-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenShift (Logging Subsystem) security update
Advisory ID:       RHSA-2023:0634-01
Product:           Logging Subsystem for Red Hat OpenShift
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0634
Issue date:        2023-02-09
CVE Names:         CVE-2021-35065 CVE-2021-46848 CVE-2022-3821 
                   CVE-2022-4883 CVE-2022-35737 CVE-2022-40303 
                   CVE-2022-40304 CVE-2022-42010 CVE-2022-42011 
                   CVE-2022-42012 CVE-2022-42898 CVE-2022-43680 
                   CVE-2022-44617 CVE-2022-46175 CVE-2022-46285 
====================================================================
1. Summary:

Logging Subsystem 5.6.1 - Red Hat OpenShift

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Logging Subsystem 5.6.1 - Red Hat OpenShift

Security Fix(es):

* glob-parent: Regular Expression Denial of Service (CVE-2021-35065)

* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2156263 - CVE-2022-46175 json5: Prototype Pollution in JSON5 via Parse Method
2156324 - CVE-2021-35065 glob-parent: Regular Expression Denial of Service

5. JIRA issues fixed (https://issues.redhat.com/plugins/servlet/samlsso

LOG-3397 - [Developer Console] "parse error" when testing with normal user
LOG-3441 - [Administrator Console] Seeing "parse error" while using Severity filter for cluster view user
LOG-3463 - [release-5.6] ElasticsearchError error="400 - Rejected by Elasticsearch" when adding some labels in application namespaces 
LOG-3477 - [Logging 5.6.0]CLF raises 'invalid: unrecognized outputs: [default]' after adding `default` to outputRefs.
LOG-3494 - [release-5.6] After querying logs in loki, compactor pod raises many TLS handshake error if retention policy is enabled. 
LOG-3496 - [release-5.6] LokiStack status is still 'Pending' when all loki components are running
LOG-3510 - [release-5.6] TLS errors on Loki controller pod due to bad certificate

6. References:

https://access.redhat.com/security/cve/CVE-2021-35065
https://access.redhat.com/security/cve/CVE-2021-46848
https://access.redhat.com/security/cve/CVE-2022-3821
https://access.redhat.com/security/cve/CVE-2022-4883
https://access.redhat.com/security/cve/CVE-2022-35737
https://access.redhat.com/security/cve/CVE-2022-40303
https://access.redhat.com/security/cve/CVE-2022-40304
https://access.redhat.com/security/cve/CVE-2022-42010
https://access.redhat.com/security/cve/CVE-2022-42011
https://access.redhat.com/security/cve/CVE-2022-42012
https://access.redhat.com/security/cve/CVE-2022-42898
https://access.redhat.com/security/cve/CVE-2022-43680
https://access.redhat.com/security/cve/CVE-2022-44617
https://access.redhat.com/security/cve/CVE-2022-46175
https://access.redhat.com/security/cve/CVE-2022-46285
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY+VrodzjgjWX9erEAQhJHxAAjYeOHe6O2pl6MFdHqTfER/9rMjZqgo6z
u4AkFcT625z+SEyIHz/xqD41KCkWfDCL0i7MabKHhOnXd5jDhIveFy/kTsNu4Jyb
DCstNACisLM2B4ytXCkfR7pOj20BZlO5IY14zK+rOPJeu3uF7kKF332ELhvDJQHZ
9iZa0yLdebgJVjK072WYioQqBHUWus7dkmKTMpbud/TmaMVivVGPhpKo449hJSMI
8c2K3YMG0Cx1IBfZk1yugGHstNkNP/zAVMyx1jYtfBzfap5xX0djfkanDGtwXGdG
Qsqhks+tXj1SJdrQMwOXr2D9hETnLz56lYKTd3GF+3qYJiEJ+niJj47f5IBnJSep
abSduOiaYxzZu8eOwMJ9sD/yrYBPxi2pH8pvDjo5gJ/eRowEFtHeuXbpSPv9+0OP
Ot5TJVYQaJ7sPKwleFPrB0IE42IXYPACMLwLEYLdq+bZhzsMLr3gAuCfK7oqIx/m
7V9gAHD13BDU3aJlgAu/KsFxL8SopABcCfbXlktBgFVQF43s9eoGTlUTGPWQ5Stm
t1SD85kYd5kOQk1qt25X9OLVs6tOeHQeFLOd4UBNf9cmzA2K+jlAEerwayTOHJNW
H3LRkX/8FA4HFYX4aX0sB38pP3DZyPTeVj++QDQLk+k3y53dFRcfexi7tSeul/bw
7CsN2+c4hI0=1so9
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2023-0634:01 Moderate: Red Hat OpenShift (Logging Subsystem)

