rhsa-2025_3172
Vulnerability from csaf_redhat
Published
2025-03-25 19:58
Modified
2025-03-27 16:22
Summary
Red Hat Security Advisory: VolSync 0.12.1 security fixes and enhancements for RHEL 9

Notes

Topic
VolSync v0.12 general availability release images, which provide enhancements, security fixes, and updated container images. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.
Details
VolSync v0.12.1 is a Kubernetes operator that enables asynchronous replication of persistent volumes within a cluster, or across clusters. After deploying the VolSync operator, it can create and maintain copies of your persistent data. For more information about VolSync, see: https://docs.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.12/html/business_continuity/business-cont-overview#volsync or the VolSync open source community website at: https://volsync.readthedocs.io/en/stable/ This advisory contains enhancements and updates to the VolSync container images. Security fix(es): * golang.org/x/oauth2: Unexpected memory consumption during token parsing in golang.org/x/oauth2 (CVE-2025-22868) * golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh (CVE-2025-22869)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.


To clipboard 

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "VolSync v0.12 general availability release images, which provide\nenhancements, security fixes, and updated container images.\n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE links in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "VolSync v0.12.1 is a Kubernetes operator that enables asynchronous\nreplication of persistent volumes within a cluster, or across clusters. After\ndeploying the VolSync operator, it can create and maintain copies of your\npersistent data.\n\nFor more information about VolSync, see:\n\nhttps://docs.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.12/html/business_continuity/business-cont-overview#volsync\n\nor the VolSync open source community website at:\nhttps://volsync.readthedocs.io/en/stable/\n\nThis advisory contains enhancements and updates to the VolSync\ncontainer images.\n\nSecurity fix(es):\n\n* golang.org/x/oauth2: Unexpected memory consumption during token parsing in\ngolang.org/x/oauth2 (CVE-2025-22868)\n* golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of\ngolang.org/x/crypto/ssh (CVE-2025-22869)",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2025:3172",
        "url": "https://access.redhat.com/errata/RHSA-2025:3172"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "2348366",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348366"
      },
      {
        "category": "external",
        "summary": "2348367",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348367"
      },
      {
        "category": "external",
        "summary": "ACM-19030",
        "url": "https://issues.redhat.com/browse/ACM-19030"
      },
      {
        "category": "external",
        "summary": "HYPBLD-617",
        "url": "https://issues.redhat.com/browse/HYPBLD-617"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_3172.json"
      }
    ],
    "title": "Red Hat Security Advisory: VolSync 0.12.1 security fixes and enhancements for RHEL 9",
    "tracking": {
      "current_release_date": "2025-03-27T16:22:52+00:00",
      "generator": {
        "date": "2025-03-27T16:22:52+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.4.2"
        }
      },
      "id": "RHSA-2025:3172",
      "initial_release_date": "2025-03-25T19:58:29+00:00",
      "revision_history": [
        {
          "date": "2025-03-25T19:58:29+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2025-03-25T19:58:29+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-03-27T16:22:52+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
                "product": {
                  "name": "Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
                  "product_id": "9Base-RHACM-2.13",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:acm:2.13::el9"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat ACM"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rhacm2/volsync-rhel9@sha256:ab0e5a22a273e298802437e3b4d083c8cfc55da6c23a43d7c840b740248bf110_amd64",
                "product": {
                  "name": "rhacm2/volsync-rhel9@sha256:ab0e5a22a273e298802437e3b4d083c8cfc55da6c23a43d7c840b740248bf110_amd64",
                  "product_id": "rhacm2/volsync-rhel9@sha256:ab0e5a22a273e298802437e3b4d083c8cfc55da6c23a43d7c840b740248bf110_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/volsync-rhel9@sha256:ab0e5a22a273e298802437e3b4d083c8cfc55da6c23a43d7c840b740248bf110?arch=amd64\u0026repository_url=registry.redhat.io/rhacm2/volsync-rhel9\u0026tag=v0.12.1-2"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhacm2/volsync-operator-bundle@sha256:472aeeb4b0c06a3676d4e509de1648c88ef640490817e0ea2af8c9ee39660515_amd64",
                "product": {
                  "name": "rhacm2/volsync-operator-bundle@sha256:472aeeb4b0c06a3676d4e509de1648c88ef640490817e0ea2af8c9ee39660515_amd64",
