• golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)

• golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)

• golang: net/url: JoinPath does not strip relative path components in all circumstances (CVE-2022-32190)

• consul: Consul Template May Expose Vault Secrets When Processing Invalid Input (CVE-2022-38149)

• vault: insufficient certificate revocation list checking (CVE-2022-41316)

• golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)

• golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)

• net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (CVE-2022-41723)

• golang: crypto/tls: large handshake records may cause panics (CVE-2022-41724)

• golang: net/http, mime/multipart: denial of service from excessive resource consumption (CVE-2022-41725)

• json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)

• vault: Vault’s Microsoft SQL Database Storage Backend Vulnerable to SQL Injection Via Configuration File (CVE-2023-0620)

• hashicorp/vault: Vault’s PKI Issuer Endpoint Did Not Correctly Authorize Access to Issuer Metadata (CVE-2023-0665)

• Hashicorp/vault: Vault Fails to Verify if Approle SecretID Belongs to Role During a Destroy Operation (CVE-2023-24999)

• hashicorp/vault: Cache-Timing Attacks During Seal and Unseal Operations (CVE-2023-25000)

• validator: Inefficient Regular Expression Complexity in Validator.js (CVE-2021-3765)

• nodejs: Prototype pollution via console.table properties (CVE-2022-21824)

• golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.