RHSA-2025:3959
Vulnerability from csaf_redhat - Published: 2025-04-16 21:10 - Updated: 2026-03-19 01:26
Summary
Red Hat Security Advisory: VolSync 0.11.2 security fixes and enhancements for RHEL 9
Severity
Important
Notes
Topic: VolSync v0.11.2 general availability release images, which provide
enhancements, security fixes, and updated container images.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE links in the References section.
Details: VolSync v0.11.2 is a Kubernetes operator that enables asynchronous replication
of persistent volumes within a cluster, or across clusters. After deploying
the VolSync operator, it can create and maintain copies of your persistent
data.
For more information about VolSync, see:
https://docs.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.10/html/business_continuity/business-cont-overview#volsync
or the VolSync open source community website at:
https://volsync.readthedocs.io/en/stable/
This advisory contains enhancements and updates to the VolSync
container images.
Security fix(es):
* golang.org/x/oauth2: Unexpected memory consumption during token parsing in golang.org/x/oauth2 (CVE-2025-22868)
* golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh (CVE-2025-22869)
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
CVE-2025-22868
A flaw was found in the `golang.org/x/oauth2/jws` package in the token parsing component. This vulnerability is made possible because of the use of `strings.Split(token, ".")` to split JWT tokens, which can lead to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this functionality by sending numerous malformed tokens and can trigger memory exhaustion and a Denial of Service.
CVSS v3.1 base score: 7.5 (High)
Vendor Fix
For more details, see the Red Hat Advanced Cluster Management for Kubernetes
documentation:
https://docs.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.12/html/business_continuity/business-cont-overview#volsync
https://access.redhat.com/errata/RHSA-2025:3959
Workaround
To mitigate this vulnerability, it is recommended to pre-validate any payloads passed to `go-jose` to check that they do not contain an excessive amount of `.` characters.
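The workaround above is a pre-validation step in front of the token parser. The following is an added example (not Red Hat's code and not the golang.org/x/oauth2 or go-jose implementation) of what such a check can look like in Go: it scans the token once, counting `.` separators and checking the base64url alphabet, so a token with a huge number of dots is rejected without ever building the slice that `strings.Split(token, ".")` would allocate. The names `PreValidateJWS`, `maxTokenBytes`, `SplitSegments` and the error values are this example's own; the size limit is an assumed value, and `SplitSegments` only exists to show how the pre-fix split grows with the number of dots on a small constructed input. The advisory text names `go-jose` while the flaw it describes is in `golang.org/x/oauth2/jws`; the check is the same whichever parser receives the token.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// A JWS compact serialization is header.payload.signature: exactly three
// segments, so exactly two '.' separators (RFC 7515). The signature may be
// empty (unsecured JWS), header and payload may not.
const jwsSeparators = 2

// maxTokenBytes is an assumed upper bound on a token accepted from the
// network; pick a value that fits the tokens your deployment actually issues.
const maxTokenBytes = 8 * 1024

var (
	ErrTokenTooLong = errors.New("token exceeds size limit")
	ErrBadSegments  = errors.New("token does not have exactly three segments")
	ErrEmptySegment = errors.New("token header or payload segment is empty")
	ErrBadChar      = errors.New("token contains a character outside base64url")
)

// isBase64URL reports whether c is in the unpadded base64url alphabet used
// by compact serialization ('=' padding is not permitted there).
func isBase64URL(c byte) bool {
	return c >= 'A' && c <= 'Z' || c >= 'a' && c <= 'z' ||
		c >= '0' && c <= '9' || c == '-' || c == '_'
}

// PreValidateJWS rejects malformed tokens before they reach a parser that
// splits on '.'. It runs in O(len(token)) time with O(1) extra memory.
func PreValidateJWS(token string) error {
	if len(token) > maxTokenBytes {
		return ErrTokenTooLong
	}
	dots, segLen := 0, 0
	for i := 0; i < len(token); i++ {
		c := token[i]
		switch {
		case c == '.':
			if dots == jwsSeparators {
				return ErrBadSegments // a third '.' means too many segments
			}
			if segLen == 0 {
				return ErrEmptySegment // empty header or payload
			}
			dots++
			segLen = 0
		case isBase64URL(c):
			segLen++
		default:
			return ErrBadChar
		}
	}
	if dots != jwsSeparators {
		return ErrBadSegments
	}
	return nil
}

// SplitSegments shows the pre-fix behaviour the advisory describes: the
// result of strings.Split grows with the number of '.' in the input.
func SplitSegments(token string) int {
	return len(strings.Split(token, "."))
}

func main() {
	// Constructed inputs: a well-formed unsecured JWS, and a dot-heavy token.
	good := "eyJhbGciOiJub25lIn0.e30."
	bad := strings.Repeat(".", 1000)
	fmt.Println("good:", PreValidateJWS(good))                 // <nil>
	fmt.Println("bad: ", PreValidateJWS(bad))                  // rejected
	fmt.Println("strings.Split on bad:", SplitSegments(bad))   // 1001 elements
}
```

Run the check on every token read from the network before handing it to the JWS parser; it is a stopgap that reduces exposure, not a substitute for applying the vendor fix this advisory ships.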
CVE-2025-22869
A flaw was found in the golang.org/x/crypto/ssh package. SSH clients and servers are vulnerable to increased resource consumption, possibly leading to memory exhaustion and a DoS. This can occur during key exchange when the other party is slow to respond.
CVSS v3.1 base score: 7.5 (High)
Vendor Fix
For more details, see the Red Hat Advanced Cluster Management for Kubernetes
documentation:
https://docs.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.12/html/business_continuity/business-cont-overview#volsync
https://access.redhat.com/errata/RHSA-2025:3959
Workaround
On the client side, this flaw can be mitigated by only connecting to trusted servers.
References
Acknowledgments
jub0bs
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "VolSync v0.11.2 general availability release images, which provide\nenhancements, security fixes, and updated container images.\n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "VolSync v0.11.2 is a Kubernetes operator that enables asynchronous replication\nof persistent volumes within a cluster, or across clusters. After deploying\nthe VolSync operator, it can create and maintain copies of your persistent\ndata.\n\nFor more information about VolSync, see:\n\nhttps://docs.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.10/html/business_continuity/business-cont-overview#volsync\n\nor the VolSync open source community website at:\nhttps://volsync.readthedocs.io/en/stable/\n\nThis advisory contains enhancements and updates to the VolSync\ncontainer images.\n\nSecurity fix(es):\n\n* golang.org/x/oauth2: Unexpected memory consumption during token parsing in\ngolang.org/x/oauth2 (CVE-2025-22868)\n* golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of\ngolang.org/x/crypto/ssh (CVE-2025-22869)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:3959",
"url": "https://access.redhat.com/errata/RHSA-2025:3959"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2348366",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348366"
},
{
"category": "external",
"summary": "2348367",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348367"
},
{
"category": "external",
"summary": "ACM-19031",
"url": "https://issues.redhat.com/browse/ACM-19031"
},
{
"category": "external",
"summary": "HYPBLD-618",
"url": "https://issues.redhat.com/browse/HYPBLD-618"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_3959.json"
}
],
"title": "Red Hat Security Advisory: VolSync 0.11.2 security fixes and enhancements for RHEL 9",
"tracking": {
"current_release_date": "2026-03-19T01:26:37+00:00",
"generator": {
"date": "2026-03-19T01:26:37+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.3"
}
},
"id": "RHSA-2025:3959",
"initial_release_date": "2025-04-16T21:10:52+00:00",
"revision_history": [
{
"date": "2025-04-16T21:10:52+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-04-16T21:10:52+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-03-19T01:26:37+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Advanced Cluster Management for Kubernetes 2.12 for RHEL 9",
"product": {
"name": "Red Hat Advanced Cluster Management for Kubernetes 2.12 for RHEL 9",
"product_id": "9Base-RHACM-2.12",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:acm:2.12::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat ACM"
},
{
"branches": [
{
"category": "product_version",
"name": "rhacm2/volsync-rhel9@sha256:fa18cbf3efd16da8e961ab1077fe5af57aa041f09a38220ae733a2bb5c1ad6d0_amd64",
"product": {
"name": "rhacm2/volsync-rhel9@sha256:fa18cbf3efd16da8e961ab1077fe5af57aa041f09a38220ae733a2bb5c1ad6d0_amd64",
"product_id": "rhacm2/volsync-rhel9@sha256:fa18cbf3efd16da8e961ab1077fe5af57aa041f09a38220ae733a2bb5c1ad6d0_amd64",
"product_identification_helper": {
"purl": "pkg:oci/volsync-rhel9@sha256:fa18cbf3efd16da8e961ab1077fe5af57aa041f09a38220ae733a2bb5c1ad6d0?arch=amd64\u0026repository_url=registry.redhat.io/rhacm2/volsync-rhel9\u0026tag=v0.11.2-9"
}
}
},
{
"category": "product_version",
"name": "rhacm2/volsync-operator-bundle@sha256:f7e36802f5857a4e5300a140f58195a1472b67d69bee85333db63a4229604fee_amd64",
"product": {
"name": "rhacm2/volsync-operator-bundle@sha256:f7e36802f5857a4e5300a140f58195a1472b67d69bee85333db63a4229604fee_amd64",
"product_id": "rhacm2/volsync-operator-bundle@sha256:f7e36802f5857a4e5300a140f58195a1472b67d69bee85333db63a4229604fee_amd64",
"product_identification_helper": {
"purl": "pkg:oci/volsync-operator-bundle@sha256:f7e36802f5857a4e5300a140f58195a1472b67d69bee85333db63a4229604fee?arch=amd64\u0026repository_url=registry.redhat.io/rhacm2/volsync-operator-bundle\u0026tag=v0.11.2-8"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "rhacm2/volsync-rhel9@sha256:81a293e795d4ded647062667465916cafa23605aa139f4ed56da2fae38dcd3a8_s390x",
"product": {
"name": "rhacm2/volsync-rhel9@sha256:81a293e795d4ded647062667465916cafa23605aa139f4ed56da2fae38dcd3a8_s390x",
"product_id": "rhacm2/volsync-rhel9@sha256:81a293e795d4ded647062667465916cafa23605aa139f4ed56da2fae38dcd3a8_s390x",
"product_identification_helper": {
"purl": "pkg:oci/volsync-rhel9@sha256:81a293e795d4ded647062667465916cafa23605aa139f4ed56da2fae38dcd3a8?arch=s390x\u0026repository_url=registry.redhat.io/rhacm2/volsync-rhel9\u0026tag=v0.11.2-9"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "rhacm2/volsync-rhel9@sha256:4f4d48d1aec8bca6a2bb1d913c444d8e3aed17fb84c892dc07644baf2b0aa97d_arm64",
"product": {
"name": "rhacm2/volsync-rhel9@sha256:4f4d48d1aec8bca6a2bb1d913c444d8e3aed17fb84c892dc07644baf2b0aa97d_arm64",
"product_id": "rhacm2/volsync-rhel9@sha256:4f4d48d1aec8bca6a2bb1d913c444d8e3aed17fb84c892dc07644baf2b0aa97d_arm64",
"product_identification_helper": {
"purl": "pkg:oci/volsync-rhel9@sha256:4f4d48d1aec8bca6a2bb1d913c444d8e3aed17fb84c892dc07644baf2b0aa97d?arch=arm64\u0026repository_url=registry.redhat.io/rhacm2/volsync-rhel9\u0026tag=v0.11.2-9"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "rhacm2/volsync-rhel9@sha256:dc85bc3665640b14ba36e221020da1f6681c681005be89923302bc294fd5dfe2_ppc64le",
"product": {
"name": "rhacm2/volsync-rhel9@sha256:dc85bc3665640b14ba36e221020da1f6681c681005be89923302bc294fd5dfe2_ppc64le",
"product_id": "rhacm2/volsync-rhel9@sha256:dc85bc3665640b14ba36e221020da1f6681c681005be89923302bc294fd5dfe2_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/volsync-rhel9@sha256:dc85bc3665640b14ba36e221020da1f6681c681005be89923302bc294fd5dfe2?arch=ppc64le\u0026repository_url=registry.redhat.io/rhacm2/volsync-rhel9\u0026tag=v0.11.2-9"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/volsync-operator-bundle@sha256:f7e36802f5857a4e5300a140f58195a1472b67d69bee85333db63a4229604fee_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.12 for RHEL 9",
"product_id": "9Base-RHACM-2.12:rhacm2/volsync-operator-bundle@sha256:f7e36802f5857a4e5300a140f58195a1472b67d69bee85333db63a4229604fee_amd64"
},
"product_reference": "rhacm2/volsync-operator-bundle@sha256:f7e36802f5857a4e5300a140f58195a1472b67d69bee85333db63a4229604fee_amd64",
"relates_to_product_reference": "9Base-RHACM-2.12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/volsync-rhel9@sha256:4f4d48d1aec8bca6a2bb1d913c444d8e3aed17fb84c892dc07644baf2b0aa97d_arm64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.12 for RHEL 9",
"product_id": "9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:4f4d48d1aec8bca6a2bb1d913c444d8e3aed17fb84c892dc07644baf2b0aa97d_arm64"
},
"product_reference": "rhacm2/volsync-rhel9@sha256:4f4d48d1aec8bca6a2bb1d913c444d8e3aed17fb84c892dc07644baf2b0aa97d_arm64",
"relates_to_product_reference": "9Base-RHACM-2.12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/volsync-rhel9@sha256:81a293e795d4ded647062667465916cafa23605aa139f4ed56da2fae38dcd3a8_s390x as a component of Red Hat Advanced Cluster Management for Kubernetes 2.12 for RHEL 9",
"product_id": "9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:81a293e795d4ded647062667465916cafa23605aa139f4ed56da2fae38dcd3a8_s390x"
},
"product_reference": "rhacm2/volsync-rhel9@sha256:81a293e795d4ded647062667465916cafa23605aa139f4ed56da2fae38dcd3a8_s390x",
"relates_to_product_reference": "9Base-RHACM-2.12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/volsync-rhel9@sha256:dc85bc3665640b14ba36e221020da1f6681c681005be89923302bc294fd5dfe2_ppc64le as a component of Red Hat Advanced Cluster Management for Kubernetes 2.12 for RHEL 9",
"product_id": "9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:dc85bc3665640b14ba36e221020da1f6681c681005be89923302bc294fd5dfe2_ppc64le"
},
"product_reference": "rhacm2/volsync-rhel9@sha256:dc85bc3665640b14ba36e221020da1f6681c681005be89923302bc294fd5dfe2_ppc64le",
"relates_to_product_reference": "9Base-RHACM-2.12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/volsync-rhel9@sha256:fa18cbf3efd16da8e961ab1077fe5af57aa041f09a38220ae733a2bb5c1ad6d0_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.12 for RHEL 9",
"product_id": "9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:fa18cbf3efd16da8e961ab1077fe5af57aa041f09a38220ae733a2bb5c1ad6d0_amd64"
},
"product_reference": "rhacm2/volsync-rhel9@sha256:fa18cbf3efd16da8e961ab1077fe5af57aa041f09a38220ae733a2bb5c1ad6d0_amd64",
"relates_to_product_reference": "9Base-RHACM-2.12"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"jub0bs"
]
}
],
"cve": "CVE-2025-22868",
"cwe": {
"id": "CWE-1286",
"name": "Improper Validation of Syntactic Correctness of Input"
},
"discovery_date": "2025-02-26T04:00:44.350024+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2348366"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the `golang.org/x/oauth2/jws` package in the token parsing component. This vulnerability is made possible because of the use of `strings.Split(token, \".\")` to split JWT tokens, which can lead to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this functionality by sending numerous malformed tokens and can trigger memory exhaustion and a Denial of Service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHACM-2.12:rhacm2/volsync-operator-bundle@sha256:f7e36802f5857a4e5300a140f58195a1472b67d69bee85333db63a4229604fee_amd64",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:4f4d48d1aec8bca6a2bb1d913c444d8e3aed17fb84c892dc07644baf2b0aa97d_arm64",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:81a293e795d4ded647062667465916cafa23605aa139f4ed56da2fae38dcd3a8_s390x",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:dc85bc3665640b14ba36e221020da1f6681c681005be89923302bc294fd5dfe2_ppc64le",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:fa18cbf3efd16da8e961ab1077fe5af57aa041f09a38220ae733a2bb5c1ad6d0_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-22868"
},
{
"category": "external",
"summary": "RHBZ#2348366",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348366"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-22868",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22868"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-22868",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22868"
},
{
"category": "external",
"summary": "https://go.dev/cl/652155",
"url": "https://go.dev/cl/652155"
},
{
"category": "external",
"summary": "https://go.dev/issue/71490",
"url": "https://go.dev/issue/71490"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-3488",
"url": "https://pkg.go.dev/vuln/GO-2025-3488"
}
],
"release_date": "2025-02-26T03:07:49.012000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-04-16T21:10:52+00:00",
"details": "For more details, see the Red Hat Advanced Cluster Management for Kubernetes\ndocumentation:\n\nhttps://docs.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.12/html/business_continuity/business-cont-overview#volsync",
"product_ids": [
"9Base-RHACM-2.12:rhacm2/volsync-operator-bundle@sha256:f7e36802f5857a4e5300a140f58195a1472b67d69bee85333db63a4229604fee_amd64",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:4f4d48d1aec8bca6a2bb1d913c444d8e3aed17fb84c892dc07644baf2b0aa97d_arm64",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:81a293e795d4ded647062667465916cafa23605aa139f4ed56da2fae38dcd3a8_s390x",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:dc85bc3665640b14ba36e221020da1f6681c681005be89923302bc294fd5dfe2_ppc64le",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:fa18cbf3efd16da8e961ab1077fe5af57aa041f09a38220ae733a2bb5c1ad6d0_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:3959"
},
{
"category": "workaround",
"details": "To mitigate this vulnerability, it is recommended to pre-validate any payloads passed to `go-jose` to check that they do not contain an excessive amount of `.` characters.",
"product_ids": [
"9Base-RHACM-2.12:rhacm2/volsync-operator-bundle@sha256:f7e36802f5857a4e5300a140f58195a1472b67d69bee85333db63a4229604fee_amd64",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:4f4d48d1aec8bca6a2bb1d913c444d8e3aed17fb84c892dc07644baf2b0aa97d_arm64",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:81a293e795d4ded647062667465916cafa23605aa139f4ed56da2fae38dcd3a8_s390x",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:dc85bc3665640b14ba36e221020da1f6681c681005be89923302bc294fd5dfe2_ppc64le",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:fa18cbf3efd16da8e961ab1077fe5af57aa041f09a38220ae733a2bb5c1ad6d0_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHACM-2.12:rhacm2/volsync-operator-bundle@sha256:f7e36802f5857a4e5300a140f58195a1472b67d69bee85333db63a4229604fee_amd64",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:4f4d48d1aec8bca6a2bb1d913c444d8e3aed17fb84c892dc07644baf2b0aa97d_arm64",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:81a293e795d4ded647062667465916cafa23605aa139f4ed56da2fae38dcd3a8_s390x",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:dc85bc3665640b14ba36e221020da1f6681c681005be89923302bc294fd5dfe2_ppc64le",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:fa18cbf3efd16da8e961ab1077fe5af57aa041f09a38220ae733a2bb5c1ad6d0_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws"
},
{
"cve": "CVE-2025-22869",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2025-02-26T04:00:47.683125+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2348367"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the golang.org/x/crypto/ssh package. SSH clients and servers are vulnerable to increased resource consumption, possibly leading to memory exhaustion and a DoS. This can occur during key exchange when the other party is slow to respond during key exchange.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "While this flaw affects both SSH clients and servers implemented with golang.org/x/crypto/ssh, realistically the flaw will only lead to a DoS when transferring large files, greatly reducing the likelihood of exploitation.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHACM-2.12:rhacm2/volsync-operator-bundle@sha256:f7e36802f5857a4e5300a140f58195a1472b67d69bee85333db63a4229604fee_amd64",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:4f4d48d1aec8bca6a2bb1d913c444d8e3aed17fb84c892dc07644baf2b0aa97d_arm64",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:81a293e795d4ded647062667465916cafa23605aa139f4ed56da2fae38dcd3a8_s390x",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:dc85bc3665640b14ba36e221020da1f6681c681005be89923302bc294fd5dfe2_ppc64le",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:fa18cbf3efd16da8e961ab1077fe5af57aa041f09a38220ae733a2bb5c1ad6d0_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-22869"
},
{
"category": "external",
"summary": "RHBZ#2348367",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348367"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-22869",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22869"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-22869",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22869"
},
{
"category": "external",
"summary": "https://go.dev/cl/652135",
"url": "https://go.dev/cl/652135"
},
{
"category": "external",
"summary": "https://go.dev/issue/71931",
"url": "https://go.dev/issue/71931"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-3487",
"url": "https://pkg.go.dev/vuln/GO-2025-3487"
}
],
"release_date": "2025-02-26T03:07:48.855000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-04-16T21:10:52+00:00",
"details": "For more details, see the Red Hat Advanced Cluster Management for Kubernetes\ndocumentation:\n\nhttps://docs.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.12/html/business_continuity/business-cont-overview#volsync",
"product_ids": [
"9Base-RHACM-2.12:rhacm2/volsync-operator-bundle@sha256:f7e36802f5857a4e5300a140f58195a1472b67d69bee85333db63a4229604fee_amd64",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:4f4d48d1aec8bca6a2bb1d913c444d8e3aed17fb84c892dc07644baf2b0aa97d_arm64",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:81a293e795d4ded647062667465916cafa23605aa139f4ed56da2fae38dcd3a8_s390x",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:dc85bc3665640b14ba36e221020da1f6681c681005be89923302bc294fd5dfe2_ppc64le",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:fa18cbf3efd16da8e961ab1077fe5af57aa041f09a38220ae733a2bb5c1ad6d0_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:3959"
},
{
"category": "workaround",
"details": "This flaw can be mitigated when using the client only connecting to trusted servers.",
"product_ids": [
"9Base-RHACM-2.12:rhacm2/volsync-operator-bundle@sha256:f7e36802f5857a4e5300a140f58195a1472b67d69bee85333db63a4229604fee_amd64",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:4f4d48d1aec8bca6a2bb1d913c444d8e3aed17fb84c892dc07644baf2b0aa97d_arm64",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:81a293e795d4ded647062667465916cafa23605aa139f4ed56da2fae38dcd3a8_s390x",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:dc85bc3665640b14ba36e221020da1f6681c681005be89923302bc294fd5dfe2_ppc64le",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:fa18cbf3efd16da8e961ab1077fe5af57aa041f09a38220ae733a2bb5c1ad6d0_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHACM-2.12:rhacm2/volsync-operator-bundle@sha256:f7e36802f5857a4e5300a140f58195a1472b67d69bee85333db63a4229604fee_amd64",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:4f4d48d1aec8bca6a2bb1d913c444d8e3aed17fb84c892dc07644baf2b0aa97d_arm64",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:81a293e795d4ded647062667465916cafa23605aa139f4ed56da2fae38dcd3a8_s390x",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:dc85bc3665640b14ba36e221020da1f6681c681005be89923302bc294fd5dfe2_ppc64le",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:fa18cbf3efd16da8e961ab1077fe5af57aa041f09a38220ae733a2bb5c1ad6d0_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh"
}
]
}