RedHat: RHSA-2022-8889:01 Moderate: Openshift Logging 5.3.14 bug fi...
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Openshift Logging 5.3.14 bug fix release and security update
Advisory ID:       RHSA-2022:8889-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8889
Issue date:        2022-12-08
CVE Names:         CVE-2016-3709 CVE-2020-35525 CVE-2020-35527 
                   CVE-2020-36516 CVE-2020-36518 CVE-2020-36558 
                   CVE-2021-3640 CVE-2021-30002 CVE-2022-0168 
                   CVE-2022-0561 CVE-2022-0562 CVE-2022-0617 
                   CVE-2022-0854 CVE-2022-0865 CVE-2022-0891 
                   CVE-2022-0908 CVE-2022-0909 CVE-2022-0924 
                   CVE-2022-1016 CVE-2022-1048 CVE-2022-1055 
                   CVE-2022-1184 CVE-2022-1292 CVE-2022-1304 
                   CVE-2022-1355 CVE-2022-1586 CVE-2022-1785 
                   CVE-2022-1852 CVE-2022-1897 CVE-2022-1927 
                   CVE-2022-2068 CVE-2022-2078 CVE-2022-2097 
                   CVE-2022-2509 CVE-2022-2586 CVE-2022-2639 
                   CVE-2022-2938 CVE-2022-3515 CVE-2022-20368 
                   CVE-2022-21499 CVE-2022-21618 CVE-2022-21619 
                   CVE-2022-21624 CVE-2022-21626 CVE-2022-21628 
                   CVE-2022-22624 CVE-2022-22628 CVE-2022-22629 
                   CVE-2022-22662 CVE-2022-22844 CVE-2022-23960 
                   CVE-2022-24448 CVE-2022-25255 CVE-2022-26373 
                   CVE-2022-26700 CVE-2022-26709 CVE-2022-26710 
                   CVE-2022-26716 CVE-2022-26717 CVE-2022-26719 
                   CVE-2022-27404 CVE-2022-27405 CVE-2022-27406 
                   CVE-2022-27950 CVE-2022-28390 CVE-2022-28893 
                   CVE-2022-29581 CVE-2022-30293 CVE-2022-34903 
                   CVE-2022-36946 CVE-2022-37434 CVE-2022-39399 
                   CVE-2022-42003 CVE-2022-42004 CVE-2022-42898 
=====================================================================

1. Summary:

Openshift Logging Bug Fix Release (5.3.14)

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Openshift Logging Bug Fix Release (5.3.14)

Security Fixe(s):

* jackson-databind: denial of service via a large depth of nested
objects (CVE-2020-36518)

* jackson-databind: deep wrapper array nesting wrt
UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)

* jackson-databind: use of deeply nested arrays (CVE-2022-42004)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For OpenShift Container Platform 4.9 see the following documentation, which
will be updated shortly, for detailed release notes:

https://docs.openshift.com/container-platform/4.9/logging/cluster-logging-release-notes.html

For Red Hat OpenShift Logging 5.3, see the following instructions to apply
this update:

https://docs.openshift.com/container-platform/4.9/logging/cluster-logging-upgrading.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects
2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays

5. JIRA issues fixed (https://issues.jboss.org/):

LOG-3293 - log-file-metric-exporter container has not limits exhausting the resources of the node