                  "product_id": "rhacm2/volsync-operator-bundle@sha256:472aeeb4b0c06a3676d4e509de1648c88ef640490817e0ea2af8c9ee39660515_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/volsync-operator-bundle@sha256:472aeeb4b0c06a3676d4e509de1648c88ef640490817e0ea2af8c9ee39660515?arch=amd64\u0026repository_url=registry.redhat.io/rhacm2/volsync-operator-bundle\u0026tag=v0.12.1-2"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rhacm2/volsync-rhel9@sha256:66a98747656507d0b1dd379c8347ae2a738848998cec182716009d0a62a01b72_arm64",
                "product": {
                  "name": "rhacm2/volsync-rhel9@sha256:66a98747656507d0b1dd379c8347ae2a738848998cec182716009d0a62a01b72_arm64",
                  "product_id": "rhacm2/volsync-rhel9@sha256:66a98747656507d0b1dd379c8347ae2a738848998cec182716009d0a62a01b72_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/volsync-rhel9@sha256:66a98747656507d0b1dd379c8347ae2a738848998cec182716009d0a62a01b72?arch=arm64\u0026repository_url=registry.redhat.io/rhacm2/volsync-rhel9\u0026tag=v0.12.1-2"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "arm64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rhacm2/volsync-rhel9@sha256:a6d4413161a9a15d7dafee13f132d1d6ebb5fc82d32876b8bbe055733d12a283_ppc64le",
                "product": {
                  "name": "rhacm2/volsync-rhel9@sha256:a6d4413161a9a15d7dafee13f132d1d6ebb5fc82d32876b8bbe055733d12a283_ppc64le",
                  "product_id": "rhacm2/volsync-rhel9@sha256:a6d4413161a9a15d7dafee13f132d1d6ebb5fc82d32876b8bbe055733d12a283_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/volsync-rhel9@sha256:a6d4413161a9a15d7dafee13f132d1d6ebb5fc82d32876b8bbe055733d12a283?arch=ppc64le\u0026repository_url=registry.redhat.io/rhacm2/volsync-rhel9\u0026tag=v0.12.1-2"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rhacm2/volsync-rhel9@sha256:7208a20dea4ee2c543dd6719493000fcc4b5a00d52a3d076decfee0d00c01c13_s390x",
                "product": {
                  "name": "rhacm2/volsync-rhel9@sha256:7208a20dea4ee2c543dd6719493000fcc4b5a00d52a3d076decfee0d00c01c13_s390x",
                  "product_id": "rhacm2/volsync-rhel9@sha256:7208a20dea4ee2c543dd6719493000fcc4b5a00d52a3d076decfee0d00c01c13_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/volsync-rhel9@sha256:7208a20dea4ee2c543dd6719493000fcc4b5a00d52a3d076decfee0d00c01c13?arch=s390x\u0026repository_url=registry.redhat.io/rhacm2/volsync-rhel9\u0026tag=v0.12.1-2"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhacm2/volsync-operator-bundle@sha256:472aeeb4b0c06a3676d4e509de1648c88ef640490817e0ea2af8c9ee39660515_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
          "product_id": "9Base-RHACM-2.13:rhacm2/volsync-operator-bundle@sha256:472aeeb4b0c06a3676d4e509de1648c88ef640490817e0ea2af8c9ee39660515_amd64"
        },
        "product_reference": "rhacm2/volsync-operator-bundle@sha256:472aeeb4b0c06a3676d4e509de1648c88ef640490817e0ea2af8c9ee39660515_amd64",
        "relates_to_product_reference": "9Base-RHACM-2.13"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhacm2/volsync-rhel9@sha256:66a98747656507d0b1dd379c8347ae2a738848998cec182716009d0a62a01b72_arm64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
          "product_id": "9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:66a98747656507d0b1dd379c8347ae2a738848998cec182716009d0a62a01b72_arm64"
        },
        "product_reference": "rhacm2/volsync-rhel9@sha256:66a98747656507d0b1dd379c8347ae2a738848998cec182716009d0a62a01b72_arm64",
        "relates_to_product_reference": "9Base-RHACM-2.13"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhacm2/volsync-rhel9@sha256:7208a20dea4ee2c543dd6719493000fcc4b5a00d52a3d076decfee0d00c01c13_s390x as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
          "product_id": "9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:7208a20dea4ee2c543dd6719493000fcc4b5a00d52a3d076decfee0d00c01c13_s390x"
        },
        "product_reference": "rhacm2/volsync-rhel9@sha256:7208a20dea4ee2c543dd6719493000fcc4b5a00d52a3d076decfee0d00c01c13_s390x",
        "relates_to_product_reference": "9Base-RHACM-2.13"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhacm2/volsync-rhel9@sha256:a6d4413161a9a15d7dafee13f132d1d6ebb5fc82d32876b8bbe055733d12a283_ppc64le as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
          "product_id": "9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:a6d4413161a9a15d7dafee13f132d1d6ebb5fc82d32876b8bbe055733d12a283_ppc64le"
        },
        "product_reference": "rhacm2/volsync-rhel9@sha256:a6d4413161a9a15d7dafee13f132d1d6ebb5fc82d32876b8bbe055733d12a283_ppc64le",
        "relates_to_product_reference": "9Base-RHACM-2.13"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhacm2/volsync-rhel9@sha256:ab0e5a22a273e298802437e3b4d083c8cfc55da6c23a43d7c840b740248bf110_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
          "product_id": "9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:ab0e5a22a273e298802437e3b4d083c8cfc55da6c23a43d7c840b740248bf110_amd64"
