Red Hat Product Errata RHSA-2022:7055 - Security Advisory
Issued:
2022-10-19
Updated:
2022-10-19

RHSA-2022:7055 - Security Advisory

Synopsis

Moderate: RHOSDT 2.6.0 operator/operand containers Security Update

Type/Severity

Security Advisory: Moderate

Topic

An update is now available for Red Hat Openshift distributed tracing 2.6.0

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

This release of Red Hat OpenShift distributed tracing provides these changes:

Security Fix(es):

  • nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918)
  • eventsource: Exposure of Sensitive Information (CVE-2022-1650)
  • moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)
  • follow-redirects: Exposure of Sensitive Information via Authorization Header leak (CVE-2022-0536)
  • Moment.js: Path traversal in moment.locale (CVE-2022-24785)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat OpenShift distributed tracing 2 x86_64
  • Red Hat OpenShift distributed tracing for Power, little endian 2 ppc64le
  • Red Hat OpenShift distributed tracing for IBM Z and LinuxONE 2 s390x

Fixes

  • BZ - 2024702 - CVE-2021-3918 nodejs-json-schema: Prototype pollution vulnerability
  • BZ - 2053259 - CVE-2022-0536 follow-redirects: Exposure of Sensitive Information via Authorization Header leak
  • BZ - 2072009 - CVE-2022-24785 Moment.js: Path traversal in moment.locale
  • BZ - 2085307 - CVE-2022-1650 eventsource: Exposure of Sensitive Information
  • BZ - 2105075 - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.