6. References:

https://access.redhat.com/security/cve/CVE-2016-3709
https://access.redhat.com/security/cve/CVE-2020-35525
https://access.redhat.com/security/cve/CVE-2020-35527
https://access.redhat.com/security/cve/CVE-2020-36516
https://access.redhat.com/security/cve/CVE-2020-36518
https://access.redhat.com/security/cve/CVE-2020-36558
https://access.redhat.com/security/cve/CVE-2021-3640
https://access.redhat.com/security/cve/CVE-2021-30002
https://access.redhat.com/security/cve/CVE-2022-0168
https://access.redhat.com/security/cve/CVE-2022-0561
https://access.redhat.com/security/cve/CVE-2022-0562
https://access.redhat.com/security/cve/CVE-2022-0617
https://access.redhat.com/security/cve/CVE-2022-0854
https://access.redhat.com/security/cve/CVE-2022-0865
https://access.redhat.com/security/cve/CVE-2022-0891
https://access.redhat.com/security/cve/CVE-2022-0908
https://access.redhat.com/security/cve/CVE-2022-0909
https://access.redhat.com/security/cve/CVE-2022-0924
https://access.redhat.com/security/cve/CVE-2022-1016
https://access.redhat.com/security/cve/CVE-2022-1048
https://access.redhat.com/security/cve/CVE-2022-1055
https://access.redhat.com/security/cve/CVE-2022-1184
https://access.redhat.com/security/cve/CVE-2022-1292
https://access.redhat.com/security/cve/CVE-2022-1304
https://access.redhat.com/security/cve/CVE-2022-1355
https://access.redhat.com/security/cve/CVE-2022-1586
https://access.redhat.com/security/cve/CVE-2022-1785
https://access.redhat.com/security/cve/CVE-2022-1852
https://access.redhat.com/security/cve/CVE-2022-1897
https://access.redhat.com/security/cve/CVE-2022-1927
https://access.redhat.com/security/cve/CVE-2022-2068
https://access.redhat.com/security/cve/CVE-2022-2078
https://access.redhat.com/security/cve/CVE-2022-2097
https://access.redhat.com/security/cve/CVE-2022-2509
https://access.redhat.com/security/cve/CVE-2022-2586
https://access.redhat.com/security/cve/CVE-2022-2639
https://access.redhat.com/security/cve/CVE-2022-2938
https://access.redhat.com/security/cve/CVE-2022-3515
https://access.redhat.com/security/cve/CVE-2022-20368
https://access.redhat.com/security/cve/CVE-2022-21499
https://access.redhat.com/security/cve/CVE-2022-21618
https://access.redhat.com/security/cve/CVE-2022-21619
https://access.redhat.com/security/cve/CVE-2022-21624
https://access.redhat.com/security/cve/CVE-2022-21626
https://access.redhat.com/security/cve/CVE-2022-21628
https://access.redhat.com/security/cve/CVE-2022-22624
https://access.redhat.com/security/cve/CVE-2022-22628
https://access.redhat.com/security/cve/CVE-2022-22629
https://access.redhat.com/security/cve/CVE-2022-22662
https://access.redhat.com/security/cve/CVE-2022-22844
https://access.redhat.com/security/cve/CVE-2022-23960
https://access.redhat.com/security/cve/CVE-2022-24448
https://access.redhat.com/security/cve/CVE-2022-25255
https://access.redhat.com/security/cve/CVE-2022-26373
https://access.redhat.com/security/cve/CVE-2022-26700
https://access.redhat.com/security/cve/CVE-2022-26709
https://access.redhat.com/security/cve/CVE-2022-26710
https://access.redhat.com/security/cve/CVE-2022-26716
https://access.redhat.com/security/cve/CVE-2022-26717
https://access.redhat.com/security/cve/CVE-2022-26719
https://access.redhat.com/security/cve/CVE-2022-27404
https://access.redhat.com/security/cve/CVE-2022-27405
https://access.redhat.com/security/cve/CVE-2022-27406
https://access.redhat.com/security/cve/CVE-2022-27950
https://access.redhat.com/security/cve/CVE-2022-28390
https://access.redhat.com/security/cve/CVE-2022-28893
https://access.redhat.com/security/cve/CVE-2022-29581
https://access.redhat.com/security/cve/CVE-2022-30293
https://access.redhat.com/security/cve/CVE-2022-34903
https://access.redhat.com/security/cve/CVE-2022-36946
https://access.redhat.com/security/cve/CVE-2022-37434
https://access.redhat.com/security/cve/CVE-2022-39399
https://access.redhat.com/security/cve/CVE-2022-42003
https://access.redhat.com/security/cve/CVE-2022-42004
https://access.redhat.com/security/cve/CVE-2022-42898
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY5Jma9zjgjWX9erEAQh83xAAj1mTs7t69xXYjstib3b10ZSQFlaK8ZHu
U1CEqRryyTwdLZJUBNnXcFV7S+tGPIthAzg3RCn0Tun45Kj/v296A2AF8DoKPRmu
LZUUi6c5K0vFLTG2zbO0Gxy0rOcxwHmq9QLsQii3AylhXH9BOlJC+VeeaLdJXmd3
7Zwg2Y2opzSYPph1yc/9yf24ln6thgSmFU7lsY60EiPN9GGPXTFKnTbWDNrfRCvy
LJTOYISYm8miRC3TsQ/Nt31an3uSE5e6x4aVEXM12TvZTRL4GCcxbBWK3VSScbg8
T7C98yEWNEwouXMNoQr9MGxPwgmUZ8WsgmzYMWOdKABPk5wcQPqC9pfLtamI+AOM
TZQUy3TfdTxo79Tkhd5QVOnM0WD/3VWtv/OXTcObhacyifzk3kdr5W8D9PqwMp67
4OiyX+bZlZAXKkLuD2IAeNsqP6wafFGPw79IGRSd5ggNRFIj9gJECxxHc+tvQR7F
m6zIWSkjacYUfI8KEI8729qGxwGhqPHHcBS2nAm5pnxXt/3/07BkagQl+5cYW8rS
3rTwx93v6U6F1e7H3FzpucrVDNHK406j3qhKBKHHDr12IPL8Q47dJuTFK9LxhKD8
dGEbNbW23wEkGFjh9BKnac10mPx7uBhQBVmfIrpkgBQhUA6lY7+elso2pVt/FLYw
ouxkTmp3LIQ=
=PYNA
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2022-8889:01 Moderate: Openshift Logging 5.3.14 bug fix

