Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Data Foundation provides highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. In addition to persistent storage, Red Hat OpenShift Data Foundation provisions a multicloud data management service with an S3-compatible API.
Security Fix(es):
goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be (CVE-2021-4238)
decode-uri-component: improper input validation resulting in DoS (CVE-2022-38900)
vault: Hashicorp Vault AWS IAM Integration Authentication Bypass (CVE-2020-16250)
vault: GCP Auth Method Allows Authentication Bypass (CVE-2020-16251)
nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807)
go-yaml: Denial of Service in go-yaml (CVE-2021-4235)
vault: incorrect policy enforcement (CVE-2021-43998)
nodejs: Improper handling of URI Subject Alternative Names (CVE-2021-44531)
nodejs: Certificate Verification Bypass via String Injection (CVE-2021-44532)
nodejs: Incorrect handling of certificate subject and issuer fields (CVE-2021-44533)
golang: archive/tar: unbounded memory consumption when reading headers (CVE-2022-2879)
golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)
nodejs-minimatch: ReDoS via the braceExpand function (CVE-2022-3517)
jsonwebtoken: Insecure default algorithm in jwt.verify() could lead to signature validation bypass (CVE-2022-23540)
jsonwebtoken: Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC (CVE-2022-23541)
golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)
golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)
golang: net/url: JoinPath does not strip relative path components in all circumstances (CVE-2022-32190)
consul: Consul Template May Expose Vault Secrets When Processing Invalid Input (CVE-2022-38149)
vault: insufficient certificate revocation list checking (CVE-2022-41316)
golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)
golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)
net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (CVE-2022-41723)
golang: crypto/tls: large handshake records may cause panics (CVE-2022-41724)
golang: net/http, mime/multipart: denial of service from excessive resource consumption (CVE-2022-41725)
json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)
vault: Vault’s Microsoft SQL Database Storage Backend Vulnerable to SQL Injection Via Configuration File (CVE-2023-0620)
hashicorp/vault: Vault’s PKI Issuer Endpoint Did Not Correctly Authorize Access to Issuer Metadata (CVE-2023-0665)
Hashicorp/vault: Vault Fails to Verify if Approle SecretID Belongs to Role During a Destroy Operation (CVE-2023-24999)
hashicorp/vault: Cache-Timing Attacks During Seal and Unseal Operations (CVE-2023-25000)
validator: Inefficient Regular Expression Complexity in Validator.js (CVE-2021-3765)
nodejs: Prototype pollution via console.table properties (CVE-2022-21824)
golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.