RedHat: RHSA-2023-0264:01 Moderate: Red Hat OpenShift (Logging Subs...
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenShift (Logging Subsystem) security update
Advisory ID:       RHSA-2023:0264-01
Product:           Logging Subsystem for Red Hat OpenShift
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0264
Issue date:        2023-01-19
CVE Names:         CVE-2020-36518 CVE-2022-2879 CVE-2022-2880 
                   CVE-2022-27664 CVE-2022-32190 CVE-2022-37601 
                   CVE-2022-41715 CVE-2022-42003 CVE-2022-42004 
=====================================================================

1. Summary:

An update for Logging Subsystem (5.6.0) is now available for Red Hat
OpenShift Container Platform.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Logging Subsystem 5.6.0 - Red Hat OpenShift

* logging-view-plugin-container: loader-utils: prototype pollution in
function parseQuery in parseQuery.js (CVE-2022-37601)
* logging-elasticsearch6-container: jackson-databind: denial of service via
a large depth of nested objects (CVE-2020-36518)
* logging-loki-container: various flaws (CVE-2022-2879 CVE-2022-2880
CVE-2022-41715)
* logging-loki-container: golang: net/https: handle server errors after
sending GOAWAY (CVE-2022-27664)
* golang: net/url: JoinPath does not strip relative path components in all
circumstances (CVE-2022-32190)
* org.elasticsearch-elasticsearch: jackson-databind: deep wrapper array
nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* org.elasticsearch-elasticsearch: jackson-databind: use of deeply nested
arrays (CVE-2022-42004)

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects
2124668 - CVE-2022-32190 golang: net/url: JoinPath does not strip relative path components in all circumstances
2124669 - CVE-2022-27664 golang: net/https: handle server errors after sending GOAWAY
2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers
2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps
2134876 - CVE-2022-37601 loader-utils: prototype pollution in function parseQuery in parseQuery.js
2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays

5. JIRA issues fixed (https://issues.jboss.org/):

LOG-2217 - [Vector] Loss of logs when using Vector as collector. 
LOG-2620 - containers violate PodSecurity -- Core
LOG-2819 - the `.level` field they are getting the "ERROR" but in `.structure.level` field they are getting "INFO"
LOG-2822 - Evaluating rule failure in LokiRuler pods for Alerting and recording rules
LOG-2843 - tls.key and tls.cert not in fluentd real configuration when forwarding logs using syslog tls
LOG-2919 - CLO is constantly failing to create already existing logging objects (HTTP 409)
LOG-2962 - Add the `version` file to Must-Gather archive
LOG-2993 - consoleexternalloglinks.console.openshift.io/kibana should be removed once Kibana is deleted
LOG-3072 - Non-admin user with 'view' role can't see any logs in 'Logs' view
LOG-3090 - Custom outputs defined in ClusterLogForwarder overwritten when using LokiStack as default log storage
LOG-3129 - Kibana Authentication Exception cookie issue
LOG-3157 - Resources associated with collector / fluentd keep on getting recreated
LOG-3161 - the content of secret elasticsearch-metrics-token is recreated continually
LOG-3168 - Ruler pod throwing 'failed loading deletes for user' error after alerting/recording rules are created
LOG-3169 - Unable to install Loki operator from upstream repo on OCP 4.12
LOG-3180 - fluentd plugin for kafka ca-bundle secret doesn't support multiple CAs
LOG-3186 - [Loki] unable to determine tls profile settings when creating a LokiStack instance with custom global tlsSecurityProfile config
LOG-3194 - Collector pod violates PodSecurity "restricted:v1.24" when using lokistack as the default log store in OCP 4.12.
LOG-3195 - [Vector] logs parsed into structured when json is set without structured types.
LOG-3208 - must-gather is empty for logging with CLO image
LOG-3224 - Can't forward logs to non-clusterlogging managed ES using vector.
LOG-3235 - cluster-logging.5.5.3 failing to deploy on ROSA
LOG-3286 - LokiStack doesn't reconcile to use the changed tlsSecurityProfile set in the global config.
LOG-3292 - Loki Controller manager in CrashLoop due to failure to list *v1.Proxy
LOG-3296 - Cannot use default Replication Factor for shirt size
LOG-3309 - Can't choose correct CA ConfigMap Key when creating lokistack in Console
LOG-3324 - [vector] the key_pass should be text in vector.toml when forward log to splunk
LOG-3331 - [release-5.6] Reconcile error on controller when creating LokiStack with tls config
LOG-3446 - [must-gather] oc adm must-gather execution hangs indefinitely when collecting information for Cluster Logging.

