=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Logging Subsystem 5.7.4 - Red Hat OpenShift bug fix and security update
Advisory ID:       RHSA-2023:4341-01
Product:           Logging Subsystem for Red Hat OpenShift
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4341
Issue date:        2023-08-02
CVE Names:         CVE-2022-25883 CVE-2023-22796 
=====================================================================

1. Summary:

Logging Subsystem 5.7.4 - Red Hat OpenShift

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Logging Subsystem 5.7.4 - Red Hat OpenShift

Security Fix(es):

* nodejs-semver: Regular expression denial of service (CVE-2022-25883)

* rubygem-activesupport: Regular Expression Denial of Service
(CVE-2023-22796)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2164736 - CVE-2023-22796 rubygem-activesupport: Regular Expression Denial of Service
2216475 - CVE-2022-25883 nodejs-semver: Regular expression denial of service

5. JIRA issues fixed (https://issues.redhat.com/):

LOG-2701 - [Vector] [Cloudwatch] namespaceUUID is not added to logGroupName when forwarding logs to Cloudwatch.
LOG-3880 - Deprecated `curation` and `forwarder` are displayed in the console when creating clusterlogging via `Form view`. 
LOG-4015 - [Vector][Loki] vector_component_sent_bytes_total metric for Loki sink not exposed by vector.
LOG-4073 - Invalid link to doc from installed operator in OpenShift Web Console
LOG-4237 - Regression with Red Hat OpenShift Logging 5.7.2 
LOG-4242 - Vector pods raise `Configuration error` when forwarding to cloudwatch/googlecloudlogging with tlsSecurityProfile configured.
LOG-4275 - [release-5.7] Vector pods going into a panic state 
LOG-4302 - CLO raises error message "URL not secure: , but output gcp-logging has TLS configuration parameters" if add tls.securityProfile to CLF when forwarding to googlecloudlogging/cloudwatch.
LOG-4361 - [release-5.7] Setting custom options on the application tenant removes user-alertmanager configuration
LOG-4368 - [release-5.7] sts cloudwatch issues after upgrading from 5.5
LOG-4389 - [release-5.7] Query Label Values from Loki return duplicate values.

6. References:

https://access.redhat.com/security/cve/CVE-2022-25883
https://access.redhat.com/security/cve/CVE-2023-22796
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.