rhsa-2025_3051
Vulnerability from csaf_redhat
Published
2025-03-20 04:38
Modified
2025-03-27 16:22
Summary
Red Hat Security Advisory: Gatekeeper v3.17.2
Notes
Topic
Gatekeeper v3.17.2
Details
Gatekeeper v3.17.2
Gatekeeper is a validating admission webhook with auditing capabilities that
enforces policies defined as Kubernetes custom resources and evaluated by the
Open Policy Agent (OPA). Gatekeeper is supported through a Red Hat Advanced
Cluster Management for Kubernetes subscription.
Starting in v3.17, users can specify a `containerArguments` list of argument
names and values in both the audit and webhook configurations; the operator
passes them to the respective deployment. An entry is ignored if the operator
already sets that argument itself, or if the argument is on the operator's
deny list.
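The following Gatekeeper custom resource is an added illustration of the `containerArguments` feature described above; it is not taken from the advisory or from the operator's documentation. The `apiVersion` and `kind` are those of the Gatekeeper operator; the exact placement of `containerArguments` under `spec.audit` and `spec.webhook`, the `name`/`value` key names, and the assumption that `log-level` is not on the operator's deny list (the advisory does not list its contents) should be checked against the installed operator's CRD before use.

```yaml
# Added example: Gatekeeper operator CR passing extra arguments to the
# audit and webhook deployments. Field paths and key names are assumed
# from the advisory text; verify them against the installed CRD.
apiVersion: operator.gatekeeper.sh/v1alpha1
kind: Gatekeeper
metadata:
  name: gatekeeper
spec:
  audit:
    containerArguments:
      # assumed not to be on the operator's deny list; ignored if the
      # operator already sets it
      - name: log-level
        value: DEBUG
  webhook:
    containerArguments:
      - name: log-level
        value: INFO
```

After applying the resource, compare the rendered `args` of the audit and webhook Deployments with what you requested: any entry the operator already sets, or that is deny-listed, is silently dropped rather than rejected, so the only reliable confirmation is the running pod spec.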
Starting in v3.15, the following namespaces are exempt from admission
control:
* kube-*
* multicluster-engine
* hypershift
* hive
* rhacs-operator
* open-cluster-*
* openshift-*
To disable the default exempt namespaces, explicitly set the namespaces you
want exempted on the Gatekeeper object.
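The exempt list above uses Gatekeeper's namespace wildcards, which are easy to read too loosely. The script below is an added example, not part of the advisory or of the Gatekeeper project: it applies Gatekeeper's wildcard rule (a single `*` as the first or last character matches a suffix or prefix; anything else is an exact match) to the default list and reports which namespaces in a constructed cluster inventory would bypass admission control.

```python
"""Which namespaces are outside Gatekeeper admission control?

Added example; not part of this advisory or of the Gatekeeper project.
It applies Gatekeeper's namespace wildcard rule (a single '*' as the
first or last character matches a suffix or prefix; anything else is an
exact match) to the default exemption list quoted above, and reports
which of a constructed set of cluster namespaces are unpoliced.
"""

# Default exempt namespaces as listed in the advisory (operator v3.15+).
DEFAULT_EXEMPT = [
    "kube-*",
    "multicluster-engine",
    "hypershift",
    "hive",
    "rhacs-operator",
    "open-cluster-*",
    "openshift-*",
]


def matches(pattern: str, namespace: str) -> bool:
    """Gatekeeper-style wildcard: 'kube-*' (prefix), '*-system' (suffix) or exact."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return namespace.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return namespace.endswith(pattern[1:])
    return namespace == pattern


def is_exempt(namespace: str, patterns=DEFAULT_EXEMPT) -> bool:
    """True if any exemption pattern covers the namespace."""
    return any(matches(p, namespace) for p in patterns)


def partition(namespaces, patterns=DEFAULT_EXEMPT):
    """Split namespaces into (exempt, enforced), each sorted."""
    exempt = sorted(ns for ns in namespaces if is_exempt(ns, patterns))
    enforced = sorted(ns for ns in namespaces if not is_exempt(ns, patterns))
    return exempt, enforced


# Constructed stand-in for the output of `kubectl get namespaces`.
SAMPLE_NAMESPACES = [
    "default",
    "kube-system",
    "kube-public",
    "openshift-monitoring",
    "open-cluster-management",
    "hive",
    "rhacs-operator",
    "hypershift",
    "payments-prod",
    "team-openshift-tools",  # contains 'openshift-' but is not a prefix match
]

if __name__ == "__main__":
    exempt, enforced = partition(SAMPLE_NAMESPACES)
    print("exempt from admission control:", exempt)
    print("policies enforced:", enforced)
```

The practical caveat is the prefix patterns: any principal allowed to create namespaces can name one `openshift-anything` or `kube-anything` and place its workloads outside policy enforcement. If namespace creation is not tightly restricted, replace the wildcard entries with the exact namespaces you need, as the advisory describes.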
Security fix(es):
* golang.org/x/oauth2: Unexpected memory consumption during token parsing in
golang.org/x/oauth2 (CVE-2025-22868)
* golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of
golang.org/x/crypto/ssh (CVE-2025-22869)
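Both fixes are dependency bumps in vendored Go modules, so the useful check on an image is which module versions the binary was actually built with. The script below is an added example, not part of the advisory or of Gatekeeper: it parses the output of `go version -m <binary>` (a constructed sample with placeholder hashes is embedded) and flags the two modules when they predate the first fixed versions recorded in the Go vulnerability database entries the advisory references, golang.org/x/oauth2 v0.27.0 (GO-2025-3488) and golang.org/x/crypto v0.35.0 (GO-2025-3487).

```python
"""Flag a Go binary whose embedded module list predates the fixes.

Added example; not part of this advisory or of the Gatekeeper project.
`go version -m <binary>` prints the modules a Go binary was built with.
This parses that output (a constructed sample is embedded below, with
placeholder hashes) and reports the two modules named in the advisory
when they are older than the first versions carrying the fixes recorded
in the referenced Go vulnerability database entries: golang.org/x/oauth2
v0.27.0 (GO-2025-3488) and golang.org/x/crypto v0.35.0 (GO-2025-3487).
"""
import re
import sys

# module path -> (first fixed version, CVE), per the Go vuln DB entries above
FIXED_IN = {
    "golang.org/x/oauth2": ("v0.27.0", "CVE-2025-22868"),
    "golang.org/x/crypto": ("v0.35.0", "CVE-2025-22869"),
}

_SEMVER = re.compile(r"^v(\d+)\.(\d+)\.(\d+)")


def parse_semver(version: str):
    """Return (major, minor, patch). Pseudo-versions such as
    v0.0.0-20250101000000-abcdef123456 compare by their leading triple,
    which is conservative: they are flagged as older than any real release."""
    m = _SEMVER.match(version)
    if not m:
        raise ValueError(f"not a Go module version: {version!r}")
    return tuple(int(x) for x in m.groups())


def parse_go_version_m(text: str) -> dict:
    """Map module path -> version from `go version -m` output.

    Dependency lines look like '\\tdep\\t<path>\\t<version>\\t<hash>'.
    The 'path', 'mod', 'build' and '=>' (replace) lines are ignored.
    """
    deps = {}
    for line in text.splitlines():
        parts = [p for p in line.split("\t") if p != ""]  # drop leading tab
        if len(parts) >= 3 and parts[0] == "dep":
            deps[parts[1]] = parts[2]
    return deps


def vulnerable_modules(deps: dict, fixed_in=FIXED_IN):
    """Return [(path, have, fixed, cve)] for every tracked module older than its fix."""
    findings = []
    for path, (fixed, cve) in fixed_in.items():
        have = deps.get(path)
        if have is not None and parse_semver(have) < parse_semver(fixed):
            findings.append((path, have, fixed, cve))
    return findings


# Constructed sample output; module hashes are placeholders, not real sums.
SAMPLE_OLD = (
    "manager: go1.23.6\n"
    "\tpath\tgithub.com/open-policy-agent/gatekeeper/v3\n"
    "\tmod\tgithub.com/open-policy-agent/gatekeeper/v3\t(devel)\n"
    "\tdep\tgolang.org/x/crypto\tv0.32.0\th1:PLACEHOLDER=\n"
    "\tdep\tgolang.org/x/oauth2\tv0.25.0\th1:PLACEHOLDER=\n"
    "\tbuild\t-buildmode=exe\n"
)
SAMPLE_FIXED = SAMPLE_OLD.replace("v0.32.0", "v0.35.0").replace("v0.25.0", "v0.27.0")

if __name__ == "__main__":
    # Usage: go version -m /path/to/binary > mods.txt && python check.py mods.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OLD
    for path, have, fixed, cve in vulnerable_modules(parse_go_version_m(text)):
        print(f"{cve}: {path} {have} is older than {fixed}")
```

Run `go version -m` against the binary extracted from the image and feed the output to the script. A match only tells you the module version shipped; as the advisory's own note says, the CVSS scores describe the library flaws, not whether Gatekeeper reaches the affected `jws` token parsing or SSH key-exchange code. `govulncheck` on the source tree is the tool that answers the reachability question.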
Additional Release Notes:
* v3.17.0 https://github.com/open-policy-agent/gatekeeper/releases/tag/v3.17.0
* v3.17.1 https://github.com/open-policy-agent/gatekeeper/releases/tag/v3.17.1
* v3.17.2 https://github.com/open-policy-agent/gatekeeper/releases/tag/v3.17.2
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Gatekeeper v3.17.2", "title": "Topic" }, { "category": "general", "text": "Gatekeeper v3.17.2\n\nGatekeeper is a validating webhook with auditing capabilities that can\nenforce custom resource definition-based policies that are run with the\nOpen Policy Agent (OPA). Gatekeeper is supported through a Red Hat Advanced\nCluster Management for Kubernetes subscription.\n\nStarting in v3.17, users can specify a `containerArguments` list of names\nand values for both the audit and webhook configurations to be passed to\nthe respective deployment. These will be ignored if the argument has\nalready been set by the operator or specifies an argument listed in the\ndeny list.\n\nStarting in v3.15, the following namespaces are exempt from admission\ncontrol:\n\n* kube-*\n* multicluster-engine\n* hypershift\n* hive\n* rhacs-operator\n* open-cluster-*\n* openshift-*\n\nTo disable the default exempt namespaces, set the namespaces you want on\nthe object.\n\nSecurity fix(es):\n\n* golang.org/x/oauth2: Unexpected memory consumption during token parsing in\ngolang.org/x/oauth2 (CVE-2025-22868)\n* golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of\ngolang.org/x/crypto/ssh (CVE-2025-22869)\n\nAdditional Release Notes:\n\n* v3.17.0 https://github.com/open-policy-agent/gatekeeper/releases/tag/v3.17.0\n* v3.17.1 https://github.com/open-policy-agent/gatekeeper/releases/tag/v3.17.1\n* v3.17.2 https://github.com/open-policy-agent/gatekeeper/releases/tag/v3.17.2", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons 
Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2025:3051", "url": "https://access.redhat.com/errata/RHSA-2025:3051" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://github.com/open-policy-agent/gatekeeper/releases/tag/v3.17.0", "url": "https://github.com/open-policy-agent/gatekeeper/releases/tag/v3.17.0" }, { "category": "external", "summary": "https://github.com/open-policy-agent/gatekeeper/releases/tag/v3.17.1", "url": "https://github.com/open-policy-agent/gatekeeper/releases/tag/v3.17.1" }, { "category": "external", "summary": "https://github.com/open-policy-agent/gatekeeper/releases/tag/v3.17.2", "url": "https://github.com/open-policy-agent/gatekeeper/releases/tag/v3.17.2" }, { "category": "external", "summary": "2348366", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348366" }, { "category": "external", "summary": "2348367", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348367" }, { "category": "external", "summary": "ACM-18302", "url": "https://issues.redhat.com/browse/ACM-18302" }, { "category": "external", "summary": "ACM-18535", "url": "https://issues.redhat.com/browse/ACM-18535" }, { "category": "external", "summary": "HYPBLD-605", "url": 
"https://issues.redhat.com/browse/HYPBLD-605" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_3051.json" } ], "title": "Red Hat Security Advisory: Gatekeeper v3.17.2", "tracking": { "current_release_date": "2025-03-27T16:22:40+00:00", "generator": { "date": "2025-03-27T16:22:40+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.4.2" } }, "id": "RHSA-2025:3051", "initial_release_date": "2025-03-20T04:38:00+00:00", "revision_history": [ { "date": "2025-03-20T04:38:00+00:00", "number": "1", "summary": "Initial version" }, { "date": "2025-03-20T04:38:00+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-03-27T16:22:40+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "gatekeeper 3.17 for RHEL 9", "product": { "name": "gatekeeper 3.17 for RHEL 9", "product_id": "9Base-gatekeeper-3.17", "product_identification_helper": { "cpe": "cpe:/a:redhat:gatekeeper:3.17::el9" } } } ], "category": "product_family", "name": "gatekeeper" }, { "branches": [ { "category": "product_version", "name": "gatekeeper/gatekeeper-rhel9@sha256:ca290a799cd15897e62314cea4603653a1da7aa935db51640409b00e8361707e_s390x", "product": { "name": "gatekeeper/gatekeeper-rhel9@sha256:ca290a799cd15897e62314cea4603653a1da7aa935db51640409b00e8361707e_s390x", "product_id": "gatekeeper/gatekeeper-rhel9@sha256:ca290a799cd15897e62314cea4603653a1da7aa935db51640409b00e8361707e_s390x", "product_identification_helper": { "purl": "pkg:oci/gatekeeper-rhel9@sha256:ca290a799cd15897e62314cea4603653a1da7aa935db51640409b00e8361707e?arch=s390x\u0026repository_url=registry.redhat.io/gatekeeper/gatekeeper-rhel9\u0026tag=v3.17.2-5" } } }, { "category": "product_version", "name": 
"gatekeeper/gatekeeper-rhel9-operator@sha256:bf9faf7bf7730eaa2e95056b3082198e797a69bcec8122d54723f6216f34a0c8_s390x", "product": { "name": "gatekeeper/gatekeeper-rhel9-operator@sha256:bf9faf7bf7730eaa2e95056b3082198e797a69bcec8122d54723f6216f34a0c8_s390x", "product_id": "gatekeeper/gatekeeper-rhel9-operator@sha256:bf9faf7bf7730eaa2e95056b3082198e797a69bcec8122d54723f6216f34a0c8_s390x", "product_identification_helper": { "purl": "pkg:oci/gatekeeper-rhel9-operator@sha256:bf9faf7bf7730eaa2e95056b3082198e797a69bcec8122d54723f6216f34a0c8?arch=s390x\u0026repository_url=registry.redhat.io/gatekeeper/gatekeeper-rhel9-operator\u0026tag=v3.17.2-4" } } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "gatekeeper/gatekeeper-rhel9@sha256:f5d43f372597923ae1c363887da9accb50de207869d829ec09212db06cf3ac99_arm64", "product": { "name": "gatekeeper/gatekeeper-rhel9@sha256:f5d43f372597923ae1c363887da9accb50de207869d829ec09212db06cf3ac99_arm64", "product_id": "gatekeeper/gatekeeper-rhel9@sha256:f5d43f372597923ae1c363887da9accb50de207869d829ec09212db06cf3ac99_arm64", "product_identification_helper": { "purl": "pkg:oci/gatekeeper-rhel9@sha256:f5d43f372597923ae1c363887da9accb50de207869d829ec09212db06cf3ac99?arch=arm64\u0026repository_url=registry.redhat.io/gatekeeper/gatekeeper-rhel9\u0026tag=v3.17.2-5" } } }, { "category": "product_version", "name": "gatekeeper/gatekeeper-rhel9-operator@sha256:6cd467648f4101fa9ff4b6a497aaa2e76f2ff2c0021cfed5541aa7ffdeb4bc32_arm64", "product": { "name": "gatekeeper/gatekeeper-rhel9-operator@sha256:6cd467648f4101fa9ff4b6a497aaa2e76f2ff2c0021cfed5541aa7ffdeb4bc32_arm64", "product_id": "gatekeeper/gatekeeper-rhel9-operator@sha256:6cd467648f4101fa9ff4b6a497aaa2e76f2ff2c0021cfed5541aa7ffdeb4bc32_arm64", "product_identification_helper": { "purl": 
"pkg:oci/gatekeeper-rhel9-operator@sha256:6cd467648f4101fa9ff4b6a497aaa2e76f2ff2c0021cfed5541aa7ffdeb4bc32?arch=arm64\u0026repository_url=registry.redhat.io/gatekeeper/gatekeeper-rhel9-operator\u0026tag=v3.17.2-4" } } } ], "category": "architecture", "name": "arm64" }, { "branches": [ { "category": "product_version", "name": "gatekeeper/gatekeeper-rhel9@sha256:c5b1e6d081e1e79c2de7865aa99467b6a2e683735222fdb8f460771798ed7bca_ppc64le", "product": { "name": "gatekeeper/gatekeeper-rhel9@sha256:c5b1e6d081e1e79c2de7865aa99467b6a2e683735222fdb8f460771798ed7bca_ppc64le", "product_id": "gatekeeper/gatekeeper-rhel9@sha256:c5b1e6d081e1e79c2de7865aa99467b6a2e683735222fdb8f460771798ed7bca_ppc64le", "product_identification_helper": { "purl": "pkg:oci/gatekeeper-rhel9@sha256:c5b1e6d081e1e79c2de7865aa99467b6a2e683735222fdb8f460771798ed7bca?arch=ppc64le\u0026repository_url=registry.redhat.io/gatekeeper/gatekeeper-rhel9\u0026tag=v3.17.2-5" } } }, { "category": "product_version", "name": "gatekeeper/gatekeeper-rhel9-operator@sha256:825f94692807a950ed30efb98c5e05b6c3dd2ff2a4dd062cfe4ec276091f613d_ppc64le", "product": { "name": "gatekeeper/gatekeeper-rhel9-operator@sha256:825f94692807a950ed30efb98c5e05b6c3dd2ff2a4dd062cfe4ec276091f613d_ppc64le", "product_id": "gatekeeper/gatekeeper-rhel9-operator@sha256:825f94692807a950ed30efb98c5e05b6c3dd2ff2a4dd062cfe4ec276091f613d_ppc64le", "product_identification_helper": { "purl": "pkg:oci/gatekeeper-rhel9-operator@sha256:825f94692807a950ed30efb98c5e05b6c3dd2ff2a4dd062cfe4ec276091f613d?arch=ppc64le\u0026repository_url=registry.redhat.io/gatekeeper/gatekeeper-rhel9-operator\u0026tag=v3.17.2-4" } } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "gatekeeper/gatekeeper-rhel9@sha256:859cd273784a7553ec14754b726961376e0fd153d9e45f67dd38a5f6e35ae35e_amd64", "product": { "name": "gatekeeper/gatekeeper-rhel9@sha256:859cd273784a7553ec14754b726961376e0fd153d9e45f67dd38a5f6e35ae35e_amd64", 
"product_id": "gatekeeper/gatekeeper-rhel9@sha256:859cd273784a7553ec14754b726961376e0fd153d9e45f67dd38a5f6e35ae35e_amd64", "product_identification_helper": { "purl": "pkg:oci/gatekeeper-rhel9@sha256:859cd273784a7553ec14754b726961376e0fd153d9e45f67dd38a5f6e35ae35e?arch=amd64\u0026repository_url=registry.redhat.io/gatekeeper/gatekeeper-rhel9\u0026tag=v3.17.2-5" } } }, { "category": "product_version", "name": "gatekeeper/gatekeeper-operator-bundle@sha256:d96ab7824a0f334b595ec7034ce417ee81976d5617ce72fb693ad724483833fb_amd64", "product": { "name": "gatekeeper/gatekeeper-operator-bundle@sha256:d96ab7824a0f334b595ec7034ce417ee81976d5617ce72fb693ad724483833fb_amd64", "product_id": "gatekeeper/gatekeeper-operator-bundle@sha256:d96ab7824a0f334b595ec7034ce417ee81976d5617ce72fb693ad724483833fb_amd64", "product_identification_helper": { "purl": "pkg:oci/gatekeeper-operator-bundle@sha256:d96ab7824a0f334b595ec7034ce417ee81976d5617ce72fb693ad724483833fb?arch=amd64\u0026repository_url=registry.redhat.io/gatekeeper/gatekeeper-operator-bundle\u0026tag=v3.17.2-2" } } }, { "category": "product_version", "name": "gatekeeper/gatekeeper-rhel9-operator@sha256:8680d198102e84c2b69723f358560ecf684a7d55ca28537c2a3db2179454bc95_amd64", "product": { "name": "gatekeeper/gatekeeper-rhel9-operator@sha256:8680d198102e84c2b69723f358560ecf684a7d55ca28537c2a3db2179454bc95_amd64", "product_id": "gatekeeper/gatekeeper-rhel9-operator@sha256:8680d198102e84c2b69723f358560ecf684a7d55ca28537c2a3db2179454bc95_amd64", "product_identification_helper": { "purl": "pkg:oci/gatekeeper-rhel9-operator@sha256:8680d198102e84c2b69723f358560ecf684a7d55ca28537c2a3db2179454bc95?arch=amd64\u0026repository_url=registry.redhat.io/gatekeeper/gatekeeper-rhel9-operator\u0026tag=v3.17.2-4" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": 
"gatekeeper/gatekeeper-operator-bundle@sha256:d96ab7824a0f334b595ec7034ce417ee81976d5617ce72fb693ad724483833fb_amd64 as a component of gatekeeper 3.17 for RHEL 9", "product_id": "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-operator-bundle@sha256:d96ab7824a0f334b595ec7034ce417ee81976d5617ce72fb693ad724483833fb_amd64" }, "product_reference": "gatekeeper/gatekeeper-operator-bundle@sha256:d96ab7824a0f334b595ec7034ce417ee81976d5617ce72fb693ad724483833fb_amd64", "relates_to_product_reference": "9Base-gatekeeper-3.17" }, { "category": "default_component_of", "full_product_name": { "name": "gatekeeper/gatekeeper-rhel9-operator@sha256:6cd467648f4101fa9ff4b6a497aaa2e76f2ff2c0021cfed5541aa7ffdeb4bc32_arm64 as a component of gatekeeper 3.17 for RHEL 9", "product_id": "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9-operator@sha256:6cd467648f4101fa9ff4b6a497aaa2e76f2ff2c0021cfed5541aa7ffdeb4bc32_arm64" }, "product_reference": "gatekeeper/gatekeeper-rhel9-operator@sha256:6cd467648f4101fa9ff4b6a497aaa2e76f2ff2c0021cfed5541aa7ffdeb4bc32_arm64", "relates_to_product_reference": "9Base-gatekeeper-3.17" }, { "category": "default_component_of", "full_product_name": { "name": "gatekeeper/gatekeeper-rhel9-operator@sha256:825f94692807a950ed30efb98c5e05b6c3dd2ff2a4dd062cfe4ec276091f613d_ppc64le as a component of gatekeeper 3.17 for RHEL 9", "product_id": "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9-operator@sha256:825f94692807a950ed30efb98c5e05b6c3dd2ff2a4dd062cfe4ec276091f613d_ppc64le" }, "product_reference": "gatekeeper/gatekeeper-rhel9-operator@sha256:825f94692807a950ed30efb98c5e05b6c3dd2ff2a4dd062cfe4ec276091f613d_ppc64le", "relates_to_product_reference": "9Base-gatekeeper-3.17" }, { "category": "default_component_of", "full_product_name": { "name": "gatekeeper/gatekeeper-rhel9-operator@sha256:8680d198102e84c2b69723f358560ecf684a7d55ca28537c2a3db2179454bc95_amd64 as a component of gatekeeper 3.17 for RHEL 9", "product_id": 
"9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9-operator@sha256:8680d198102e84c2b69723f358560ecf684a7d55ca28537c2a3db2179454bc95_amd64" }, "product_reference": "gatekeeper/gatekeeper-rhel9-operator@sha256:8680d198102e84c2b69723f358560ecf684a7d55ca28537c2a3db2179454bc95_amd64", "relates_to_product_reference": "9Base-gatekeeper-3.17" }, { "category": "default_component_of", "full_product_name": { "name": "gatekeeper/gatekeeper-rhel9-operator@sha256:bf9faf7bf7730eaa2e95056b3082198e797a69bcec8122d54723f6216f34a0c8_s390x as a component of gatekeeper 3.17 for RHEL 9", "product_id": "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9-operator@sha256:bf9faf7bf7730eaa2e95056b3082198e797a69bcec8122d54723f6216f34a0c8_s390x" }, "product_reference": "gatekeeper/gatekeeper-rhel9-operator@sha256:bf9faf7bf7730eaa2e95056b3082198e797a69bcec8122d54723f6216f34a0c8_s390x", "relates_to_product_reference": "9Base-gatekeeper-3.17" }, { "category": "default_component_of", "full_product_name": { "name": "gatekeeper/gatekeeper-rhel9@sha256:859cd273784a7553ec14754b726961376e0fd153d9e45f67dd38a5f6e35ae35e_amd64 as a component of gatekeeper 3.17 for RHEL 9", "product_id": "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9@sha256:859cd273784a7553ec14754b726961376e0fd153d9e45f67dd38a5f6e35ae35e_amd64" }, "product_reference": "gatekeeper/gatekeeper-rhel9@sha256:859cd273784a7553ec14754b726961376e0fd153d9e45f67dd38a5f6e35ae35e_amd64", "relates_to_product_reference": "9Base-gatekeeper-3.17" }, { "category": "default_component_of", "full_product_name": { "name": "gatekeeper/gatekeeper-rhel9@sha256:c5b1e6d081e1e79c2de7865aa99467b6a2e683735222fdb8f460771798ed7bca_ppc64le as a component of gatekeeper 3.17 for RHEL 9", "product_id": "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9@sha256:c5b1e6d081e1e79c2de7865aa99467b6a2e683735222fdb8f460771798ed7bca_ppc64le" }, "product_reference": "gatekeeper/gatekeeper-rhel9@sha256:c5b1e6d081e1e79c2de7865aa99467b6a2e683735222fdb8f460771798ed7bca_ppc64le", 
"relates_to_product_reference": "9Base-gatekeeper-3.17" }, { "category": "default_component_of", "full_product_name": { "name": "gatekeeper/gatekeeper-rhel9@sha256:ca290a799cd15897e62314cea4603653a1da7aa935db51640409b00e8361707e_s390x as a component of gatekeeper 3.17 for RHEL 9", "product_id": "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9@sha256:ca290a799cd15897e62314cea4603653a1da7aa935db51640409b00e8361707e_s390x" }, "product_reference": "gatekeeper/gatekeeper-rhel9@sha256:ca290a799cd15897e62314cea4603653a1da7aa935db51640409b00e8361707e_s390x", "relates_to_product_reference": "9Base-gatekeeper-3.17" }, { "category": "default_component_of", "full_product_name": { "name": "gatekeeper/gatekeeper-rhel9@sha256:f5d43f372597923ae1c363887da9accb50de207869d829ec09212db06cf3ac99_arm64 as a component of gatekeeper 3.17 for RHEL 9", "product_id": "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9@sha256:f5d43f372597923ae1c363887da9accb50de207869d829ec09212db06cf3ac99_arm64" }, "product_reference": "gatekeeper/gatekeeper-rhel9@sha256:f5d43f372597923ae1c363887da9accb50de207869d829ec09212db06cf3ac99_arm64", "relates_to_product_reference": "9Base-gatekeeper-3.17" } ] }, "vulnerabilities": [ { "acknowledgments": [ { "names": [ "jub0bs" ] } ], "cve": "CVE-2025-22868", "cwe": { "id": "CWE-1286", "name": "Improper Validation of Syntactic Correctness of Input" }, "discovery_date": "2025-02-26T04:00:44.350024+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2348366" } ], "notes": [ { "category": "description", "text": "A flaw was found in golang.org/x/oauth2/jws package in the token parsing component. 
This vulnerability allows an attacker to cause excessive memory consumption via a malicious malformed token.", "title": "Vulnerability description" }, { "category": "summary", "text": "golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-operator-bundle@sha256:d96ab7824a0f334b595ec7034ce417ee81976d5617ce72fb693ad724483833fb_amd64", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9-operator@sha256:6cd467648f4101fa9ff4b6a497aaa2e76f2ff2c0021cfed5541aa7ffdeb4bc32_arm64", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9-operator@sha256:825f94692807a950ed30efb98c5e05b6c3dd2ff2a4dd062cfe4ec276091f613d_ppc64le", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9-operator@sha256:8680d198102e84c2b69723f358560ecf684a7d55ca28537c2a3db2179454bc95_amd64", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9-operator@sha256:bf9faf7bf7730eaa2e95056b3082198e797a69bcec8122d54723f6216f34a0c8_s390x", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9@sha256:859cd273784a7553ec14754b726961376e0fd153d9e45f67dd38a5f6e35ae35e_amd64", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9@sha256:c5b1e6d081e1e79c2de7865aa99467b6a2e683735222fdb8f460771798ed7bca_ppc64le", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9@sha256:ca290a799cd15897e62314cea4603653a1da7aa935db51640409b00e8361707e_s390x", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9@sha256:f5d43f372597923ae1c363887da9accb50de207869d829ec09212db06cf3ac99_arm64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2025-22868" 
}, { "category": "external", "summary": "RHBZ#2348366", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348366" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2025-22868", "url": "https://www.cve.org/CVERecord?id=CVE-2025-22868" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-22868", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22868" }, { "category": "external", "summary": "https://go.dev/cl/652155", "url": "https://go.dev/cl/652155" }, { "category": "external", "summary": "https://go.dev/issue/71490", "url": "https://go.dev/issue/71490" }, { "category": "external", "summary": "https://pkg.go.dev/vuln/GO-2025-3488", "url": "https://pkg.go.dev/vuln/GO-2025-3488" } ], "release_date": "2025-02-26T03:07:49.012000+00:00", "remediations": [ { "category": "vendor_fix", "date": "2025-03-20T04:38:00+00:00", "details": "For more information, see the following resources:\n\n* See the Gatekeeper\ndocumentation: https://open-policy-agent.github.io/gatekeeper/website/docs/.\n\n* For support and troubleshooting, Gatekeeper is supported through a Red Hat Advanced Cluster Management for\nKubernetes subscription:\nhttps://access.redhat.com/products/red-hat-advanced-cluster-management-for-kubernetes.\n\n* The Open Policy Agent Gatekeeper community collaborates on Slack. 
Join the \n#opa-gatekeeper channel: https://openpolicyagent.slack.com/archives/CDTN970AX.\n\n* Open issues on the Gatekeeper GitHub repository: https://github.com/open-policy-agent/gatekeeper/issues.\n\n* See the installation and upgrade documentation: https://open-policy-agent.github.io/gatekeeper/website/docs/install.", "product_ids": [ "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-operator-bundle@sha256:d96ab7824a0f334b595ec7034ce417ee81976d5617ce72fb693ad724483833fb_amd64", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9-operator@sha256:6cd467648f4101fa9ff4b6a497aaa2e76f2ff2c0021cfed5541aa7ffdeb4bc32_arm64", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9-operator@sha256:825f94692807a950ed30efb98c5e05b6c3dd2ff2a4dd062cfe4ec276091f613d_ppc64le", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9-operator@sha256:8680d198102e84c2b69723f358560ecf684a7d55ca28537c2a3db2179454bc95_amd64", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9-operator@sha256:bf9faf7bf7730eaa2e95056b3082198e797a69bcec8122d54723f6216f34a0c8_s390x", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9@sha256:859cd273784a7553ec14754b726961376e0fd153d9e45f67dd38a5f6e35ae35e_amd64", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9@sha256:c5b1e6d081e1e79c2de7865aa99467b6a2e683735222fdb8f460771798ed7bca_ppc64le", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9@sha256:ca290a799cd15897e62314cea4603653a1da7aa935db51640409b00e8361707e_s390x", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9@sha256:f5d43f372597923ae1c363887da9accb50de207869d829ec09212db06cf3ac99_arm64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2025:3051" }, { "category": "workaround", "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "product_ids": [ 
"9Base-gatekeeper-3.17:gatekeeper/gatekeeper-operator-bundle@sha256:d96ab7824a0f334b595ec7034ce417ee81976d5617ce72fb693ad724483833fb_amd64", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9-operator@sha256:6cd467648f4101fa9ff4b6a497aaa2e76f2ff2c0021cfed5541aa7ffdeb4bc32_arm64", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9-operator@sha256:825f94692807a950ed30efb98c5e05b6c3dd2ff2a4dd062cfe4ec276091f613d_ppc64le", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9-operator@sha256:8680d198102e84c2b69723f358560ecf684a7d55ca28537c2a3db2179454bc95_amd64", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9-operator@sha256:bf9faf7bf7730eaa2e95056b3082198e797a69bcec8122d54723f6216f34a0c8_s390x", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9@sha256:859cd273784a7553ec14754b726961376e0fd153d9e45f67dd38a5f6e35ae35e_amd64", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9@sha256:c5b1e6d081e1e79c2de7865aa99467b6a2e683735222fdb8f460771798ed7bca_ppc64le", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9@sha256:ca290a799cd15897e62314cea4603653a1da7aa935db51640409b00e8361707e_s390x", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9@sha256:f5d43f372597923ae1c363887da9accb50de207869d829ec09212db06cf3ac99_arm64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-operator-bundle@sha256:d96ab7824a0f334b595ec7034ce417ee81976d5617ce72fb693ad724483833fb_amd64", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9-operator@sha256:6cd467648f4101fa9ff4b6a497aaa2e76f2ff2c0021cfed5541aa7ffdeb4bc32_arm64", 
"9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9-operator@sha256:825f94692807a950ed30efb98c5e05b6c3dd2ff2a4dd062cfe4ec276091f613d_ppc64le", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9-operator@sha256:8680d198102e84c2b69723f358560ecf684a7d55ca28537c2a3db2179454bc95_amd64", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9-operator@sha256:bf9faf7bf7730eaa2e95056b3082198e797a69bcec8122d54723f6216f34a0c8_s390x", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9@sha256:859cd273784a7553ec14754b726961376e0fd153d9e45f67dd38a5f6e35ae35e_amd64", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9@sha256:c5b1e6d081e1e79c2de7865aa99467b6a2e683735222fdb8f460771798ed7bca_ppc64le", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9@sha256:ca290a799cd15897e62314cea4603653a1da7aa935db51640409b00e8361707e_s390x", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9@sha256:f5d43f372597923ae1c363887da9accb50de207869d829ec09212db06cf3ac99_arm64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws" }, { "cve": "CVE-2025-22869", "cwe": { "id": "CWE-770", "name": "Allocation of Resources Without Limits or Throttling" }, "discovery_date": "2025-02-26T04:00:47.683125+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2348367" } ], "notes": [ { "category": "description", "text": "A flaw was found in the golang.org/x/crypto/ssh package. SSH clients and servers are vulnerable to increased resource consumption, possibly leading to memory exhaustion and a DoS. 
This can occur during key exchange when the other party is slow to respond during key exchange.", "title": "Vulnerability description" }, { "category": "summary", "text": "golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh", "title": "Vulnerability summary" }, { "category": "other", "text": "While this flaw affects both SSH clients and servers implemented with golang.org/x/crypto/ssh, realistically the flaw will only lead to a DoS when transferring large files, greatly reducing the likelihood of exploitation.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-operator-bundle@sha256:d96ab7824a0f334b595ec7034ce417ee81976d5617ce72fb693ad724483833fb_amd64", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9-operator@sha256:6cd467648f4101fa9ff4b6a497aaa2e76f2ff2c0021cfed5541aa7ffdeb4bc32_arm64", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9-operator@sha256:825f94692807a950ed30efb98c5e05b6c3dd2ff2a4dd062cfe4ec276091f613d_ppc64le", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9-operator@sha256:8680d198102e84c2b69723f358560ecf684a7d55ca28537c2a3db2179454bc95_amd64", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9-operator@sha256:bf9faf7bf7730eaa2e95056b3082198e797a69bcec8122d54723f6216f34a0c8_s390x", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9@sha256:859cd273784a7553ec14754b726961376e0fd153d9e45f67dd38a5f6e35ae35e_amd64", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9@sha256:c5b1e6d081e1e79c2de7865aa99467b6a2e683735222fdb8f460771798ed7bca_ppc64le", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9@sha256:ca290a799cd15897e62314cea4603653a1da7aa935db51640409b00e8361707e_s390x", 
"9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9@sha256:f5d43f372597923ae1c363887da9accb50de207869d829ec09212db06cf3ac99_arm64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2025-22869" }, { "category": "external", "summary": "RHBZ#2348367", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348367" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2025-22869", "url": "https://www.cve.org/CVERecord?id=CVE-2025-22869" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-22869", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22869" }, { "category": "external", "summary": "https://go.dev/cl/652135", "url": "https://go.dev/cl/652135" }, { "category": "external", "summary": "https://go.dev/issue/71931", "url": "https://go.dev/issue/71931" }, { "category": "external", "summary": "https://pkg.go.dev/vuln/GO-2025-3487", "url": "https://pkg.go.dev/vuln/GO-2025-3487" } ], "release_date": "2025-02-26T03:07:48.855000+00:00", "remediations": [ { "category": "vendor_fix", "date": "2025-03-20T04:38:00+00:00", "details": "For more information, see the following resources:\n\n* See the Gatekeeper\ndocumentation: https://open-policy-agent.github.io/gatekeeper/website/docs/.\n\n* For support and troubleshooting, Gatekeeper is supported through a Red Hat Advanced Cluster Management for\nKubernetes subscription:\nhttps://access.redhat.com/products/red-hat-advanced-cluster-management-for-kubernetes.\n\n* The Open Policy Agent Gatekeeper community collaborates on Slack. 
Join the \n#opa-gatekeeper channel: https://openpolicyagent.slack.com/archives/CDTN970AX.\n\n* Open issues on the Gatekeeper GitHub repository: https://github.com/open-policy-agent/gatekeeper/issues.\n\n* See the installation and upgrade documentation: https://open-policy-agent.github.io/gatekeeper/website/docs/install.", "product_ids": [ "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-operator-bundle@sha256:d96ab7824a0f334b595ec7034ce417ee81976d5617ce72fb693ad724483833fb_amd64", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9-operator@sha256:6cd467648f4101fa9ff4b6a497aaa2e76f2ff2c0021cfed5541aa7ffdeb4bc32_arm64", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9-operator@sha256:825f94692807a950ed30efb98c5e05b6c3dd2ff2a4dd062cfe4ec276091f613d_ppc64le", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9-operator@sha256:8680d198102e84c2b69723f358560ecf684a7d55ca28537c2a3db2179454bc95_amd64", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9-operator@sha256:bf9faf7bf7730eaa2e95056b3082198e797a69bcec8122d54723f6216f34a0c8_s390x", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9@sha256:859cd273784a7553ec14754b726961376e0fd153d9e45f67dd38a5f6e35ae35e_amd64", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9@sha256:c5b1e6d081e1e79c2de7865aa99467b6a2e683735222fdb8f460771798ed7bca_ppc64le", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9@sha256:ca290a799cd15897e62314cea4603653a1da7aa935db51640409b00e8361707e_s390x", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9@sha256:f5d43f372597923ae1c363887da9accb50de207869d829ec09212db06cf3ac99_arm64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2025:3051" }, { "category": "workaround", "details": "This flaw can be mitigated when using the client only connecting to trusted servers.", "product_ids": [ "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-operator-bundle@sha256:d96ab7824a0f334b595ec7034ce417ee81976d5617ce72fb693ad724483833fb_amd64", 
"9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9-operator@sha256:6cd467648f4101fa9ff4b6a497aaa2e76f2ff2c0021cfed5541aa7ffdeb4bc32_arm64", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9-operator@sha256:825f94692807a950ed30efb98c5e05b6c3dd2ff2a4dd062cfe4ec276091f613d_ppc64le", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9-operator@sha256:8680d198102e84c2b69723f358560ecf684a7d55ca28537c2a3db2179454bc95_amd64", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9-operator@sha256:bf9faf7bf7730eaa2e95056b3082198e797a69bcec8122d54723f6216f34a0c8_s390x", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9@sha256:859cd273784a7553ec14754b726961376e0fd153d9e45f67dd38a5f6e35ae35e_amd64", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9@sha256:c5b1e6d081e1e79c2de7865aa99467b6a2e683735222fdb8f460771798ed7bca_ppc64le", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9@sha256:ca290a799cd15897e62314cea4603653a1da7aa935db51640409b00e8361707e_s390x", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9@sha256:f5d43f372597923ae1c363887da9accb50de207869d829ec09212db06cf3ac99_arm64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-operator-bundle@sha256:d96ab7824a0f334b595ec7034ce417ee81976d5617ce72fb693ad724483833fb_amd64", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9-operator@sha256:6cd467648f4101fa9ff4b6a497aaa2e76f2ff2c0021cfed5541aa7ffdeb4bc32_arm64", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9-operator@sha256:825f94692807a950ed30efb98c5e05b6c3dd2ff2a4dd062cfe4ec276091f613d_ppc64le", 
"9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9-operator@sha256:8680d198102e84c2b69723f358560ecf684a7d55ca28537c2a3db2179454bc95_amd64", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9-operator@sha256:bf9faf7bf7730eaa2e95056b3082198e797a69bcec8122d54723f6216f34a0c8_s390x", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9@sha256:859cd273784a7553ec14754b726961376e0fd153d9e45f67dd38a5f6e35ae35e_amd64", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9@sha256:c5b1e6d081e1e79c2de7865aa99467b6a2e683735222fdb8f460771798ed7bca_ppc64le", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9@sha256:ca290a799cd15897e62314cea4603653a1da7aa935db51640409b00e8361707e_s390x", "9Base-gatekeeper-3.17:gatekeeper/gatekeeper-rhel9@sha256:f5d43f372597923ae1c363887da9accb50de207869d829ec09212db06cf3ac99_arm64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh" } ] }