Alerts This Week
Warning Icon 1 764
Alerts This Week
Warning Icon 1 764

RedHat OpenShift 5.3: RHSA-2021-5129 Moderate Logging Security Update

red hat
Calendar Grey December 14, 2021
Dist Redhat Esm H88
Revision for OpenShift Logging classified as Moderate. Security enhancements and bug resolutions boost system reliability and performance.
An update is now available for OpenShift Logging 5.3

Solution

For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:

https://docs.redhat.com/en/documentation/openshift_container_platform/4.9/html/release_notes/ocp-4-9-release-notes

For Red Hat OpenShift Logging 5.3, see the following instructions to apply this update:

https://docs.redhat.com/en/documentation/openshift_container_platform/4.9/html/logging/cluster-logging-upgrading

Summary

Openshift Logging Security and Bug Fix Release (5.3.1)
Security Fix(es):
* log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value (CVE-2021-44228)
* netty: Request smuggling via content-length header (CVE-2021-21409)
* netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data (CVE-2021-37136)
* netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way (CVE-2021-37137)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Topics%20covered

Topics Covered

security advisory moderate security update logging Red Hat OpenShift

References

https://access.redhat.com/security/cve/CVE-2018-25009 https://access.redhat.com/security/cve/CVE-2018-25010 https://access.redhat.com/security/cve/CVE-2018-25012 https://access.redhat.com/security/cve/CVE-2018-25013 https://access.redhat.com/security/cve/CVE-2018-25014 https://access.redhat.com/security/cve/CVE-2019-5827 https://access.redhat.com/security/cve/CVE-2019-13750 https://access.redhat.com/security/cve/CVE-2019-13751 https://access.redhat.com/security/cve/CVE-2019-17594 https://access.redhat.com/security/cve/CVE-2019-17595 https://access.redhat.com/security/cve/CVE-2019-18218 https://access.redhat.com/security/cve/CVE-2019-19603 https://access.redhat.com/security/cve/CVE-2019-20838 https://access.redhat.com/security/cve/CVE-2020-12762 https://access.redhat.com/security/cve/CVE-2020-13435 https://access.redhat.com/security/cve/CVE-2020-14145 https://access.redhat.com/security/cve/CVE-2020-14155 https://access.redhat.com/security/cve/CVE-2020-16135 https://access.redhat.com/security/cve/CVE-2020-17541 https://access.redhat.com/security/cve/CVE-2020-24370 https://access.redhat.com/security/cve/CVE-2020-35521 https://access.redhat.com/security/cve/CVE-2020-35522 https://access.redhat.com/security/cve/CVE-2020-35523 Read the Full Advisory

Package List


Advisory ID: RHSA-2021:5129-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2021:5129
Issue date: 2021-12-14

Topic

An update is now available for OpenShift Logging 5.3.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.

Topics%20covered

Topics Covered

security advisory moderate security update logging Red Hat OpenShift

Relevant Releases Architectures

Bugs Fixed

1944888 - CVE-2021-21409 netty: Request smuggling via content-length header

2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data

2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way

2030932 - CVE-2021-44228 log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value

5. JIRA issues fixed (https://issues.redhat.com/):

LOG-1897 - Applying cluster state is causing elasticsearch to hit an issue and become unusable

LOG-1925 - [release-5.3] No datapoint for CPU on openshift-logging dashboard

LOG-1962 - [release-5.3] CLO panic: runtime error: slice bounds out of range [:-1]

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here