RedHat: RHSA-2022-7435:01 Moderate: Logging Subsystem 5.4.8 - Red H...
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Logging Subsystem 5.4.8 - Red Hat OpenShift security update
Advisory ID:       RHSA-2022:7435-01
Product:           Logging Subsystem for Red Hat OpenShift
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7435
Issue date:        2022-11-16
CVE Names:         CVE-2016-3709 CVE-2020-35525 CVE-2020-35527 
                   CVE-2020-36518 CVE-2022-1304 CVE-2022-2509 
                   CVE-2022-3515 CVE-2022-22624 CVE-2022-22628 
                   CVE-2022-22629 CVE-2022-22662 CVE-2022-26700 
                   CVE-2022-26709 CVE-2022-26710 CVE-2022-26716 
                   CVE-2022-26717 CVE-2022-26719 CVE-2022-30293 
                   CVE-2022-32149 CVE-2022-37434 CVE-2022-40674 
                   CVE-2022-42003 CVE-2022-42004 
=====================================================================

1. Summary:

An update is now available for Logging subsystem for Red Hat OpenShift 5.4.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Logging Subsystem 5.4.8 - Red Hat OpenShift

Security Fix(es):

* jackson-databind: denial of service via a large depth of nested objects
(CVE-2020-36518)

* golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time
to parse complex tags (CVE-2022-32149)

* jackson-databind: deep wrapper array nesting wrt
UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)

* jackson-databind: use of deeply nested arrays (CVE-2022-42004)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For OpenShift Container Platform 4.10 see the following documentation,
which will be updated shortly, for detailed release notes:

https://docs.openshift.com/container-platform/4.10/logging/cluster-logging-release-notes.html

For Red Hat OpenShift Logging 5.4, see the following instructions to apply
this update:

https://docs.openshift.com/container-platform/4.10/logging/cluster-logging-upgrading.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects
2134010 - CVE-2022-32149 golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags
2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays

5. JIRA issues fixed (https://issues.jboss.org/):

LOG-3250 - [release-5.4] FluentdQueueLengthIncreasing rule failing to be evaluated.
LOG-3252 - [release-5.4]Adding Valid Subscription Annotation

6. References:

https://access.redhat.com/security/cve/CVE-2016-3709
https://access.redhat.com/security/cve/CVE-2020-35525
https://access.redhat.com/security/cve/CVE-2020-35527
https://access.redhat.com/security/cve/CVE-2020-36518
https://access.redhat.com/security/cve/CVE-2022-1304
https://access.redhat.com/security/cve/CVE-2022-2509
https://access.redhat.com/security/cve/CVE-2022-3515
https://access.redhat.com/security/cve/CVE-2022-22624
https://access.redhat.com/security/cve/CVE-2022-22628
https://access.redhat.com/security/cve/CVE-2022-22629
https://access.redhat.com/security/cve/CVE-2022-22662
https://access.redhat.com/security/cve/CVE-2022-26700
https://access.redhat.com/security/cve/CVE-2022-26709
https://access.redhat.com/security/cve/CVE-2022-26710
https://access.redhat.com/security/cve/CVE-2022-26716
https://access.redhat.com/security/cve/CVE-2022-26717
https://access.redhat.com/security/cve/CVE-2022-26719
https://access.redhat.com/security/cve/CVE-2022-30293
https://access.redhat.com/security/cve/CVE-2022-32149
https://access.redhat.com/security/cve/CVE-2022-37434
https://access.redhat.com/security/cve/CVE-2022-40674
https://access.redhat.com/security/cve/CVE-2022-42003
https://access.redhat.com/security/cve/CVE-2022-42004
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY3UyMNzjgjWX9erEAQg5+RAAkm8TmJORpWLNz5DFLbUuSBMSqz0mWFW4
X6HT6zV/ot4v2oNB+dtdBSQYTv2ry4nhpHwiV15bkBt3aKgXnM+Sw6cfJFnNHEl4
BUYm8NLanbl8OnaQEZeQQqKmuSVVKDPx0BgfC0twDhMp63fzDYBOSmQSevnm5VzN
98Bb2y0XEIsyqnG66THD3rZDV1KqCkYA+VpYnBflUGmUdEowShiCpFoUTH2RF4gz
9YU5N6rp1FYqQx6Kb5B6Q+kMduf5Q3pFozXpo8Xr7q2zxG7+0Ak6FvQSaKuU8NZZ
nCcE20+2wKQ6Dnp+o73wnRo/7EE+Ea7lP07eInz2dEMAZGs9A0KCDk0onDBIrUfv
twvlhRvVvKBiUILaEslSrNN8jX5dykpYbzMX87nrcti6GhnW/sJL08bJY0+Q7Y3k
7pV6enwUaJUlmkmRSx2LExqtYaI0zEgyoA96SuTTcxgafBKb68buXie2qEeoPEKS
TnkWJtpJqzZ3uQ9rkQGeiW198lkAwPGf+zz9jrTqPMdsPPseUP6hH1bh6nK5em54
4ULJ0J+C3310SHCQtkxwjNvxIaYpWh8GRIqF3ty+5D7j4iC2LRdKCYcJHZ3nsw9t
5ahXG9gIzdUELejnjaxf03OeeZ/+r1G5KWPf+USWfBkisD5eO/z5CDaJJCR38NvO
8qnp7x3na/g=
=k+FZ
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2022-7435:01 Moderate: Logging Subsystem 5.4.8 - Red Hat

