RHSA-2025:3172
Vulnerability from csaf_redhat - Published: 2025-03-25 19:58 - Updated: 2026-04-12 08:01Summary
Red Hat Security Advisory: VolSync 0.12.1 security fixes and enhancements for RHEL 9
Severity
Important
Notes
Topic: VolSync v0.12 general availability release images, which provide
enhancements, security fixes, and updated container images.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE links in the References section.
Details: VolSync v0.12.1 is a Kubernetes operator that enables asynchronous
replication of persistent volumes within a cluster, or across clusters. After
deploying the VolSync operator, it can create and maintain copies of your
persistent data.
For more information about VolSync, see:
https://docs.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.12/html/business_continuity/business-cont-overview#volsync
or the VolSync open source community website at:
https://volsync.readthedocs.io/en/stable/
This advisory contains enhancements and updates to the VolSync
container images.
Security fix(es):
* golang.org/x/oauth2: Unexpected memory consumption during token parsing in
golang.org/x/oauth2 (CVE-2025-22868)
* golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of
golang.org/x/crypto/ssh (CVE-2025-22869)
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in the `golang.org/x/oauth2/jws` package in the token parsing component. This vulnerability is made possible because of the use of `strings.Split(token, ".")` to split JWT tokens, which can lead to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this functionality by sending numerous malformed tokens and can trigger memory exhaustion and a Denial of Service.
7.5 (High)
Vendor Fix
For more details, see the Red Hat Advanced Cluster Management for Kubernetes
documentation:
https://docs.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.12/html/business_continuity/business-cont-overview#volsync
https://access.redhat.com/errata/RHSA-2025:3172
Workaround
To mitigate this vulnerability, it is recommended to pre-validate any payloads passed to `go-jose` to check that they do not contain an excessive amount of `.` characters.
A flaw was found in the golang.org/x/crypto/ssh package. SSH clients and servers are vulnerable to increased resource consumption, possibly leading to memory exhaustion and a DoS. This can occur during key exchange when the other party is slow to respond during key exchange.
7.5 (High)
Vendor Fix
For more details, see the Red Hat Advanced Cluster Management for Kubernetes
documentation:
https://docs.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.12/html/business_continuity/business-cont-overview#volsync
https://access.redhat.com/errata/RHSA-2025:3172
Workaround
This flaw can be mitigated when using the client only connecting to trusted servers.
References
Acknowledgments
jub0bs
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "VolSync v0.12 general availability release images, which provide\nenhancements, security fixes, and updated container images.\n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "VolSync v0.12.1 is a Kubernetes operator that enables asynchronous\nreplication of persistent volumes within a cluster, or across clusters. After\ndeploying the VolSync operator, it can create and maintain copies of your\npersistent data.\n\nFor more information about VolSync, see:\n\nhttps://docs.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.12/html/business_continuity/business-cont-overview#volsync\n\nor the VolSync open source community website at:\nhttps://volsync.readthedocs.io/en/stable/\n\nThis advisory contains enhancements and updates to the VolSync\ncontainer images.\n\nSecurity fix(es):\n\n* golang.org/x/oauth2: Unexpected memory consumption during token parsing in\ngolang.org/x/oauth2 (CVE-2025-22868)\n* golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of\ngolang.org/x/crypto/ssh (CVE-2025-22869)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:3172",
"url": "https://access.redhat.com/errata/RHSA-2025:3172"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2348366",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348366"