6. References:

https://access.redhat.com/security/cve/CVE-2020-36518
https://access.redhat.com/security/cve/CVE-2022-2879
https://access.redhat.com/security/cve/CVE-2022-2880
https://access.redhat.com/security/cve/CVE-2022-27664
https://access.redhat.com/security/cve/CVE-2022-32190
https://access.redhat.com/security/cve/CVE-2022-37601
https://access.redhat.com/security/cve/CVE-2022-41715
https://access.redhat.com/security/cve/CVE-2022-42003
https://access.redhat.com/security/cve/CVE-2022-42004
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY8lxEdzjgjWX9erEAQhoGg/+OiJ2IFsII+q6Wfgq/ydTYUEsXtJ/Nn8V
GZrM9nVfOSa4HIwWytNHtPyuKqEUy2sZ8WIlXXZNfB/0Nxavpj/F0Dv0TESn4DT9
Og+Dhb/ix4vFsWWy15E8yUNJQREpJb55Ita1tqTfVMZryZ8jbp2FPuUSzt3RSmnM
ymNnacKEsDUBrEP3PPRCoXmRSZf8XgLAD4NyJCXmebdEjhT21C/m0jpnElHoCs2i
jlzzW7UhWc7ENVly5RoEKPP4rvSOX+0Hay4mQNYOLaNkBkaBz4bod+feI8ros2iy
UZ5ln4kBhNJ6XSqOValOU9+OkTGbEmRqymUW/x2GLucwD6ATsRjoM6YdE8aZuavW
h3fMIREQ+VM693fKahVwQjc3dnK5dtICi0kaPKTaSbhnwa2iXQTu/6JXssSwZWEj
hBpmQpda58v6nBb3ykaEd1JshXIzueuNUG1gH1xsAhoKb/KAPZpl9rMQrJejHBKl
wYS8MlO2aDIJ8zjLKqrVXndgJJEy6KHJLCeGhaWV6W8YAvcYv3zQbjSTwTMeftbu
eIMMqnhhfxj56qgaYqmVU4sL3pnApS8ZfBRuz6tYh02w5/1OE7ad47mSSrsl36cH
45oRaogk2F0sbbr/u3f74ffKXPUfdtTQGrrisodOxxnJQPKTThB8/y9Zr2UF2LPR
UWAAu0JN5A0=
=O7hQ
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2023-0264:01 Moderate: Red Hat OpenShift (Logging Subsystem)

An update for Logging Subsystem (5.6.0) is now available for Red Hat OpenShift Container Platform

Summary

Logging Subsystem 5.6.0 - Red Hat OpenShift
* logging-view-plugin-container: loader-utils: prototype pollution in function parseQuery in parseQuery.js (CVE-2022-37601) * logging-elasticsearch6-container: jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518) * logging-loki-container: various flaws (CVE-2022-2879 CVE-2022-2880 CVE-2022-41715) * logging-loki-container: golang: net/https: handle server errors after sending GOAWAY (CVE-2022-27664) * golang: net/url: JoinPath does not strip relative path components in all circumstances (CVE-2022-32190) * org.elasticsearch-elasticsearch: jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003) * org.elasticsearch-elasticsearch: jackson-databind: use of deeply nested arrays (CVE-2022-42004)

Solution

Before applying this update, make sure all previously released erratarelevant to your system have been applied.For details on how to apply this update, refer to:https://access.redhat.com/articles/11258

