Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
redhatRedHatRHSA-2021:5086
HistoryDec 13, 2021 - 3:19 p.m.

(RHSA-2021:5086) Moderate: Red Hat OpenShift Data Foundation 4.9.0 enhancement, security, and bug fix update

2021-12-1315:19:23
access.redhat.com
31

8.6 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.007 Low

EPSS

Percentile

79.9%

JSON

Red Hat OpenShift Data Foundation is software-defined storage integrated
with and optimized for the Red Hat OpenShift Container Platform. Red Hat
OpenShift Data Foundation is a highly scalable, production-grade persistent
storage for stateful applications running in the Red Hat OpenShift
Container Platform. In addition to persistent storage, Red Hat OpenShift
Data Foundation provisions a multicloud data management service with an S3
compatible API.

Security Fix(es):

  • kubernetes: Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9 (CVE-2020-8565)

  • nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite (CVE-2021-32803)

  • nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite (CVE-2021-32804)

  • golang: net: lookup functions may return invalid host names (CVE-2021-33195)

  • golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty (CVE-2021-33197)

  • golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents (CVE-2021-33198)

  • golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558)

  • nodejs-tar: insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (CVE-2021-37701)

  • nodejs-tar: insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (CVE-2021-37712)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information refer to the CVE
page(s) listed in the References section.

These updated images include numerous enhancements and bug fixes. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat OpenShift Data Foundation Release Notes for information on the most significant of these changes:

https://access.redhat.com//documentation/en-us/red_hat_openshift_data_foundation/4.9/html/4.9_release_notes/index

All Red Hat OpenShift Data Foundation users are advised to upgrade to
these updated images, which provide numerous bug fixes and enhancements.