},
{
"category": "external",
"summary": "2348367",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348367"
},
{
"category": "external",
"summary": "ACM-19030",
"url": "https://issues.redhat.com/browse/ACM-19030"
},
{
"category": "external",
"summary": "HYPBLD-617",
"url": "https://issues.redhat.com/browse/HYPBLD-617"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_3172.json"
}
],
"title": "Red Hat Security Advisory: VolSync 0.12.1 security fixes and enhancements for RHEL 9",
"tracking": {
"current_release_date": "2026-04-12T08:01:23+00:00",
"generator": {
"date": "2026-04-12T08:01:23+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.5"
}
},
"id": "RHSA-2025:3172",
"initial_release_date": "2025-03-25T19:58:29+00:00",
"revision_history": [
{
"date": "2025-03-25T19:58:29+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-03-25T19:58:29+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-04-12T08:01:23+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
"product": {
"name": "Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
"product_id": "9Base-RHACM-2.13",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:acm:2.13::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat ACM"
},
{
"branches": [
{
"category": "product_version",
"name": "rhacm2/volsync-rhel9@sha256:ab0e5a22a273e298802437e3b4d083c8cfc55da6c23a43d7c840b740248bf110_amd64",
"product": {
"name": "rhacm2/volsync-rhel9@sha256:ab0e5a22a273e298802437e3b4d083c8cfc55da6c23a43d7c840b740248bf110_amd64",
"product_id": "rhacm2/volsync-rhel9@sha256:ab0e5a22a273e298802437e3b4d083c8cfc55da6c23a43d7c840b740248bf110_amd64",
"product_identification_helper": {
"purl": "pkg:oci/volsync-rhel9@sha256:ab0e5a22a273e298802437e3b4d083c8cfc55da6c23a43d7c840b740248bf110?arch=amd64\u0026repository_url=registry.redhat.io/rhacm2/volsync-rhel9\u0026tag=v0.12.1-2"
}
}
},
{
"category": "product_version",
"name": "rhacm2/volsync-operator-bundle@sha256:472aeeb4b0c06a3676d4e509de1648c88ef640490817e0ea2af8c9ee39660515_amd64",
"product": {
"name": "rhacm2/volsync-operator-bundle@sha256:472aeeb4b0c06a3676d4e509de1648c88ef640490817e0ea2af8c9ee39660515_amd64",
"product_id": "rhacm2/volsync-operator-bundle@sha256:472aeeb4b0c06a3676d4e509de1648c88ef640490817e0ea2af8c9ee39660515_amd64",
"product_identification_helper": {
"purl": "pkg:oci/volsync-operator-bundle@sha256:472aeeb4b0c06a3676d4e509de1648c88ef640490817e0ea2af8c9ee39660515?arch=amd64\u0026repository_url=registry.redhat.io/rhacm2/volsync-operator-bundle\u0026tag=v0.12.1-2"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "rhacm2/volsync-rhel9@sha256:66a98747656507d0b1dd379c8347ae2a738848998cec182716009d0a62a01b72_arm64",
"product": {
"name": "rhacm2/volsync-rhel9@sha256:66a98747656507d0b1dd379c8347ae2a738848998cec182716009d0a62a01b72_arm64",
"product_id": "rhacm2/volsync-rhel9@sha256:66a98747656507d0b1dd379c8347ae2a738848998cec182716009d0a62a01b72_arm64",
"product_identification_helper": {
"purl": "pkg:oci/volsync-rhel9@sha256:66a98747656507d0b1dd379c8347ae2a738848998cec182716009d0a62a01b72?arch=arm64\u0026repository_url=registry.redhat.io/rhacm2/volsync-rhel9\u0026tag=v0.12.1-2"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "rhacm2/volsync-rhel9@sha256:a6d4413161a9a15d7dafee13f132d1d6ebb5fc82d32876b8bbe055733d12a283_ppc64le",
"product": {
"name": "rhacm2/volsync-rhel9@sha256:a6d4413161a9a15d7dafee13f132d1d6ebb5fc82d32876b8bbe055733d12a283_ppc64le",
"product_id": "rhacm2/volsync-rhel9@sha256:a6d4413161a9a15d7dafee13f132d1d6ebb5fc82d32876b8bbe055733d12a283_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/volsync-rhel9@sha256:a6d4413161a9a15d7dafee13f132d1d6ebb5fc82d32876b8bbe055733d12a283?arch=ppc64le\u0026repository_url=registry.redhat.io/rhacm2/volsync-rhel9\u0026tag=v0.12.1-2"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "rhacm2/volsync-rhel9@sha256:7208a20dea4ee2c543dd6719493000fcc4b5a00d52a3d076decfee0d00c01c13_s390x",
"product": {
"name": "rhacm2/volsync-rhel9@sha256:7208a20dea4ee2c543dd6719493000fcc4b5a00d52a3d076decfee0d00c01c13_s390x",
"product_id": "rhacm2/volsync-rhel9@sha256:7208a20dea4ee2c543dd6719493000fcc4b5a00d52a3d076decfee0d00c01c13_s390x",
