Red Hat Product Errata RHSA-2022:1461 - Security Advisory
Issued:
2022-04-20
Updated:
2022-04-20

Synopsis

Important: Logging Subsystem 5.4 - Red Hat OpenShift Security and Bug update

Type/Severity

Security Advisory: Important

Topic

Logging Subsystem 5.4 - Red Hat OpenShift

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Logging Subsystem 5.4 - Red Hat OpenShift

Security Fix(es):

  • kubeclient: kubeconfig parsing error can lead to MITM attacks (CVE-2022-0759)
  • prometheus/client_golang: Denial of service using InstrumentHandlerCounter (CVE-2022-21698)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:

https://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html

For Red Hat OpenShift Logging 5.4, see the following instructions to apply this update:

https://docs.openshift.com/container-platform/4.10/logging/cluster-logging-upgrading.html

Affected Products

  • Logging Subsystem for Red Hat OpenShift 5 x86_64
  • Logging Subsystem for Red Hat OpenShift for IBM Power, little endian 5 ppc64le
  • Logging Subsystem for Red Hat OpenShift for IBM Z and LinuxONE 5 s390x
  • Logging Subsystem for Red Hat OpenShift for ARM 64 5 aarch64

Fixes

  • BZ - 2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter
  • BZ - 2058404 - CVE-2022-0759 kubeclient: kubeconfig parsing error can lead to MITM attacks
  • LOG-1774 - The collector logs should be excluded in fluent.conf
  • LOG-1896 - CLO panic: runtime error: slice bounds out of range [:-1]
  • LOG-1912 - Vector image ref breaks 5.3 build
  • LOG-1918 - Alert `FluentdNodeDown` always firing
  • LOG-1919 - Logging link is not removed when CLO is uninstalled or its instance is removed
  • LOG-2026 - No datapoint for CPU on openshift-logging dashboard
  • LOG-2052 - [vector] Infra logs aren't collected correctly
  • LOG-2056 - Wrong certificates used by fluentd when log forwarding to external Elasticsearch and defined structuredTypeKey
  • LOG-2069 - [release-5.4] Log collected dashboard displays wrong namespace
  • LOG-2070 - [Vector] Collector pods fail to start when a ClusterLogForwarder is created to forward logs to Kafka.
  • LOG-2071 - [release-5.4] The configmap grafana-dashboard-cluster-logging can not be updated
  • LOG-2072 - [Vector] Collector pods fail to start when a ClusterLogForwarder instance is created to forward logs to multiple log stores.
  • LOG-2076 - [Vector] Basic auth credentials are not added to the generated Vector config
  • LOG-2093 - EO Self-generated certificates issue with Kibana when "logging.openshift.io/elasticsearch-cert-management: true" annotation is used
  • LOG-2107 - CLO instance to deploy Vector not working.
  • LOG-2119 - Elasticsearch pod is throwing ElasticsearchSecurityException when running delete by query
  • LOG-2120 - EO becomes CrashLoopBackOff when deploy ES with more than 3 nodes
  • LOG-2121 - LokiStack components/pods are not coming up due to CrashLoopBackOff error
  • LOG-2124 - Binary Manager issue in downstream Loki Operator image
  • LOG-2130 - Vector - Collector pods fail to start when forwarding logs to Loki using tenantKey
  • LOG-2131 - ES Operator Stuck on Quota after Upgrade
  • LOG-2156 - Dashboard for OpenShift Logging in WebConsole shows incorrect number of shards
  • LOG-2157 - Vector: Getting error 'error=unknown field `username`' when forwarding logs to Loki using HTTPS
  • LOG-2160 - [Logging 5.4] Logs under openshift-* projects are sent to app* index when using fluentd as collector
  • LOG-2161 - Cronjob elasticsearch-im-prune-app keeps recreating after enabling delete by query
  • LOG-2163 - Openshift Logging Dashboard is not available in console
