Multiple vulnerabilities in OpenShift API for Data Protection (OADP) 1.0
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2021-41190 CVE-2021-29482 CVE-2021-3521 CVE-2021-4122 |
| CWE-ID | CWE-843 CWE-835 CWE-347 CWE-345 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
OpenShift API for Data Protection (OADP) Web applications / Modules and components for CMS |
| Vendor | Red Hat Inc. |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) Type Confusion
EUVDB-ID: #VU58229
Risk: Low
CVSSv4.0: 0.4 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-41190
CWE-ID:
CWE-843 - Type confusion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the system.
The vulnerability exists due to a type confusion error. A remote authenticated attacker can pass specially crafted data to the application, trigger a type confusion error and interpret the resulting content differently.
MitigationInstall updates from vendor's website.
OpenShift API for Data Protection (OADP): before 1.0.1
CPE2.3 External linkshttps://access.redhat.com/errata/RHSA-2022:0687
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Infinite loop
EUVDB-ID: #VU87849
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-29482
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due the function readUvarint used to read the xz container format may not terminate a loop providing malicious input. A remote attacker can consume all available system resources and cause denial of service conditions.
MitigationInstall updates from vendor's website.
OpenShift API for Data Protection (OADP): before 1.0.1
CPE2.3 External linkshttps://access.redhat.com/errata/RHSA-2022:0687
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Improper Verification of Cryptographic Signature
EUVDB-ID: #VU59993
Risk: Medium
CVSSv4.0: 6.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-3521
CWE-ID:
CWE-347 - Improper Verification of Cryptographic Signature
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to an error in RPM's signature functionality, as RPM does not check the binding signature of subkeys before importing them. A remote attacker with ability to add malicious subkey to a legitimate public key can run malicious code on the system.
Install updates from vendor's website.
OpenShift API for Data Protection (OADP): before 1.0.1
CPE2.3 External linkshttps://access.redhat.com/errata/RHSA-2022:0687
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Insufficient verification of data authenticity
EUVDB-ID: #VU63770
Risk: Medium
CVSSv4.0: 3.7 [CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-4122
CWE-ID:
CWE-345 - Insufficient Verification of Data Authenticity
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to escalate privileges on the system.
The vulnerability exists due to improper handling of the LUKS2 reencryption recover. A local attacker with physical access to the medium can send a specially crafted LUKS header and trick cryptsetup into disabling encryption during the recovery of the device.
Install updates from vendor's website.
OpenShift API for Data Protection (OADP): before 1.0.1
CPE2.3 External linkshttps://access.redhat.com/errata/RHSA-2022:0687
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