Openshift Logging Bug Fix Release (5.3.14) Red Hat Product Security has rated this update as having a security impact of Moderate

Summary

Openshift Logging Bug Fix Release (5.3.14)
Security Fixe(s):
* jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For OpenShift Container Platform 4.9 see the following documentation, whichwill be updated shortly, for detailed release notes:https://docs.openshift.com/container-platform/4.9/logging/cluster-logging-release-notes.htmlFor Red Hat OpenShift Logging 5.3, see the following instructions to applythis update:https://docs.openshift.com/container-platform/4.9/logging/cluster-logging-upgrading.html

References

https://access.redhat.com/security/cve/CVE-2016-3709 https://access.redhat.com/security/cve/CVE-2020-35525 https://access.redhat.com/security/cve/CVE-2020-35527 https://access.redhat.com/security/cve/CVE-2020-36516 https://access.redhat.com/security/cve/CVE-2020-36518 https://access.redhat.com/security/cve/CVE-2020-36558 https://access.redhat.com/security/cve/CVE-2021-3640 https://access.redhat.com/security/cve/CVE-2021-30002 https://access.redhat.com/security/cve/CVE-2022-0168 https://access.redhat.com/security/cve/CVE-2022-0561 https://access.redhat.com/security/cve/CVE-2022-0562 https://access.redhat.com/security/cve/CVE-2022-0617 https://access.redhat.com/security/cve/CVE-2022-0854 https://access.redhat.com/security/cve/CVE-2022-0865 https://access.redhat.com/security/cve/CVE-2022-0891 https://access.redhat.com/security/cve/CVE-2022-0908 https://access.redhat.com/security/cve/CVE-2022-0909 https://access.redhat.com/security/cve/CVE-2022-0924 https://access.redhat.com/security/cve/CVE-2022-1016 https://access.redhat.com/security/cve/CVE-2022-1048 https://access.redhat.com/security/cve/CVE-2022-1055 https://access.redhat.com/security/cve/CVE-2022-1184 https://access.redhat.com/security/cve/CVE-2022-1292 https://access.redhat.com/security/cve/CVE-2022-1304 https://access.redhat.com/security/cve/CVE-2022-1355 https://access.redhat.com/security/cve/CVE-2022-1586 https://access.redhat.com/security/cve/CVE-2022-1785 https://access.redhat.com/security/cve/CVE-2022-1852 https://access.redhat.com/security/cve/CVE-2022-1897 https://access.redhat.com/security/cve/CVE-2022-1927 https://access.redhat.com/security/cve/CVE-2022-2068 https://access.redhat.com/security/cve/CVE-2022-2078 https://access.redhat.com/security/cve/CVE-2022-2097 https://access.redhat.com/security/cve/CVE-2022-2509 https://access.redhat.com/security/cve/CVE-2022-2586 https://access.redhat.com/security/cve/CVE-2022-2639 https://access.redhat.com/security/cve/CVE-2022-2938 https://access.redhat.com/security/cve/CVE-2022-3515 https://access.redhat.com/security/cve/CVE-2022-20368 https://access.redhat.com/security/cve/CVE-2022-21499 https://access.redhat.com/security/cve/CVE-2022-21618 https://access.redhat.com/security/cve/CVE-2022-21619 https://access.redhat.com/security/cve/CVE-2022-21624 https://access.redhat.com/security/cve/CVE-2022-21626 https://access.redhat.com/security/cve/CVE-2022-21628 https://access.redhat.com/security/cve/CVE-2022-22624 https://access.redhat.com/security/cve/CVE-2022-22628 https://access.redhat.com/security/cve/CVE-2022-22629 https://access.redhat.com/security/cve/CVE-2022-22662 https://access.redhat.com/security/cve/CVE-2022-22844 https://access.redhat.com/security/cve/CVE-2022-23960 https://access.redhat.com/security/cve/CVE-2022-24448 https://access.redhat.com/security/cve/CVE-2022-25255 https://access.redhat.com/security/cve/CVE-2022-26373 https://access.redhat.com/security/cve/CVE-2022-26700 https://access.redhat.com/security/cve/CVE-2022-26709 https://access.redhat.com/security/cve/CVE-2022-26710 https://access.redhat.com/security/cve/CVE-2022-26716 https://access.redhat.com/security/cve/CVE-2022-26717 https://access.redhat.com/security/cve/CVE-2022-26719 https://access.redhat.com/security/cve/CVE-2022-27404 https://access.redhat.com/security/cve/CVE-2022-27405 https://access.redhat.com/security/cve/CVE-2022-27406 https://access.redhat.com/security/cve/CVE-2022-27950 https://access.redhat.com/security/cve/CVE-2022-28390 https://access.redhat.com/security/cve/CVE-2022-28893 https://access.redhat.com/security/cve/CVE-2022-29581 https://access.redhat.com/security/cve/CVE-2022-30293 https://access.redhat.com/security/cve/CVE-2022-34903 https://access.redhat.com/security/cve/CVE-2022-36946 https://access.redhat.com/security/cve/CVE-2022-37434 https://access.redhat.com/security/cve/CVE-2022-39399 https://access.redhat.com/security/cve/CVE-2022-42003 https://access.redhat.com/security/cve/CVE-2022-42004 https://access.redhat.com/security/cve/CVE-2022-42898 https://access.redhat.com/security/updates/classification/#moderate