Logging Subsystem 5.6.1 - Red Hat OpenShift Red Hat Product Security has rated this update as having a security impact of Moderate

Summary

Logging Subsystem 5.6.1 - Red Hat OpenShift
Security Fix(es):
* glob-parent: Regular Expression Denial of Service (CVE-2021-35065)
* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.



Summary


Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258

References

https://access.redhat.com/security/cve/CVE-2021-35065 https://access.redhat.com/security/cve/CVE-2021-46848 https://access.redhat.com/security/cve/CVE-2022-3821 https://access.redhat.com/security/cve/CVE-2022-4883 https://access.redhat.com/security/cve/CVE-2022-35737 https://access.redhat.com/security/cve/CVE-2022-40303 https://access.redhat.com/security/cve/CVE-2022-40304 https://access.redhat.com/security/cve/CVE-2022-42010 https://access.redhat.com/security/cve/CVE-2022-42011 https://access.redhat.com/security/cve/CVE-2022-42012 https://access.redhat.com/security/cve/CVE-2022-42898 https://access.redhat.com/security/cve/CVE-2022-43680 https://access.redhat.com/security/cve/CVE-2022-44617 https://access.redhat.com/security/cve/CVE-2022-46175 https://access.redhat.com/security/cve/CVE-2022-46285 https://access.redhat.com/security/updates/classification/#moderate

Package List


Severity
Advisory ID: RHSA-2023:0634-01
Product: Logging Subsystem for Red Hat OpenShift
Advisory URL: https://access.redhat.com/errata/RHSA-2023:0634
Issued Date: : 2023-02-09
CVE Names: CVE-2021-35065 CVE-2021-46848 CVE-2022-3821 CVE-2022-4883 CVE-2022-35737 CVE-2022-40303 CVE-2022-40304 CVE-2022-42010 CVE-2022-42011 CVE-2022-42012 CVE-2022-42898 CVE-2022-43680 CVE-2022-44617 CVE-2022-46175 CVE-2022-46285

Topic

Logging Subsystem 5.6.1 - Red Hat OpenShiftRed Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures


Bugs Fixed

2156263 - CVE-2022-46175 json5: Prototype Pollution in JSON5 via Parse Method

2156324 - CVE-2021-35065 glob-parent: Regular Expression Denial of Service

5. JIRA issues fixed (https://issues.redhat.com/plugins/servlet/samlsso

LOG-3397 - [Developer Console] "parse error" when testing with normal user

LOG-3441 - [Administrator Console] Seeing "parse error" while using Severity filter for cluster view user

LOG-3463 - [release-5.6] ElasticsearchError error="400 - Rejected by Elasticsearch" when adding some labels in application namespaces

LOG-3477 - [Logging 5.6.0]CLF raises 'invalid: unrecognized outputs: [default]' after adding `default` to outputRefs.

LOG-3494 - [release-5.6] After querying logs in loki, compactor pod raises many TLS handshake error if retention policy is enabled.

LOG-3496 - [release-5.6] LokiStack status is still 'Pending' when all loki components are running

LOG-3510 - [release-5.6] TLS errors on Loki controller pod due to bad certificate


Related News

24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
28.Lock Globe Esm H320
1 - 2 min read
A resurgence of cyberattacks targeting Linux systems in Asian campaigns through the utilization of the Pupy Remote Access Trojan (RAT) has been
27.Tablet Connections Blocks Lock Esm H320
2 - 4 min read
Canonical has recently announced the Beta release of Ubuntu Linux 24.04 LTS , codenamed "Noble Numbat." This release aims to continue Ubuntu's
21.Globe RadiatingCode Esm H320
2 - 3 min read
The open-source movement has come a long way, from its origins in the 1960s and 1970s to becoming an integral part of organizations worldwide.
13.Lock StylizedMotherboard Esm H320
2 - 3 min read
The Rust-based Edera project demonstrates a unique approach to container security that addresses cloud-native computing challenges. Let's examine
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved