-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: Network Observability 1.4.0 for OpenShift
Advisory ID: RHSA-2023:5379-01
Product: Network Observability
Advisory URL: https://access.redhat.com/errata/RHSA-2023:5379
Issue date: 2023-09-28
CVE Names: CVE-2022-25883 CVE-2023-2602 CVE-2023-2603
CVE-2023-26115 CVE-2023-28321 CVE-2023-28322
CVE-2023-28484 CVE-2023-29469
=====================================================================
1. Summary:
Network Observability is an OpenShift operator that deploys a monitoring
pipeline to collect and enrich network flows that are produced by the
Network Observability eBPF agent.
The operator provides dashboards, metrics, and keeps flows accessible in a
queryable log store, Grafana Loki. When a FlowCollector is deployed, new
dashboards are available in the Console.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Description:
Network Observability 1.4.0
Security Fix(es):
* word-wrap: Regular Expression Denial of Service (CVE-2023-26115)
* nodejs-semver: Regular expression denial of service (CVE-2022-25883)
3. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
4. Bugs fixed (https://bugzilla.redhat.com/):
2216475 - CVE-2022-25883 nodejs-semver: Regular expression denial of service
2216827 - CVE-2023-26115 word-wrap: ReDoS
5. JIRA issues fixed (https://issues.redhat.com/):
NETOBSERV-1009 - Export Netflows without Loki
NETOBSERV-1034 - Remove 1.0.x channel
NETOBSERV-1107 - Improve ebpf agent memory usage
NETOBSERV-1131 - Metrics do not ignore duplicates
NETOBSERV-1137 - UI Enhancements 1.4
NETOBSERV-1182 - add cluster name to flp configuration
NETOBSERV-1196 - Extend platform coverage for Network Observability
NETOBSERV-1224 - Flowcollector does not report status != Ready in OCP Console
NETOBSERV-1242 - Console plugin build infos
NETOBSERV-1283 - Not able to monitor Multus/SRIOV traffic on Network Observability Operator
NETOBSERV-139 - Flow dashboards enhancements (flow-based metrics)
NETOBSERV-962 - Add IPFIX exporter
NETOBSERV-975 - Flows dropped due to Loki stream limit during large traffic spikes
6. References:
https://access.redhat.com/security/cve/CVE-2022-25883
https://access.redhat.com/security/cve/CVE-2023-2602
https://access.redhat.com/security/cve/CVE-2023-2603
https://access.redhat.com/security/cve/CVE-2023-26115
https://access.redhat.com/security/cve/CVE-2023-28321
https://access.redhat.com/security/cve/CVE-2023-28322
https://access.redhat.com/security/cve/CVE-2023-28484
https://access.redhat.com/security/cve/CVE-2023-29469
https://access.redhat.com/security/updates/classification/#important
7. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list