        },
        "product_reference": "rhacm2/volsync-rhel9@sha256:ab0e5a22a273e298802437e3b4d083c8cfc55da6c23a43d7c840b740248bf110_amd64",
        "relates_to_product_reference": "9Base-RHACM-2.13"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "jub0bs"
          ]
        }
      ],
      "cve": "CVE-2025-22868",
      "cwe": {
        "id": "CWE-1286",
        "name": "Improper Validation of Syntactic Correctness of Input"
      },
      "discovery_date": "2025-02-26T04:00:44.350024+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2348366"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in golang.org/x/oauth2/jws package in the token parsing component. This vulnerability allows an attacker to cause excessive memory consumption via a malicious malformed token.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-RHACM-2.13:rhacm2/volsync-operator-bundle@sha256:472aeeb4b0c06a3676d4e509de1648c88ef640490817e0ea2af8c9ee39660515_amd64",
          "9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:66a98747656507d0b1dd379c8347ae2a738848998cec182716009d0a62a01b72_arm64",
          "9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:7208a20dea4ee2c543dd6719493000fcc4b5a00d52a3d076decfee0d00c01c13_s390x",
          "9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:a6d4413161a9a15d7dafee13f132d1d6ebb5fc82d32876b8bbe055733d12a283_ppc64le",
          "9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:ab0e5a22a273e298802437e3b4d083c8cfc55da6c23a43d7c840b740248bf110_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-22868"
        },
        {
          "category": "external",
          "summary": "RHBZ#2348366",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348366"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-22868",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-22868"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-22868",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22868"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/652155",
          "url": "https://go.dev/cl/652155"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/71490",
          "url": "https://go.dev/issue/71490"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2025-3488",
          "url": "https://pkg.go.dev/vuln/GO-2025-3488"
        }
      ],
      "release_date": "2025-02-26T03:07:49.012000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-03-25T19:58:29+00:00",
          "details": "For more details, see the Red Hat Advanced Cluster Management for Kubernetes\ndocumentation:\n\nhttps://docs.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.12/html/business_continuity/business-cont-overview#volsync",
          "product_ids": [
            "9Base-RHACM-2.13:rhacm2/volsync-operator-bundle@sha256:472aeeb4b0c06a3676d4e509de1648c88ef640490817e0ea2af8c9ee39660515_amd64",
            "9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:66a98747656507d0b1dd379c8347ae2a738848998cec182716009d0a62a01b72_arm64",
            "9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:7208a20dea4ee2c543dd6719493000fcc4b5a00d52a3d076decfee0d00c01c13_s390x",
            "9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:a6d4413161a9a15d7dafee13f132d1d6ebb5fc82d32876b8bbe055733d12a283_ppc64le",
            "9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:ab0e5a22a273e298802437e3b4d083c8cfc55da6c23a43d7c840b740248bf110_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:3172"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "9Base-RHACM-2.13:rhacm2/volsync-operator-bundle@sha256:472aeeb4b0c06a3676d4e509de1648c88ef640490817e0ea2af8c9ee39660515_amd64",
            "9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:66a98747656507d0b1dd379c8347ae2a738848998cec182716009d0a62a01b72_arm64",
            "9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:7208a20dea4ee2c543dd6719493000fcc4b5a00d52a3d076decfee0d00c01c13_s390x",
            "9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:a6d4413161a9a15d7dafee13f132d1d6ebb5fc82d32876b8bbe055733d12a283_ppc64le",
            "9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:ab0e5a22a273e298802437e3b4d083c8cfc55da6c23a43d7c840b740248bf110_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "9Base-RHACM-2.13:rhacm2/volsync-operator-bundle@sha256:472aeeb4b0c06a3676d4e509de1648c88ef640490817e0ea2af8c9ee39660515_amd64",
            "9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:66a98747656507d0b1dd379c8347ae2a738848998cec182716009d0a62a01b72_arm64",
            "9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:7208a20dea4ee2c543dd6719493000fcc4b5a00d52a3d076decfee0d00c01c13_s390x",
            "9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:a6d4413161a9a15d7dafee13f132d1d6ebb5fc82d32876b8bbe055733d12a283_ppc64le",
            "9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:ab0e5a22a273e298802437e3b4d083c8cfc55da6c23a43d7c840b740248bf110_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws"
    },
    {