An update is now available for Logging subsystem for Red Hat OpenShift 5.4

Summary

Logging Subsystem 5.4.8 - Red Hat OpenShift
Security Fix(es):
* jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518)
* golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags (CVE-2022-32149)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For OpenShift Container Platform 4.10 see the following documentation,which will be updated shortly, for detailed release notes:https://docs.openshift.com/container-platform/4.10/logging/cluster-logging-release-notes.htmlFor Red Hat OpenShift Logging 5.4, see the following instructions to applythis update:https://docs.openshift.com/container-platform/4.10/logging/cluster-logging-upgrading.html

References

https://access.redhat.com/security/cve/CVE-2016-3709 https://access.redhat.com/security/cve/CVE-2020-35525 https://access.redhat.com/security/cve/CVE-2020-35527 https://access.redhat.com/security/cve/CVE-2020-36518 https://access.redhat.com/security/cve/CVE-2022-1304 https://access.redhat.com/security/cve/CVE-2022-2509 https://access.redhat.com/security/cve/CVE-2022-3515 https://access.redhat.com/security/cve/CVE-2022-22624 https://access.redhat.com/security/cve/CVE-2022-22628 https://access.redhat.com/security/cve/CVE-2022-22629 https://access.redhat.com/security/cve/CVE-2022-22662 https://access.redhat.com/security/cve/CVE-2022-26700 https://access.redhat.com/security/cve/CVE-2022-26709 https://access.redhat.com/security/cve/CVE-2022-26710 https://access.redhat.com/security/cve/CVE-2022-26716 https://access.redhat.com/security/cve/CVE-2022-26717 https://access.redhat.com/security/cve/CVE-2022-26719 https://access.redhat.com/security/cve/CVE-2022-30293 https://access.redhat.com/security/cve/CVE-2022-32149 https://access.redhat.com/security/cve/CVE-2022-37434 https://access.redhat.com/security/cve/CVE-2022-40674 https://access.redhat.com/security/cve/CVE-2022-42003 https://access.redhat.com/security/cve/CVE-2022-42004 https://access.redhat.com/security/updates/classification/#moderate

Package List

Severity
Advisory ID: RHSA-2022:7435-01
Product: Logging Subsystem for Red Hat OpenShift
Advisory URL: https://access.redhat.com/errata/RHSA-2022:7435
Issued Date: : 2022-11-16
CVE Names: CVE-2016-3709 CVE-2020-35525 CVE-2020-35527 CVE-2020-36518 CVE-2022-1304 CVE-2022-2509 CVE-2022-3515 CVE-2022-22624 CVE-2022-22628 CVE-2022-22629 CVE-2022-22662 CVE-2022-26700 CVE-2022-26709 CVE-2022-26710 CVE-2022-26716 CVE-2022-26717 CVE-2022-26719 CVE-2022-30293 CVE-2022-32149 CVE-2022-37434 CVE-2022-40674 CVE-2022-42003 CVE-2022-42004

Topic

An update is now available for Logging subsystem for Red Hat OpenShift 5.4.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.

Relevant Releases Architectures

Bugs Fixed

2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects

2134010 - CVE-2022-32149 golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags

2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS

2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays

5. JIRA issues fixed (https://issues.jboss.org/):

LOG-3250 - [release-5.4] FluentdQueueLengthIncreasing rule failing to be evaluated.

LOG-3252 - [release-5.4]Adding Valid Subscription Annotation

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.