  • LOG-2166 - [Vector] CLO doesn't create correct configurations when forwarding different type logs to different log stores.
  • LOG-2174 - [vector] ES rejects logs due to MapperParsingException
  • LOG-2210 - Delete by query doesn't delete all the projects' logs defined in retentionPolicy
  • LOG-2211 - [loki-operator] The kube-rbac-proxy is too old (v4.5.0)
  • LOG-2212 - [loki-operator] Configure Error in ClusterServiceVersion
  • LOG-2218 - support ARM64 for loki-operator images
  • LOG-2220 - Fluentd collector not setting labels from /var/log/pods paths
  • LOG-2221 - The lokistack deployment should continue after the missing secret is created
  • LOG-2224 - LokiStack components are not restarted on ConfigMap change
  • LOG-2226 - [loki-operator] Must use the global namespace openshift-operators or openshift-operators-redhat
  • LOG-2236 - An inner error is swallowed
  • LOG-2249 - [Vector] Incorrect sinks.loki_server.labels config for kubernetes_host and kubernetes_namespace_name
  • LOG-2250 - [Logging 5.4] EO doesn't recreate secrets kibana and kibana-proxy after removing them.
  • LOG-2255 - [Vector] Forwarder does not handle input namespace selectors.
  • LOG-2259 - [Vector] Configuration error 'error=redefinition of table' when forwarding logs from different namespaces.
  • LOG-2278 - [loki-operator] SRV lookup for components fails because of service name mismatch
  • LOG-2286 - Prometheus can't watch pods/endpoints/services in openshift-logging namespace when only the CLO is deployed.
  • LOG-2327 - [loki-operator] Loki components report connection errors related to kube-probe
  • LOG-2352 - loki-operator controller pod in CrashLoopBackOff status
  • LOG-2373 - [release-5.4] Logging link should contain an icon
  • LOG-2375 - Vector preview does not update Status
  • LOG-2381 - [Vector] [5.4] Collector pods fail to start with configuration error=unknown variant `internal_metrics`
  • LOG-2383 - The lokistack still bind s3 when secret.type is azure
  • LOG-2392 - CLO's loki output url is parsed wrongly
  • LOG-2398 - [Vector][5.4] Journal logs not reaching Elasticsearch output
  • LOG-2425 - lokistack: Common users can not view their pods logs
  • LOG-2438 - api/logs/v1/audit/loki/api/v1/push 302 Found failed to find token
  • LOG-2441 - Remove OpenShift 4.8 from Logging 5.4 support list
  • LOG-2487 - The loki-operator can not be upgraded
  • LOG-2115 - Incident: Loki Ingester experiencing 50% errors.
  • LOG-2246 - [loki-operator] Degraded status immediately reset when no pod actions are pending
  • LOG-2430 - Enable vector functional and e2e tests for preview, or document gaps
  • LOG-2099 - [release-5.4] Events listing out of order in Kibana 6.8.1
  • LOG-2171 - [Logging 5.4] ES pods can't be ready after removing secret/signing-elasticsearch
  • LOG-2299 - Loki tenant configuration invalid for fluentd output plugin used
  • LOG-2302 - [Logging 5.4] Elasticsearch cluster upgrade stuck
  • LOG-2351 - [Logging 5.4] Kibana pod can't connect to ES cluster after removing secret/signing-elasticsearch: "x509: certificate signed by unknown authority"
  • LOG-2379 - [release-5.4] Allow users to tune fluentd
  • LOG-2397 - Reconcile Error on Loki controller manager after LokiStack size is changed
  • LOG-1899 - http.max_header_size set to 128kb causes communication with elasticsearch to stop working
  • LOG-2462 - Fluentd collected metric should track either /var/log/pods or /var/log/containers

CVEs

  • CVE-2022-0759
  • CVE-2022-21698

References

  • https://access.redhat.com/security/updates/classification/#important
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
