Red Hat 5.5: RHSA-2022:6051-01 Critical: Logging Subsystem Security Issues
red hat
August 18, 2022
An update is now available for RHOL-5.5-RHEL-8
Solution
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
Summary
Logging Subsystem 5.5.0 - Red Hat OpenShift
Security Fix(es):
* kubeclient: kubeconfig parsing error can lead to MITM attacks
(CVE-2022-0759)
* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)
* golang: out-of-bounds read in golang.org/x/text/language leads to DoS
(CVE-2021-38561)
* prometheus/client_golang: Denial of service using
InstrumentHandlerCounter (CVE-2022-21698)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
References
https://access.redhat.com/security/cve/CVE-2021-38561 https://access.redhat.com/security/cve/CVE-2022-0759 https://access.redhat.com/security/cve/CVE-2022-1012 https://access.redhat.com/security/cve/CVE-2022-1292 https://access.redhat.com/security/cve/CVE-2022-1586 https://access.redhat.com/security/cve/CVE-2022-1785 https://access.redhat.com/security/cve/CVE-2022-1897 https://access.redhat.com/security/cve/CVE-2022-1927 https://access.redhat.com/security/cve/CVE-2022-2068 https://access.redhat.com/security/cve/CVE-2022-2097 https://access.redhat.com/security/cve/CVE-2022-21698 https://access.redhat.com/security/cve/CVE-2022-30631 https://access.redhat.com/security/cve/CVE-2022-32250 https://access.redhat.com/security/updates/classification#important
Package List
PREVIOUS 
NEXT Severity
important
Lowest
Low
Medium
High
Critical
Advisory ID: RHSA-2022:6051-01
Product: RHOL
Advisory URL: https://access.redhat.com/errata/RHSA-2022:6051
Issue date: 2022-08-18
Topic
An update is now available for RHOL-5.5-RHEL-8.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.
Relevant Releases Architectures
Bugs Fixed
2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter
2058404 - CVE-2022-0759 kubeclient: kubeconfig parsing error can lead to MITM attacks
2100495 - CVE-2021-38561 golang: out-of-bounds read in golang.org/x/text/language leads to DoS
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read
5. JIRA issues fixed (https://redhat.atlassian.net/jira/projects):
LOG-1415 - Allow users to tune fluentd
LOG-1539 - Events and CLO csv are not collected after running `oc adm must-gather --image=$downstream-clo-image `
LOG-1713 - Reduce Permissions granted for prometheus-k8s service account
LOG-2063 - Collector pods fail to start when a Vector only Cluster Logging instance is created.
LOG-2134 - The infra logs are sent to app-xx indices
LOG-2159 - Cluster Logging Pods in CrashLoopBackOff
LOG-2165 - [Vector] Default log level debug makes it hard to find useful error/failure messages.
LOG-2167 - [Vector] Collector pods fails to start with configuration error when using Kafka SASL over SSL
LOG-2169 - [Vector] Logs not being sent to Kafka with SASL plaintext.
LOG-2172 - [vector]The openshift-apiserver and ovn audit logs can not be collected.
LOG-2242 - Log file metric exporter is still following /var/log/containers files.
LOG-2243 - grafana-dashboard-cluster-logging should be deleted once clusterlogging/instance was removed
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!