Red Hat Product Errata RHSA-2022:1461 - Security Advisory

Issued: 2022-04-20
Updated: 2022-04-20

Synopsis

Important: Logging Subsystem 5.4 - Red Hat OpenShift Security and Bug update

Type/Severity

Security Advisory: Important

Topic

Logging Subsystem 5.4 - Red Hat OpenShift

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Logging Subsystem 5.4 - Red Hat OpenShift

Security Fix(es):

  • kubeclient: kubeconfig parsing error can lead to MITM attacks (CVE-2022-0759)
  • prometheus/client_golang: Denial of service using InstrumentHandlerCounter (CVE-2022-21698)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:

https://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html

For Red Hat OpenShift Logging 5.4, see the following instructions to apply this update:

https://docs.openshift.com/container-platform/4.10/logging/cluster-logging-upgrading.html

Affected Products

  • Logging Subsystem for Red Hat OpenShift for ARM 64 5 for RHEL 8 aarch64
  • Logging Subsystem for Red Hat OpenShift 5 for RHEL 8 x86_64
  • Logging Subsystem for Red Hat OpenShift for IBM Power, little endian 5 for RHEL 8 ppc64le
  • Logging Subsystem for Red Hat OpenShift for IBM Z and LinuxONE 5 for RHEL 8 s390x

Fixes

  • BZ - 2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter
  • BZ - 2058404 - CVE-2022-0759 kubeclient: kubeconfig parsing error can lead to MITM attacks
  • LOG-1774 - The collector logs should be excluded in fluent.conf
  • LOG-1896 - CLO panic: runtime error: slice bounds out of range [:-1]
  • LOG-1912 - Vector image ref breaks 5.3 build
  • LOG-1918 - Alert `FluentdNodeDown` always firing
  • LOG-1919 - Logging link is not removed when CLO is uninstalled or its instance is removed
  • LOG-2026 - No datapoint for CPU on openshift-logging dashboard
  • LOG-2052 - [vector]Infra logs aren't collected correctly
  • LOG-2056 - Wrong certificates used by fluentd when log forwarding to external Elasticsearch and defined structuredTypeKey
  • LOG-2069 - [release-5.4]Log collected dashboard displays wrong namespace
  • LOG-2070 - [Vector] Collector pods fail to start when a ClusterLogForwarder is created to forward logs to Kafka.
  • LOG-2071 - [release-5.4] The configmap grafana-dashboard-cluster-logging can not be updated
  • LOG-2072 - [Vector] Collector pods fail to start when a ClusterLogForwarder instance is created to forward logs to multiple log stores.
  • LOG-2076 - [Vector] Basic auth credentials are not added to the generated Vector config
  • LOG-2093 - EO Self-generated certificates issue with Kibana when "logging.openshift.io/elasticsearch-cert-management: true" annotation is used
  • LOG-2107 - CLO instance to deploy Vector not working.
  • LOG-2119 - Elasticsearch pod is throwing ElasticsearchSecurityException when running delete by query
  • LOG-2120 - EO becomes CrashLoopBackOff when deploy ES with more than 3 nodes
  • LOG-2121 - LokiStack components/pods are not coming up due to CrashLoopBackOff error
  • LOG-2124 - Binary Manager issue in downstream Loki Operator image
  • LOG-2130 - Vector - Collector pods fails to start when forwarding logs to Loki using tenantKey
  • LOG-2131 - ES Operator Stuck on Quota after Upgrade
  • LOG-2156 - Dashboard for OpenShift Logging in WebConsole shows incorrect number of shards
  • LOG-2157 - Vector: Getting error 'error=unknown field `username`' when forwarding logs to Loki using HTTPS
  • LOG-2160 - [Logging 5.4]Logs under openshift-* projects are sent to app* index when using fluentd as collector
  • LOG-2161 - Cronjob elasticsearch-im-prune-app keeps recreating after enabling delete by query
  • LOG-2163 - Openshift Logging Dashboard is not available in console
  • LOG-2166 - [Vector]CLO doesn't create correct configurations when forwarding different type logs to different log stores.
  • LOG-2174 - [vector] ES rejects logs due to MapperParsingException
  • LOG-2210 - Delete by query doesn't delete all the projects' logs defined in retentionPolicy
  • LOG-2211 - [loki-operator] The kube-rbac-proxy is too old (v4.5.0)
  • LOG-2212 - [loki-operator] Configure Error in ClusterServiceVersion
  • LOG-2218 - support ARM64 for loki-operator images
  • LOG-2220 - Fluentd collector not setting labels from /var/log/pods paths
  • LOG-2221 - The lokistack deployment should continue after the missing secret is created
  • LOG-2224 - LokiStack components are not restarted on ConfigMap change
  • LOG-2226 - [loki-operator] Must use the global namespace openshift-operators or openshift-operators-redhat
  • LOG-2236 - An inner error is swallowed
  • LOG-2249 - [Vector] Incorrect sinks.loki_server.labels config for kubernetes_host and kubernetes_namespace_name
  • LOG-2250 - [Logging 5.4] EO doesn't recreate secrets kibana and kibana-proxy after removing them.
  • LOG-2255 - [Vector] Forwarder does not handle input namespace selectors.
  • LOG-2259 - [Vector] Configuration error `error=redefinition of table` when forwarding logs from different namespaces.
  • LOG-2278 - [loki-operator] SRV lookup for components fails because of service name mismatch
  • LOG-2286 - Prometheus can't watch pods/endpoints/services in openshift-logging namespace when only the CLO is deployed.
  • LOG-2327 - [loki-operator] Loki components report connection errors related to kube-probe
  • LOG-2352 - loki-operator controller pod in CrashLoopBackOff status
  • LOG-2373 - [release-5.4] Logging link should contain an icon
  • LOG-2375 - Vector preview does not update Status
  • LOG-2381 - [Vector] [5.4] Collector pods fail to start with configuration error=unknown variant `internal_metrics`
  • LOG-2383 - The lokistack still bind s3 when secret.type is azure
  • LOG-2392 - CLO's loki output url is parsed wrongly
  • LOG-2398 - [Vector][5.4] Journal logs not reaching Elasticsearch output
  • LOG-2425 - lokistack: Common users can not view their pods logs
  • LOG-2438 - api/logs/v1/audit/loki/api/v1/push 302 Found failed to find token
  • LOG-2441 - Remove OpenShift 4.8 from Logging 5.4 support list
  • LOG-2487 - The loki-operator can not be upgraded
  • LOG-2115 - Incident: Loki Ingester experiencing 50% errors.
  • LOG-2246 - [loki-operator] Degraded status immediately reset when no pod actions are pending
  • LOG-2430 - Enable vector functional and e2e tests for preview, or document gaps
  • LOG-2099 - [release-5.4] Events listing out of order in Kibana 6.8.1
  • LOG-2171 - [Logging 5.4]ES pods can't be ready after removing secret/signing-elasticsearch
  • LOG-2299 - Loki tenant configuration invalid for fluentd output plugin used
  • LOG-2302 - [Logging 5.4] Elasticsearch cluster upgrade stuck
  • LOG-2351 - [Logging 5.4] Kibana pod can't connect to ES cluster after removing secret/signing-elasticsearch: "x509: certificate signed by unknown authority"
  • LOG-2379 - [release-5.4] Allow users to tune fluentd
  • LOG-2397 - Reconcile Error on Loki controller manager after LokiStack size is changed
  • LOG-1899 - http.max_header_size set to 128kb causes communication with elasticsearch to stop working
  • LOG-2462 - Fluentd collected metric should track either /var/log/pods or /var/log/containers

CVEs

  • CVE-2022-0759
  • CVE-2022-21698

References

  • https://access.redhat.com/security/updates/classification/#important

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