References

https://access.redhat.com/security/cve/CVE-2020-36518 https://access.redhat.com/security/cve/CVE-2022-2879 https://access.redhat.com/security/cve/CVE-2022-2880 https://access.redhat.com/security/cve/CVE-2022-27664 https://access.redhat.com/security/cve/CVE-2022-32190 https://access.redhat.com/security/cve/CVE-2022-37601 https://access.redhat.com/security/cve/CVE-2022-41715 https://access.redhat.com/security/cve/CVE-2022-42003 https://access.redhat.com/security/cve/CVE-2022-42004 https://access.redhat.com/security/updates/classification/#moderate

Package List

Severity
Advisory ID: RHSA-2023:0264-01
Product: Logging Subsystem for Red Hat OpenShift
Advisory URL: https://access.redhat.com/errata/RHSA-2023:0264
Issued Date: : 2023-01-19
CVE Names: CVE-2020-36518 CVE-2022-2879 CVE-2022-2880 CVE-2022-27664 CVE-2022-32190 CVE-2022-37601 CVE-2022-41715 CVE-2022-42003 CVE-2022-42004

Topic

An update for Logging Subsystem (5.6.0) is now available for Red HatOpenShift Container Platform.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.

Relevant Releases Architectures

Bugs Fixed

2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects

2124668 - CVE-2022-32190 golang: net/url: JoinPath does not strip relative path components in all circumstances

2124669 - CVE-2022-27664 golang: net/https: handle server errors after sending GOAWAY

2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers

2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters

2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps

2134876 - CVE-2022-37601 loader-utils: prototype pollution in function parseQuery in parseQuery.js

2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS

2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays

5. JIRA issues fixed (https://issues.jboss.org/):

LOG-2217 - [Vector] Loss of logs when using Vector as collector.

LOG-2620 - containers violate PodSecurity -- Core

LOG-2819 - the `.level` field they are getting the "ERROR" but in `.structure.level` field they are getting "INFO"

LOG-2822 - Evaluating rule failure in LokiRuler pods for Alerting and recording rules

LOG-2843 - tls.key and tls.cert not in fluentd real configuration when forwarding logs using syslog tls

LOG-2919 - CLO is constantly failing to create already existing logging objects (HTTP 409)

LOG-2962 - Add the `version` file to Must-Gather archive

LOG-2993 - consoleexternalloglinks.console.openshift.io/kibana should be removed once Kibana is deleted

LOG-3072 - Non-admin user with 'view' role can't see any logs in 'Logs' view

LOG-3090 - Custom outputs defined in ClusterLogForwarder overwritten when using LokiStack as default log storage

LOG-3129 - Kibana Authentication Exception cookie issue

LOG-3157 - Resources associated with collector / fluentd keep on getting recreated

LOG-3161 - the content of secret elasticsearch-metrics-token is recreated continually

LOG-3168 - Ruler pod throwing 'failed loading deletes for user' error after alerting/recording rules are created

LOG-3169 - Unable to install Loki operator from upstream repo on OCP 4.12

LOG-3180 - fluentd plugin for kafka ca-bundle secret doesn't support multiple CAs

LOG-3186 - [Loki] unable to determine tls profile settings when creating a LokiStack instance with custom global tlsSecurityProfile config

LOG-3194 - Collector pod violates PodSecurity "restricted:v1.24" when using lokistack as the default log store in OCP 4.12.

LOG-3195 - [Vector] logs parsed into structured when json is set without structured types.

LOG-3208 - must-gather is empty for logging with CLO image

LOG-3224 - Can't forward logs to non-clusterlogging managed ES using vector.

LOG-3235 - cluster-logging.5.5.3 failing to deploy on ROSA

LOG-3286 - LokiStack doesn't reconcile to use the changed tlsSecurityProfile set in the global config.

LOG-3292 - Loki Controller manager in CrashLoop due to failure to list *v1.Proxy

LOG-3296 - Cannot use default Replication Factor for shirt size

LOG-3309 - Can't choose correct CA ConfigMap Key when creating lokistack in Console

LOG-3324 - [vector] the key_pass should be text in vector.toml when forward log to splunk

LOG-3331 - [release-5.6] Reconcile error on controller when creating LokiStack with tls config

LOG-3446 - [must-gather] oc adm must-gather execution hangs indefinitely when collecting information for Cluster Logging.

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.