RHSA-2024:1859: Moderate: OpenShift API for Data Protection (OADP) 1.3.1 security and bug fix update

The recent security and bug fix update for OpenShift API for Data Protection (OADP) version 1.3.1, designated RHSA-2024:1859, addresses multiple vulnerabilities across the versions and libraries the software uses. This update is important for maintaining the integrity, confidentiality, and availability of the data managed by OADP.

Critical Vulnerabilities Addressed:

  • CVE-2023-45142: This vulnerability in OpenTelemetry-Go Contrib could lead to memory exhaustion because unfiltered HTTP methods and user agents were recorded as attribute values, potentially allowing attackers to disrupt services. The update mitigates this by restricting attribute values and providing safer default configurations.
  • CVE-2023-45287: Before Go 1.20, RSA-based TLS key exchanges used non-constant-time operations, possibly exposing them to timing attacks. This has been rectified in Go 1.20 with a constant-time RSA implementation.
  • CVE-2023-39326: This issue pertains to the handling of HTTP chunk extensions, which could cause a reader to consume excessive data and lead to a potential denial of service. The update corrects how chunked-encoding metadata is processed and limits the ratio of extension data to body data.
  • CVE-2023-48795: Known as the Terrapin attack, this flaw in the SSH transport protocol allows remote attackers to bypass integrity checks. The update includes stricter sequence-number handling and key-exchange negotiation to prevent downgraded connections.
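The proportional limit described for CVE-2023-39326 can be illustrated with a small chunked-body decoder that charges every byte of chunk-extension data against a budget tied to the payload actually delivered. This is an added example, not code from Go's net/http, from OADP, or from the advisory; the allowance and ratio constants are assumed values chosen for the demonstration, and the sample streams are constructed.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// Assumed budget for the demonstration: a fixed allowance so small bodies can
// still carry a legitimate extension, plus a per-body-byte ratio so the
// extension budget grows only as real payload arrives.
const (
	extensionAllowance = 256 // bytes of extension data always permitted
	extensionRatio     = 4   // extra extension bytes permitted per body byte
)

var errExcessiveExtensions = errors.New("chunked body: chunk extension data exceeds limit")

// readChunked decodes a chunked transfer-encoded body. Everything after ';' on
// a chunk-size line is extension data; it is counted and, once it outgrows the
// budget earned by the payload, decoding stops instead of reading indefinitely.
func readChunked(r io.Reader) ([]byte, error) {
	br := bufio.NewReader(r)
	var body []byte
	extBytes := 0
	for {
		line, err := br.ReadString('\n')
		if err != nil {
			return body, err
		}
		sizeStr, ext, _ := strings.Cut(strings.TrimRight(line, "\r\n"), ";")
		extBytes += len(ext)
		if extBytes > extensionAllowance+extensionRatio*len(body) {
			return body, errExcessiveExtensions
		}
		size, err := strconv.ParseUint(strings.TrimSpace(sizeStr), 16, 32)
		if err != nil {
			return body, fmt.Errorf("chunked body: bad chunk size %q", sizeStr)
		}
		if size == 0 {
			return body, nil // last chunk; trailers are not handled here
		}
		n := int(size)
		data := make([]byte, n+2) // chunk payload plus its trailing CRLF
		if _, err := io.ReadFull(br, data); err != nil {
			return body, err
		}
		body = append(body, data[:n]...)
	}
}
```

A stream such as `"5;name=value\r\nhello\r\n0\r\n\r\n"` decodes to `hello`, while a constructed stream of one-byte chunks each padded with hundreds of bytes of extension data is rejected with errExcessiveExtensions after the budget is exhausted.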

This update is not merely a reaction to existing threats but also a proactive measure to strengthen the security resilience of environments running OADP. Organizations using OpenShift and its Data Protection API should prioritize this update to guard against both known and potential vulnerabilities.

For detailed installation and patch management instructions, visit linuxpatch.com. Ensuring your systems are up-to-date is critical to maintaining a secure operational environment.