      "cve": "CVE-2025-22869",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2025-02-26T04:00:47.683125+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2348367"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the golang.org/x/crypto/ssh package. SSH clients and servers are vulnerable to increased resource consumption, possibly leading to memory exhaustion and a DoS. This can occur during key exchange when the other party is slow to respond during key exchange.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "While this flaw affects both SSH clients and servers implemented with golang.org/x/crypto/ssh, realistically the flaw will only lead to a DoS when transferring large files, greatly reducing the likelihood of exploitation.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-RHACM-2.13:rhacm2/volsync-operator-bundle@sha256:472aeeb4b0c06a3676d4e509de1648c88ef640490817e0ea2af8c9ee39660515_amd64",
          "9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:66a98747656507d0b1dd379c8347ae2a738848998cec182716009d0a62a01b72_arm64",
          "9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:7208a20dea4ee2c543dd6719493000fcc4b5a00d52a3d076decfee0d00c01c13_s390x",
          "9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:a6d4413161a9a15d7dafee13f132d1d6ebb5fc82d32876b8bbe055733d12a283_ppc64le",
          "9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:ab0e5a22a273e298802437e3b4d083c8cfc55da6c23a43d7c840b740248bf110_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-22869"
        },
        {
          "category": "external",
          "summary": "RHBZ#2348367",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348367"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-22869",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-22869"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-22869",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22869"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/652135",
          "url": "https://go.dev/cl/652135"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/71931",
          "url": "https://go.dev/issue/71931"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2025-3487",
          "url": "https://pkg.go.dev/vuln/GO-2025-3487"
        }
      ],
      "release_date": "2025-02-26T03:07:48.855000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-03-25T19:58:29+00:00",
          "details": "For more details, see the Red Hat Advanced Cluster Management for Kubernetes\ndocumentation:\n\nhttps://docs.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.12/html/business_continuity/business-cont-overview#volsync",
          "product_ids": [
            "9Base-RHACM-2.13:rhacm2/volsync-operator-bundle@sha256:472aeeb4b0c06a3676d4e509de1648c88ef640490817e0ea2af8c9ee39660515_amd64",
            "9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:66a98747656507d0b1dd379c8347ae2a738848998cec182716009d0a62a01b72_arm64",
            "9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:7208a20dea4ee2c543dd6719493000fcc4b5a00d52a3d076decfee0d00c01c13_s390x",
            "9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:a6d4413161a9a15d7dafee13f132d1d6ebb5fc82d32876b8bbe055733d12a283_ppc64le",
            "9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:ab0e5a22a273e298802437e3b4d083c8cfc55da6c23a43d7c840b740248bf110_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:3172"
        },
        {
          "category": "workaround",
          "details": "This flaw can be mitigated when using the client only connecting to trusted servers.",
          "product_ids": [
            "9Base-RHACM-2.13:rhacm2/volsync-operator-bundle@sha256:472aeeb4b0c06a3676d4e509de1648c88ef640490817e0ea2af8c9ee39660515_amd64",
            "9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:66a98747656507d0b1dd379c8347ae2a738848998cec182716009d0a62a01b72_arm64",
            "9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:7208a20dea4ee2c543dd6719493000fcc4b5a00d52a3d076decfee0d00c01c13_s390x",
            "9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:a6d4413161a9a15d7dafee13f132d1d6ebb5fc82d32876b8bbe055733d12a283_ppc64le",
            "9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:ab0e5a22a273e298802437e3b4d083c8cfc55da6c23a43d7c840b740248bf110_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "9Base-RHACM-2.13:rhacm2/volsync-operator-bundle@sha256:472aeeb4b0c06a3676d4e509de1648c88ef640490817e0ea2af8c9ee39660515_amd64",
            "9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:66a98747656507d0b1dd379c8347ae2a738848998cec182716009d0a62a01b72_arm64",
            "9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:7208a20dea4ee2c543dd6719493000fcc4b5a00d52a3d076decfee0d00c01c13_s390x",
            "9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:a6d4413161a9a15d7dafee13f132d1d6ebb5fc82d32876b8bbe055733d12a283_ppc64le",
            "9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:ab0e5a22a273e298802437e3b4d083c8cfc55da6c23a43d7c840b740248bf110_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.