"product_identification_helper": {
"purl": "pkg:oci/volsync-rhel9@sha256:7208a20dea4ee2c543dd6719493000fcc4b5a00d52a3d076decfee0d00c01c13?arch=s390x\u0026repository_url=registry.redhat.io/rhacm2/volsync-rhel9\u0026tag=v0.12.1-2"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/volsync-operator-bundle@sha256:472aeeb4b0c06a3676d4e509de1648c88ef640490817e0ea2af8c9ee39660515_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
"product_id": "9Base-RHACM-2.13:rhacm2/volsync-operator-bundle@sha256:472aeeb4b0c06a3676d4e509de1648c88ef640490817e0ea2af8c9ee39660515_amd64"
},
"product_reference": "rhacm2/volsync-operator-bundle@sha256:472aeeb4b0c06a3676d4e509de1648c88ef640490817e0ea2af8c9ee39660515_amd64",
"relates_to_product_reference": "9Base-RHACM-2.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/volsync-rhel9@sha256:66a98747656507d0b1dd379c8347ae2a738848998cec182716009d0a62a01b72_arm64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
"product_id": "9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:66a98747656507d0b1dd379c8347ae2a738848998cec182716009d0a62a01b72_arm64"
},
"product_reference": "rhacm2/volsync-rhel9@sha256:66a98747656507d0b1dd379c8347ae2a738848998cec182716009d0a62a01b72_arm64",
"relates_to_product_reference": "9Base-RHACM-2.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/volsync-rhel9@sha256:7208a20dea4ee2c543dd6719493000fcc4b5a00d52a3d076decfee0d00c01c13_s390x as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
"product_id": "9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:7208a20dea4ee2c543dd6719493000fcc4b5a00d52a3d076decfee0d00c01c13_s390x"
},
"product_reference": "rhacm2/volsync-rhel9@sha256:7208a20dea4ee2c543dd6719493000fcc4b5a00d52a3d076decfee0d00c01c13_s390x",
"relates_to_product_reference": "9Base-RHACM-2.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/volsync-rhel9@sha256:a6d4413161a9a15d7dafee13f132d1d6ebb5fc82d32876b8bbe055733d12a283_ppc64le as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
"product_id": "9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:a6d4413161a9a15d7dafee13f132d1d6ebb5fc82d32876b8bbe055733d12a283_ppc64le"
},
"product_reference": "rhacm2/volsync-rhel9@sha256:a6d4413161a9a15d7dafee13f132d1d6ebb5fc82d32876b8bbe055733d12a283_ppc64le",
"relates_to_product_reference": "9Base-RHACM-2.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/volsync-rhel9@sha256:ab0e5a22a273e298802437e3b4d083c8cfc55da6c23a43d7c840b740248bf110_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
"product_id": "9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:ab0e5a22a273e298802437e3b4d083c8cfc55da6c23a43d7c840b740248bf110_amd64"
},
"product_reference": "rhacm2/volsync-rhel9@sha256:ab0e5a22a273e298802437e3b4d083c8cfc55da6c23a43d7c840b740248bf110_amd64",
"relates_to_product_reference": "9Base-RHACM-2.13"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"jub0bs"
]
}
],
"cve": "CVE-2025-22868",
"cwe": {
"id": "CWE-1286",
"name": "Improper Validation of Syntactic Correctness of Input"
},
"discovery_date": "2025-02-26T04:00:44.350024+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2348366"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the `golang.org/x/oauth2/jws` package in the token parsing component. This vulnerability is made possible because of the use of `strings.Split(token, \".\")` to split JWT tokens, which can lead to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this functionality by sending numerous malformed tokens and can trigger memory exhaustion and a Denial of Service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHACM-2.13:rhacm2/volsync-operator-bundle@sha256:472aeeb4b0c06a3676d4e509de1648c88ef640490817e0ea2af8c9ee39660515_amd64",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:66a98747656507d0b1dd379c8347ae2a738848998cec182716009d0a62a01b72_arm64",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:7208a20dea4ee2c543dd6719493000fcc4b5a00d52a3d076decfee0d00c01c13_s390x",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:a6d4413161a9a15d7dafee13f132d1d6ebb5fc82d32876b8bbe055733d12a283_ppc64le",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:ab0e5a22a273e298802437e3b4d083c8cfc55da6c23a43d7c840b740248bf110_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-22868"