Package List

Severity
Advisory ID: RHSA-2022:8889-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8889
Issued Date: : 2022-12-08
CVE Names: CVE-2016-3709 CVE-2020-35525 CVE-2020-35527 CVE-2020-36516 CVE-2020-36518 CVE-2020-36558 CVE-2021-3640 CVE-2021-30002 CVE-2022-0168 CVE-2022-0561 CVE-2022-0562 CVE-2022-0617 CVE-2022-0854 CVE-2022-0865 CVE-2022-0891 CVE-2022-0908 CVE-2022-0909 CVE-2022-0924 CVE-2022-1016 CVE-2022-1048 CVE-2022-1055 CVE-2022-1184 CVE-2022-1292 CVE-2022-1304 CVE-2022-1355 CVE-2022-1586 CVE-2022-1785 CVE-2022-1852 CVE-2022-1897 CVE-2022-1927 CVE-2022-2068 CVE-2022-2078 CVE-2022-2097 CVE-2022-2509 CVE-2022-2586 CVE-2022-2639 CVE-2022-2938 CVE-2022-3515 CVE-2022-20368 CVE-2022-21499 CVE-2022-21618 CVE-2022-21619 CVE-2022-21624 CVE-2022-21626 CVE-2022-21628 CVE-2022-22624 CVE-2022-22628 CVE-2022-22629 CVE-2022-22662 CVE-2022-22844 CVE-2022-23960 CVE-2022-24448 CVE-2022-25255 CVE-2022-26373 CVE-2022-26700 CVE-2022-26709 CVE-2022-26710 CVE-2022-26716 CVE-2022-26717 CVE-2022-26719 CVE-2022-27404 CVE-2022-27405 CVE-2022-27406 CVE-2022-27950 CVE-2022-28390 CVE-2022-28893 CVE-2022-29581 CVE-2022-30293 CVE-2022-34903 CVE-2022-36946 CVE-2022-37434 CVE-2022-39399 CVE-2022-42003 CVE-2022-42004 CVE-2022-42898

Topic

Openshift Logging Bug Fix Release (5.3.14)Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.

Relevant Releases Architectures

Bugs Fixed

2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects

2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS

2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays

5. JIRA issues fixed (https://issues.jboss.org/):

LOG-3293 - log-file-metric-exporter container has not limits exhausting the resources of the node

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.