Security Bulletin: Vulnerabilities in Golang Go and MinIO may affect IBM Spectrum Plus Container Backup and Restore for Kubernetes and Red Hat OpenShift (CVE-2022-29804, CVE-2022-30580, CVE-2022-30629, CVE-2022-30634, CVE-2022-35919, CVE-2022-31028)

Vulnerability Details

CVEID:   CVE-2022-29804
DESCRIPTION:   Golang Go could allow a local attacker to bypass security restrictions, caused by a flaw in the filepath.Clean function. By sending a specially-crafted request, an attacker could exploit this vulnerability to convert an invalid path to a valid, absolute path.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/229857 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:   CVE-2022-30580
DESCRIPTION:   Golang Go could allow a local attacker to execute arbitrary code on the system, caused by a flaw when Cmd.Run, cmd.Start, cmd.Output, or cmd.CombinedOutput are executed when Cmd.Path is unset. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/229858 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2022-30629
DESCRIPTION:   Golang Go could allow a remote attacker to obtain sensitive information, caused by an issue with session tickets generated by crypto/tls did not contain a randomly generated ticket_age_add. By comparing ticket ages during session resumption, an attacker could exploit this vulnerability to observe TLS handshakes information to correlate successive connections.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/229859 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:   CVE-2022-30634
DESCRIPTION:   Golang Go is vulnerable to a denial of service, caused by improper input validation. By sending a specially-crafted request using large buffers, a remote attacker could exploit this vulnerability to cause rand.Read to hang,a and results in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/229860 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2022-35919
DESCRIPTION:   MinIO could allow a remote authenticated attacker to traverse directories on the system, caused by improper validation of user requests by the ServerUpdate API. An attacker could send a specially-crafted request to selectively trigger an error using the admin:ServerUpdate action and view arbitrary files that are readable by the MinIO process on the system.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/232582 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L)

CVEID:   CVE-2022-31028
DESCRIPTION:   MinIO is vulnerable to a denial of service, caused by an issue with an unending go-routine buildup while keeping connections established. By sending a specially-crafted request using anonymous HTTP clients, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/228045 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)