Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM5847C6A43B9374608436806349F8DF60D26A6BD6AA1E53665DE28690D684C5FF
HistorySep 17, 2022 - 1:44 p.m.

Security Bulletin: Vulnerabilities in Golang Go and MinIO may affect IBM Spectrum Plus Container Backup and Restore for Kubernetes and Red Hat OpenShift (CVE-2022-29804, CVE-2022-30580, CVE-2022-30629, CVE-2022-30634, CVE-2022-35919, CVE-2022-31028)

2022-09-1713:44:52
www.ibm.com
121

0.002 Low

EPSS

Percentile

64.5%

JSON

Summary

Multiple vulnerabilities in Golang Go and MinIO may affect IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and Red Hat OpenShift. Vulnerabilities include bypassing of security restrictions, execution of arbitrary code, obtaining sensitive information, denial of service, and directory traversal.

Vulnerability Details

CVEID:CVE-2022-29804
**DESCRIPTION:**Golang Go could allow a local attacker to bypass security restrictions, caused by a flaw in the filepath.Clean function. By sending a specially-crafted request, an attacker could exploit this vulnerability to convert an invalid path to a valid, absolute path.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/229857 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:CVE-2022-30580
**DESCRIPTION:**Golang Go could allow a local attacker to execute arbitrary code on the system, caused by a flaw when Cmd.Run, cmd.Start, cmd.Output, or cmd.CombinedOutput are executed when Cmd.Path is unset. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/229858 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2022-30629
**DESCRIPTION:**Golang Go could allow a remote attacker to obtain sensitive information, caused by an issue with session tickets generated by crypto/tls did not contain a randomly generated ticket_age_add. By comparing ticket ages during session resumption, an attacker could exploit this vulnerability to observe TLS handshakes information to correlate successive connections.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/229859 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2022-30634
**DESCRIPTION:**Golang Go is vulnerable to a denial of service, caused by improper input validation. By sending a specially-crafted request using large buffers, a remote attacker could exploit this vulnerability to cause rand.Read to hang,a and results in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/229860 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2022-35919
**DESCRIPTION:**MinIO could allow a remote authenticated attacker to traverse directories on the system, caused by improper validation of user requests by the ServerUpdate API. An attacker could send a specially-crafted request to selectively trigger an error using the admin:ServerUpdate action and view arbitrary files that are readable by the MinIO process on the system.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/232582 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L)

CVEID:CVE-2022-31028
**DESCRIPTION:**MinIO is vulnerable to a denial of service, caused by an issue with an unending go-routine buildup while keeping connections established. By sending a specially-crafted request using anonymous HTTP clients, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/228045 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes 10.1.5-10.1.11
IBM Spectrum Protect Plus Container Backup and Restore for Red Hat OpenShift 10.1.7-10.1.11

Remediation/Fixes

**IBM Spectrum Protect
Plus **Affected Versions|**Fixing
**Level|Platform|**Link to Fix and Instructions
**
—|—|—|—
10.1.5-10.1.11 (Kubernetes)
10.1.7-10.1.11 (Red Hat OpenShift)| 10.1.12| Linux| https://www.ibm.com/support/pages/node/6603663

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm spectrum protect pluseq10.1

