Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 476
Alerts This Week
Warning Icon 1 476

RedHat: RHSA-2023-5379 Important: Network Observability 1.4.0 ReDoS

red hat
Calendar Grey September 28, 2023
Dist Redhat Esm H88
The update from Red Hat on Network Insights 1.4.0 emphasizes critical enhancements, vulnerabilities addressed, and guidelines for implementation.
Network Observability is an OpenShift operator that deploys a monitoring pipeline to collect and enrich network flows that are produced by the Network Observability eBPF agent

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Summary

Network Observability 1.4.0
Security Fix(es):
* word-wrap: Regular Expression Denial of Service (CVE-2023-26115)
* nodejs-semver: Regular expression denial of service (CVE-2022-25883)

References

https://access.redhat.com/security/cve/CVE-2022-25883 https://access.redhat.com/security/cve/CVE-2023-2602 https://access.redhat.com/security/cve/CVE-2023-2603 https://access.redhat.com/security/cve/CVE-2023-26115 https://access.redhat.com/security/cve/CVE-2023-28321 https://access.redhat.com/security/cve/CVE-2023-28322 https://access.redhat.com/security/cve/CVE-2023-28484 https://access.redhat.com/security/cve/CVE-2023-29469 https://access.redhat.com/security/updates/classification/#important

Package List


Severity
important
Lowest
Low
Medium
High
Critical

Advisory ID: RHSA-2023:5379-01
Product: Network Observability
Issue date: 2023-09-28

Topic

Network Observability is an OpenShift operator that deploys a monitoringpipeline to collect and enrich network flows that are produced by theNetwork Observability eBPF agent.The operator provides dashboards, metrics, and keeps flows accessible in aqueryable log store, Grafana Loki. When a FlowCollector is deployed, newdashboards are available in the Console.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.

Relevant Releases Architectures

Bugs Fixed

2216475 - CVE-2022-25883 nodejs-semver: Regular expression denial of service

2216827 - CVE-2023-26115 word-wrap: ReDoS

5. JIRA issues fixed (https://issues.redhat.com/):

NETOBSERV-1009 - Export Netflows without Loki

NETOBSERV-1034 - Remove 1.0.x channel

NETOBSERV-1107 - Improve ebpf agent memory usage

NETOBSERV-1131 - Metrics do not ignore duplicates

NETOBSERV-1137 - UI Enhancements 1.4

NETOBSERV-1182 - add cluster name to flp configuration

NETOBSERV-1196 - Extend platform coverage for Network Observability

NETOBSERV-1224 - Flowcollector does not report status != Ready in OCP Console

NETOBSERV-1242 - Console plugin build infos

NETOBSERV-1283 - Not able to monitor Multus/SRIOV traffic on Network Observability Operator

NETOBSERV-139 - Flow dashboards enhancements (flow-based metrics)

NETOBSERV-962 - Add IPFIX exporter

NETOBSERV-975 - Flows dropped due to Loki stream limit during large traffic spikes

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.