},
{
"category": "external",
"summary": "RHBZ#2348366",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348366"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-22868",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22868"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-22868",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22868"
},
{
"category": "external",
"summary": "https://go.dev/cl/652155",
"url": "https://go.dev/cl/652155"
},
{
"category": "external",
"summary": "https://go.dev/issue/71490",
"url": "https://go.dev/issue/71490"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-3488",
"url": "https://pkg.go.dev/vuln/GO-2025-3488"
}
],
"release_date": "2025-02-26T03:07:49.012000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-03-25T19:58:29+00:00",
"details": "For more details, see the Red Hat Advanced Cluster Management for Kubernetes\ndocumentation:\n\nhttps://docs.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.12/html/business_continuity/business-cont-overview#volsync",
"product_ids": [
"9Base-RHACM-2.13:rhacm2/volsync-operator-bundle@sha256:472aeeb4b0c06a3676d4e509de1648c88ef640490817e0ea2af8c9ee39660515_amd64",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:66a98747656507d0b1dd379c8347ae2a738848998cec182716009d0a62a01b72_arm64",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:7208a20dea4ee2c543dd6719493000fcc4b5a00d52a3d076decfee0d00c01c13_s390x",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:a6d4413161a9a15d7dafee13f132d1d6ebb5fc82d32876b8bbe055733d12a283_ppc64le",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:ab0e5a22a273e298802437e3b4d083c8cfc55da6c23a43d7c840b740248bf110_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:3172"
},
{
"category": "workaround",
"details": "To mitigate this vulnerability, it is recommended to pre-validate any payloads passed to `go-jose` to check that they do not contain an excessive amount of `.` characters.",
"product_ids": [
"9Base-RHACM-2.13:rhacm2/volsync-operator-bundle@sha256:472aeeb4b0c06a3676d4e509de1648c88ef640490817e0ea2af8c9ee39660515_amd64",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:66a98747656507d0b1dd379c8347ae2a738848998cec182716009d0a62a01b72_arm64",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:7208a20dea4ee2c543dd6719493000fcc4b5a00d52a3d076decfee0d00c01c13_s390x",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:a6d4413161a9a15d7dafee13f132d1d6ebb5fc82d32876b8bbe055733d12a283_ppc64le",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:ab0e5a22a273e298802437e3b4d083c8cfc55da6c23a43d7c840b740248bf110_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHACM-2.13:rhacm2/volsync-operator-bundle@sha256:472aeeb4b0c06a3676d4e509de1648c88ef640490817e0ea2af8c9ee39660515_amd64",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:66a98747656507d0b1dd379c8347ae2a738848998cec182716009d0a62a01b72_arm64",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:7208a20dea4ee2c543dd6719493000fcc4b5a00d52a3d076decfee0d00c01c13_s390x",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:a6d4413161a9a15d7dafee13f132d1d6ebb5fc82d32876b8bbe055733d12a283_ppc64le",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:ab0e5a22a273e298802437e3b4d083c8cfc55da6c23a43d7c840b740248bf110_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws"
},
{