Related

suse 2
nessus 32
openvas 35
altlinux 2
freebsd 1
oraclelinux 6
cvelist 6
ibm 13
veracode 7
prion 6
cve 6
osv 20
alpinelinux 5
packetstorm 1
zdt 1
ubuntucve 4
debiancve 4
cbl_mariner 4
redhatcve 2
exploitdb 1
mageia 1
redhat 6
photon 5
almalinux 4
redos 1
amazon 2
fedora 22
suse
suse
Security update for go1.18 (important)
2022-06-07 00:00:00
Security update for go1.17 (important)
2022-06-07 00:00:00
nessus
nessus
SUSE SLED15 / SLES15 Security Update : go1.18 (SUSE-SU-2022:2005-1)
2022-06-08 00:00:00
SUSE SLED15 / SLES15 Security Update : go1.17 (SUSE-SU-2022:2004-1)
2022-06-08 00:00:00
FreeBSD : go -- multiple vulnerabilities (15888c7e-e659-11ec-b7fe-10c37b4ac2ea)
2022-06-07 00:00:00
openvas
openvas
openSUSE: Security Advisory for go1.18 (SUSE-SU-2022:2005-1)
2022-06-08 00:00:00
openSUSE: Security Advisory for go1.17 (SUSE-SU-2022:2004-1)
2022-06-08 00:00:00
SUSE: Security Advisory (SUSE-SU-2022:2004-1)
2022-06-08 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 10 package golang version 1.18.3-alt1
2022-06-12 00:00:00
Security fix for the ALT Linux 10 package golang version 1.17.11-alt1.p10
2022-06-14 00:00:00
freebsd
freebsd
go -- multiple vulnerabilities
2022-06-01 00:00:00
oraclelinux
oraclelinux
ol8addon security update
2022-07-12 00:00:00
go-toolset:ol8addon security update
2022-07-12 00:00:00
buildah security and bug fix update
2023-05-15 00:00:00
cvelist
cvelist
CVE-2022-31028 Possible DDOS by establishing keep-alive connections with anonymous HTTP clients in MinIO
2022-06-03 14:40:11
CVE-2022-35919 Authenticated requests for server update admin API allows path traversal in minio
2022-08-01 00:00:00
CVE-2022-30634 Indefinite hang with large buffers on Windows in crypto/rand
2022-07-15 19:36:19
ibm
ibm
Security Bulletin: Vulnerabilities in Golang Go, PostgreSQL, jQuery, and Google Gson may affect IBM Spectrum Copy Data Management
2022-09-17 01:47:32
Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Go
2022-10-13 22:18:33
Security Bulletin: Vulnerabilities in Linux Kernel, OpenSSL, Golang Go, and Zlib may affect IBM Spectrum Protect Plus
2022-09-17 06:09:13
veracode
veracode
Denial Of Service (DoS)
2022-06-08 08:17:14
Path Traversal
2022-08-03 12:23:06
Path Traversal
2022-08-02 14:28:27
prion
prion
Design/Logic Flaw
2022-08-01 22:15:00
Design/Logic Flaw
2022-06-07 16:15:00
Spoofing
2022-07-15 20:15:00
cve
cve
CVE-2022-31028
2022-06-07 16:15:00
CVE-2022-35919
2022-08-01 22:15:00
CVE-2022-29804
2022-08-10 20:15:00
osv
osv
CVE-2022-31028
2022-06-07 16:15:07
BIT-minio-2022-31028
2024-03-06 10:57:16
CVE-2022-35919
2022-08-01 22:15:10
alpinelinux
alpinelinux
CVE-2022-35919
2022-08-01 22:15:00
CVE-2022-29804
2022-08-10 20:15:00
CVE-2022-30634
2022-07-15 20:15:00
packetstorm
packetstorm
Minio 2022-07-29T19-40-48Z Path Traversal
2023-10-10 00:00:00
zdt
zdt
Minio 2022-07-29T19-40-48Z - Path traversal Exploit
2023-10-09 00:00:00
ubuntucve
ubuntucve
CVE-2022-30634
2022-07-15 00:00:00
CVE-2022-29804
2022-08-10 00:00:00
CVE-2022-30580
2022-08-10 00:00:00
debiancve
debiancve
CVE-2022-29804
2022-08-10 20:15:00
CVE-2022-30634
2022-07-15 20:15:00
CVE-2022-30580
2022-08-10 20:15:00
cbl_mariner
cbl_mariner
CVE-2022-30580 affecting package golang 1.18.3-1
2022-09-17 05:56:44
CVE-2022-30580 affecting package golang for versions less than 1.18.5-1
2022-09-16 06:05:39
CVE-2022-30629 affecting package golang 1.18.3-1
2022-09-17 05:56:44
redhatcve
redhatcve
CVE-2022-30580
2022-08-16 09:38:32
CVE-2022-30629
2022-06-07 02:29:59
exploitdb
exploitdb
Minio 2022-07-29T19-40-48Z - Path traversal
2023-10-09 00:00:00
mageia
mageia
Updated golang packages fix security vulnerability
2022-06-17 00:05:59
redhat
redhat
(RHSA-2022:6535) Low: OpenShift Container Platform 4.11.5 packages and security update
2022-09-20 16:09:58
(RHSA-2022:6102) Low: OpenShift Container Platform 4.11.1 packages and security update
2022-08-23 14:38:33
(RHSA-2023:2282) Moderate: podman security and bug fix update
2023-05-09 05:05:41
photon
photon
Important Photon OS Security Update - PHSA-2022-0242
2022-09-07 00:00:00
Important Photon OS Security Update - PHSA-2022-4.0-0242
2022-09-07 00:00:00
Critical Photon OS Security Update - PHSA-2022-0512
2022-09-06 00:00:00
almalinux
almalinux
Moderate: podman security and bug fix update
2023-05-09 00:00:00
Moderate: buildah security and bug fix update
2023-05-09 00:00:00
Moderate: containernetworking-plugins security and bug fix update
2023-05-09 00:00:00
redos
redos
ROS-20240327-01
2024-03-27 00:00:00
amazon
amazon
Important: golang
2023-04-13 19:28:00
Important: golang
2023-04-13 19:01:00
fedora
fedora
[SECURITY] Fedora 36 Update: caddy-2.4.6-3.fc36
2022-07-13 02:00:08
[SECURITY] Fedora 36 Update: golang-github-kalafut-imohash-1.0.2-3.fc36
2022-07-13 02:00:10
[SECURITY] Fedora 36 Update: git-octopus-2.0-0.4.beta.3.fc36.12
2022-07-13 02:00:09

0.002 Low

EPSS

Percentile

64.5%

JSON
Related for 5847C6A43B9374608436806349F8DF60D26A6BD6AA1E53665DE28690D684C5FF
suse2nessus32openvas35altlinux2freebsd1oraclelinux6cvelist6ibm13veracode7prion6cve6osv20alpinelinux5packetstorm1zdt1ubuntucve4debiancve4cbl_mariner4redhatcve2exploitdb1mageia1redhat6photon5almalinux4redos1amazon2fedora22