Bug 2101669 (CVE-2022-2238)

Summary: CVE-2022-2238 search-api: SQL injection leads to remote denial of service
Product: [Other] Security Response
Reporter: Avinash Hanwate <ahanwate>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: btarraso, gparvin, jramanat, njean, pahickey, stcannon
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A vulnerability was found in the search-api container in the backend code that parses queries submitted through the search filter. An attacker who can submit a query can craft strings containing special characters that crash the pod; the service is unavailable while the pod restarts, so the flaw affects system availability.
Last Closed: 2022-12-03 03:33:19 UTC
Bug Depends On: 2101699, 2131387, 2131388, 2131390
Bug Blocks: 2101670, 2101707, 2127433

Description Avinash Hanwate 2022-06-28 05:41:11 UTC
The flaw was found in search-api. The web interface allows input of malformed queries in the search filter, which then get parsed by the backend, and this results in a prolonged remote denial of service.
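
The summary classifies the flaw as SQL injection through the search filter. The following is an added illustration of that bug class and its usual fix, written for this page; it is not search-api's code, and the page does not say which query builder search-api uses or how the crafted string makes the pod crash, so none of that is reproduced here. It assumes a Go backend that translates "property=value" filter terms into a WHERE clause over a JSON column, with the table name `resources`, the column `data`, the property allow-list and the value pattern all being assumptions. The naive builder concatenates the user-supplied value into the SQL text, so a quote in the value changes the statement; the hardened builder rejects unknown properties and unexpected characters up front and emits positional placeholders with a separate argument slice so the driver binds the values.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Filter is one "property=value" term taken from a search query, e.g. kind:Pod.
// The type and the sample inputs below are constructed for this example.
type Filter struct {
	Property string
	Value    string
}

// naiveWhere is the vulnerable pattern: user input is spliced into SQL text,
// so a single quote in Value terminates the literal and the rest is parsed as SQL.
func naiveWhere(filters []Filter) string {
	parts := make([]string, 0, len(filters))
	for _, f := range filters {
		parts = append(parts, fmt.Sprintf("data->>'%s' = '%s'", f.Property, f.Value))
	}
	return "SELECT uid FROM resources WHERE " + strings.Join(parts, " AND ")
}

// allowedProps is an assumed allow-list of properties a client may filter on.
// The property name becomes part of the SQL text, so it must never be free-form.
var allowedProps = map[string]bool{"kind": true, "namespace": true, "name": true}

// safeValue admits only the characters a Kubernetes name or kind can contain.
var safeValue = regexp.MustCompile(`^[A-Za-z0-9._-]{1,253}$`)

// safeWhere validates every term and returns SQL with positional placeholders
// plus the argument slice to bind; the statement shape no longer depends on input.
func safeWhere(filters []Filter) (string, []interface{}, error) {
	if len(filters) == 0 || len(filters) > 10 {
		return "", nil, errors.New("filter count out of range")
	}
	parts := make([]string, 0, len(filters))
	args := make([]interface{}, 0, len(filters))
	for i, f := range filters {
		if !allowedProps[f.Property] {
			return "", nil, fmt.Errorf("unknown property %q", f.Property)
		}
		if !safeValue.MatchString(f.Value) {
			return "", nil, fmt.Errorf("invalid characters in value for %q", f.Property)
		}
		parts = append(parts, fmt.Sprintf("data->>'%s' = $%d", f.Property, i+1))
		args = append(args, f.Value)
	}
	return "SELECT uid FROM resources WHERE " + strings.Join(parts, " AND "), args, nil
}

func main() {
	// Constructed hostile input: closes the literal and appends its own predicate.
	hostile := []Filter{{Property: "kind", Value: "Pod' OR 1=1 --"}}
	fmt.Println("naive:   ", naiveWhere(hostile))

	_, _, err := safeWhere(hostile)
	fmt.Println("hardened:", err)

	q, args, _ := safeWhere([]Filter{{Property: "kind", Value: "Pod"}, {Property: "namespace", Value: "default"}})
	fmt.Println("hardened:", q, args)
}
```

Rejecting the request at the validation step, rather than letting the database report a syntax error, is also what keeps a malformed filter from turning into the availability problem the advisory describes: the handler returns a 400 and the process keeps serving.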

Comment 2 errata-xmlrpc 2022-10-13 19:16:46 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8

Via RHSA-2022:6954 https://access.redhat.com/errata/RHSA-2022:6954

Comment 3 Borja Tarraso 2022-10-31 13:51:11 UTC
*** Bug 2127870 has been marked as a duplicate of this bug. ***

Comment 4 errata-xmlrpc 2022-11-01 16:53:16 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2022:7276 https://access.redhat.com/errata/RHSA-2022:7276

Comment 5 errata-xmlrpc 2022-11-02 14:07:05 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:7313 https://access.redhat.com/errata/RHSA-2022:7313

Comment 6 Product Security DevOps Team 2022-12-03 03:33:17 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-2238