Moderate: OpenShift API for Data Protection (OADP) 1.1.0 security and bug fix update

Topic

OpenShift API for Data Protection (OADP) 1.1.0 is now available.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

Description

OpenShift API for Data Protection (OADP) enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes.

Security Fix(es) from Bugzilla:

• golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)
• prometheus/client_golang: Denial of service using InstrumentHandlerCounter (CVE-2022-21698)
• golang: encoding/pem: fix stack overflow in Decode (CVE-2022-24675)
• golang: crypto/elliptic: panic caused by oversized scalar (CVE-2022-28327)
• golang: crypto/tls: session tickets lack random ticket_age_add (CVE-2022-30629)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• OpenShift API for Data Protection 1 x86_64

Fixes

• BZ - 2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter
• BZ - 2077688 - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode
• BZ - 2077689 - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar
• BZ - 2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add
• BZ - 2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read
• OADP-154 - Ensure support for backing up resources based on different label selectors
• OADP-199 - Enable support for restore of existing resources
• OADP-224 - Restore silently ignore resources if they exist - restore log not updated
• OADP-225 - Restore doesn't update velero.io/backup-name when a resource is updated
• OADP-234 - Implementation of incremental restore
• OADP-422 - [GCP] An attempt of snapshoting volumes on CSI storageclass using Velero-native snapshots fails because it's unable to find the zone
• OADP-423 - CSI Backup is not blocked and does not wait for snapshot to complete
• OADP-478 - volumesnapshotcontent cannot be deleted; SnapshotDeleteError Failed to delete snapshot
• OADP-528 - The volumesnapshotcontent is not removed for the synced backup
• OADP-533 - OADP Backup via Ceph CSI snapshot hangs indefinitely on OpenShift v4.10
• OADP-558 - Empty Failed Backup CRs can't be removed
• OADP-585 - OADP 1.0.3: CSI functionality is broken on OCP 4.11 due to missing v1beta1 API version
• OADP-586 - registry deployment still exists on 1.1 build, and the registry pod gets recreated endlessly
• OADP-597 - BSL validation logs
• OADP-538 - typo on noDefaultBackupLocation error on DPA CR
• OADP-607 - DataMover: VSB is stuck on SnapshotBackupDone
• OADP-600 - Operator should validate volsync installation and raise warning if data mover is enabled
• OADP-552 - Validate OADP with 4.11 and Pod Security Admissions
• OADP-637 - Restic backup fails with CA certificate
• OADP-599 - [Data Mover] Datamover Restic secret cannot be configured per bsl
• OADP-652 - Data mover VolSync pod errors with Noobaa
• OADP-598 - Data mover performance on backup blocks backup process
• OADP-648 - Remove default limits for velero and restic pods
• OADP-655 - DataMover: volsync-dst-vsr pod completes although not all items where restored in the namespace
• OADP-194 - Remove the registry dependency from OADP
• OADP-324 - Add label to Expired backups failing garbage collection
• OADP-613 - DataMover: upstream documentation refers wrong CRs
• OADP-592 - OADP must-gather add support for insecure tls
• OADP-602 - Support GCP for openshift-velero-plugin registry
• OADP-643 - [Data Mover] VSB and VSR names are not unique
• OADP-660 - Data mover restic secret does not support Azure
• OADP-145 - Restic Restore stuck on InProgress status when app is deployed with DeploymentConfig
• OADP-610 - Data mover fails if a stale volumesnapshot exists in application namespace
• OADP-605 - [OCP 4.11] CSI restore fails with admission webhook \"volumesnapshotclasses.snapshot.storage.k8s.io\" denied
• OADP-644 - VolumeSnapshotBackup and VolumeSnapshotRestore timeouts should be configurable
• OADP-698 - DataMover: volume-snapshot-mover pod points to upstream image
• OADP-382 - 1.1: Update downstream OLM channels to support different x and y-stream releases
• OADP-715 - Restic restore fails: restic-wait container continuously fails with "Not found: /restores/<pod-volume>/.velero/<restore-UID>"
• OADP-716 - Incremental restore: second restore of a namespace partially fails
• OADP-736 - Data mover VSB always fails with volsync 0.5

CVEs

• CVE-2021-3634
• CVE-2021-40528
• CVE-2022-1271
• CVE-2022-1292
• CVE-2022-1586
• CVE-2022-2068
• CVE-2022-2097
• CVE-2022-21698
• CVE-2022-24675
• CVE-2022-25313
• CVE-2022-25314
• CVE-2022-26691
• CVE-2022-28327
• CVE-2022-29154
• CVE-2022-29824
• CVE-2022-30629
• CVE-2022-30631
• CVE-2022-32206
• CVE-2022-32208

References

• https://access.redhat.com/security/updates/classification/#moderate