Related

redhat 22
mageia 2
nessus 39
amazon 1
ibm 26
freebsd 2
archlinux 1
osv 20
altlinux 3
suse 8
rocky 2
almalinux 3
hackerone 1
debian 2
prion 6
ubuntucve 7
debiancve 9
redhatcve 5
photon 2
nodejsblog 1
alpinelinux 6
cve 5
github 5
oraclelinux 2
gitlab 6
veracode 5
symantec 1
nodejs 4
cnvd 3
redhat
redhat
(RHSA-2021:5085) Moderate: Red Hat OpenShift Data Foundation 4.9.0 enhancement, security, and bug fix update
2021-12-13 15:18:58
(RHSA-2021:3009) Moderate: OpenShift Container Platform 4.6.42 security update
2021-08-12 00:25:04
(RHSA-2022:1329) Moderate: OpenShift Virtualization 4.8.5 RPMs security update
2022-04-12 14:54:57
mageia
mageia
Updated nodejs-tar packages fix security vulnerability
2022-03-21 23:18:30
Updated golang packages fix security vulnerabilities
2021-07-25 11:34:17
nessus
nessus
RHEL 8 : OpenShift Container Platform 4.6.42 (RHSA-2021:3009)
2021-08-16 00:00:00
EulerOS 2.0 SP9 : golang (EulerOS-SA-2021-2710)
2021-11-11 00:00:00
Amazon Linux AMI : golang (ALAS-2021-1527)
2021-09-09 00:00:00
amazon
amazon
Medium: golang
2021-09-02 22:54:00
ibm
ibm
Security Bulletin: Open Source Dependency Vulnerability
2023-05-15 18:33:20
Security Bulletin: IBM Cloud Pak for Integration is vulnerable to multiple Go vulnerabilities
2021-10-15 13:05:50
Security Bulletin: IBM QRadar Deployment Intelligence app for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities
2022-05-24 18:37:42
freebsd
freebsd
go -- multiple vulnerabilities
2021-05-01 00:00:00
Node.js -- August 2021 Security Releases (2)
2021-08-31 00:00:00
archlinux
archlinux
[ASA-202106-42] go: multiple issues
2021-06-15 00:00:00
osv
osv
Moderate: go-toolset:rhel8 security, bug fix, and enhancement update
2021-11-09 08:25:49
Moderate: go-toolset:rhel8 security, bug fix, and enhancement update
2021-11-09 08:25:49
CVE-2021-32804
2021-08-03 19:15:08
altlinux
altlinux
Security fix for the ALT Linux 10 package golang version 1.16.5-alt1
2021-06-05 00:00:00
Security fix for the ALT Linux 9 package golang version 1.15.13-alt1
2021-06-07 00:00:00
Security fix for the ALT Linux 10 package node version 14.17.6-alt1
2021-09-01 00:00:00
suse
suse
Security update for go1.15 (important)
2021-07-01 00:00:00
Security update for go1.16 (important)
2021-06-28 00:00:00
Security update for go1.15 (important)
2021-06-30 00:00:00
rocky
rocky
go-toolset:rhel8 security, bug fix, and enhancement update
2021-11-09 08:25:49
grafana security, bug fix, and enhancement update
2021-11-09 08:46:47
almalinux
almalinux
Moderate: go-toolset:rhel8 security, bug fix, and enhancement update
2021-11-09 08:25:49
Moderate: grafana security, bug fix, and enhancement update
2021-11-09 08:46:47
Moderate: buildah security and bug fix update
2022-11-15 00:00:00
hackerone
hackerone
Kubernetes: CVE-2019-11250 remains in effect.
2020-08-06 17:42:21
debian
debian
[SECURITY] [DSA 5008-1] node-tar security update
2021-11-11 21:57:59
[SECURITY] [DLA 3237-1] node-tar security update
2022-12-12 14:15:54
prion
prion
Design/Logic Flaw
2021-08-03 19:15:00
Design/Logic Flaw
2019-08-29 01:15:00
Remote code execution
2021-08-31 17:15:00
ubuntucve
ubuntucve
CVE-2021-32804
2021-08-03 00:00:00
CVE-2019-11250
2019-08-29 00:00:00
CVE-2021-37712
2021-08-31 00:00:00
debiancve
debiancve
CVE-2021-32804
2021-08-03 19:15:00
CVE-2019-11250
2019-08-29 01:15:00
CVE-2021-37712
2021-08-31 17:15:00
redhatcve
redhatcve
CVE-2020-8565
2020-10-16 00:02:11
CVE-2019-11250
2019-08-13 02:23:16
CVE-2021-37701
2021-08-31 17:10:03
photon
photon
Important Photon OS Security Update - PHSA-2021-0294
2021-09-02 00:00:00
Important Photon OS Security Update - PHSA-2021-3.0-0294
2021-09-02 00:00:00
nodejsblog
nodejsblog
August 31 2021 Security Releases
2021-08-31 00:00:00
alpinelinux
alpinelinux
CVE-2021-32804
2021-08-03 19:15:00
CVE-2021-37712
2021-08-31 17:15:00
CVE-2021-32803
2021-08-03 19:15:00
cve
cve
CVE-2021-32804
2021-08-03 19:15:00
CVE-2019-11250
2019-08-29 01:15:00
CVE-2021-37712
2021-08-31 17:15:00
github
github
Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization
2021-08-03 19:06:36
GitHub security update: Vulnerabilities in tar and @npmcli/arborist
2021-09-08 16:00:32
Kubernetes client-go library logs may disclose credentials to unauthorized users
2022-05-24 16:55:06
oraclelinux
oraclelinux
grafana security, bug fix, and enhancement update
2021-11-16 00:00:00
buildah security and bug fix update
2022-11-22 00:00:00
gitlab
gitlab
Credentials Management
2019-08-29 00:00:00
Insertion of Sensitive Information into Log File
2022-05-24 00:00:00
Insertion of Sensitive Information into Log File
2022-05-24 00:00:00
veracode
veracode
Information Disclosure
2019-08-14 02:24:54
Symlink Attack
2021-09-01 04:59:17
Privilege Escalation
2021-08-05 05:45:17
symantec
symantec
Kubernetes CVE-2019-11250 Information Disclosure Vulnerability
2019-08-13 00:00:00
nodejs
nodejs
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links
2021-08-31 16:10:17
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning
2021-08-03 18:14:17
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links
2021-08-31 16:10:07
cnvd
cnvd
Google Golang has an unspecified vulnerability (CNVD-2022-02629)
2021-06-30 00:00:00
Google Golang has an unspecified vulnerability
2021-06-30 00:00:00
Google Golang Trust Management Issue Vulnerability
2021-07-19 00:00:00

8.6 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.007 Low

EPSS

Percentile

79.9%

JSON
Related for RHSA-2021:5086
redhat22mageia2nessus39amazon1ibm26freebsd2archlinux1osv20altlinux3suse8rocky2almalinux3hackerone1debian2prion6ubuntucve7debiancve9redhatcve5photon2nodejsblog1alpinelinux6cve5github5oraclelinux2gitlab6veracode5symantec1nodejs4cnvd3