"cve": "CVE-2025-22869",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2025-02-26T04:00:47.683125+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2348367"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the golang.org/x/crypto/ssh package. SSH clients and servers are vulnerable to increased resource consumption, possibly leading to memory exhaustion and a DoS. This can occur during key exchange when the other party is slow to respond during key exchange.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "While this flaw affects both SSH clients and servers implemented with golang.org/x/crypto/ssh, realistically the flaw will only lead to a DoS when transferring large files, greatly reducing the likelihood of exploitation.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHACM-2.13:rhacm2/volsync-operator-bundle@sha256:472aeeb4b0c06a3676d4e509de1648c88ef640490817e0ea2af8c9ee39660515_amd64",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:66a98747656507d0b1dd379c8347ae2a738848998cec182716009d0a62a01b72_arm64",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:7208a20dea4ee2c543dd6719493000fcc4b5a00d52a3d076decfee0d00c01c13_s390x",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:a6d4413161a9a15d7dafee13f132d1d6ebb5fc82d32876b8bbe055733d12a283_ppc64le",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:ab0e5a22a273e298802437e3b4d083c8cfc55da6c23a43d7c840b740248bf110_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-22869"
},
{
"category": "external",
"summary": "RHBZ#2348367",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348367"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-22869",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22869"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-22869",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22869"
},
{
"category": "external",
"summary": "https://go.dev/cl/652135",
"url": "https://go.dev/cl/652135"
},
{
"category": "external",
"summary": "https://go.dev/issue/71931",
"url": "https://go.dev/issue/71931"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-3487",
"url": "https://pkg.go.dev/vuln/GO-2025-3487"
}
],
"release_date": "2025-02-26T03:07:48.855000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-03-25T19:58:29+00:00",
"details": "For more details, see the Red Hat Advanced Cluster Management for Kubernetes\ndocumentation:\n\nhttps://docs.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.12/html/business_continuity/business-cont-overview#volsync",
"product_ids": [
"9Base-RHACM-2.13:rhacm2/volsync-operator-bundle@sha256:472aeeb4b0c06a3676d4e509de1648c88ef640490817e0ea2af8c9ee39660515_amd64",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:66a98747656507d0b1dd379c8347ae2a738848998cec182716009d0a62a01b72_arm64",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:7208a20dea4ee2c543dd6719493000fcc4b5a00d52a3d076decfee0d00c01c13_s390x",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:a6d4413161a9a15d7dafee13f132d1d6ebb5fc82d32876b8bbe055733d12a283_ppc64le",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:ab0e5a22a273e298802437e3b4d083c8cfc55da6c23a43d7c840b740248bf110_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:3172"
},
{
"category": "workaround",
"details": "This flaw can be mitigated when using the client only connecting to trusted servers.",
"product_ids": [
"9Base-RHACM-2.13:rhacm2/volsync-operator-bundle@sha256:472aeeb4b0c06a3676d4e509de1648c88ef640490817e0ea2af8c9ee39660515_amd64",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:66a98747656507d0b1dd379c8347ae2a738848998cec182716009d0a62a01b72_arm64",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:7208a20dea4ee2c543dd6719493000fcc4b5a00d52a3d076decfee0d00c01c13_s390x",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:a6d4413161a9a15d7dafee13f132d1d6ebb5fc82d32876b8bbe055733d12a283_ppc64le",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:ab0e5a22a273e298802437e3b4d083c8cfc55da6c23a43d7c840b740248bf110_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHACM-2.13:rhacm2/volsync-operator-bundle@sha256:472aeeb4b0c06a3676d4e509de1648c88ef640490817e0ea2af8c9ee39660515_amd64",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:66a98747656507d0b1dd379c8347ae2a738848998cec182716009d0a62a01b72_arm64",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:7208a20dea4ee2c543dd6719493000fcc4b5a00d52a3d076decfee0d00c01c13_s390x",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:a6d4413161a9a15d7dafee13f132d1d6ebb5fc82d32876b8bbe055733d12a283_ppc64le",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:ab0e5a22a273e298802437e3b4d083c8cfc55da6c23a43d7c840b740248bf110_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…