Red Hat Product Errata RHSA-2023:0264 - Security Advisory
Issued:
2023-01-19
Updated:
2023-01-19

RHSA-2023:0264 - Security Advisory

Synopsis

Moderate: Red Hat OpenShift (Logging Subsystem) security update

Type/Severity

Security Advisory: Moderate

Topic

An update for Logging Subsystem (5.6.0) is now available for Red Hat OpenShift Container Platform.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

Description

Logging Subsystem 5.6.0 - Red Hat OpenShift

  • logging-view-plugin-container: loader-utils: prototype pollution in function parseQuery in parseQuery.js (CVE-2022-37601)
  • logging-elasticsearch6-container: jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518)
  • logging-loki-container: various flaws (CVE-2022-2879 CVE-2022-2880 CVE-2022-41715)
  • logging-loki-container: golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)
  • golang: net/url: JoinPath does not strip relative path components in all circumstances (CVE-2022-32190)
  • org.elasticsearch-elasticsearch: jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
  • org.elasticsearch-elasticsearch: jackson-databind: use of deeply nested arrays (CVE-2022-42004)

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Logging Subsystem for Red Hat OpenShift for ARM 64 5 for RHEL 8 aarch64
  • Logging Subsystem for Red Hat OpenShift 5 for RHEL 8 x86_64
  • Logging Subsystem for Red Hat OpenShift for IBM Power, little endian 5 for RHEL 8 ppc64le
  • Logging Subsystem for Red Hat OpenShift for IBM Z and LinuxONE 5 for RHEL 8 s390x

Fixes

  • BZ - 2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects
  • BZ - 2124668 - CVE-2022-32190 golang: net/url: JoinPath does not strip relative path components in all circumstances
  • BZ - 2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY
  • BZ - 2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers
  • BZ - 2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
  • BZ - 2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps
  • BZ - 2134876 - CVE-2022-37601 loader-utils: prototype pollution in function parseQuery in parseQuery.js
  • BZ - 2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
  • BZ - 2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays
  • LOG-2843 - tls.key and tls.cert not in fluentd real configuration when forwarding logs using syslog tls
  • LOG-2217 - [Vector] Loss of logs when using Vector as collector.
  • LOG-2620 - containers violate PodSecurity -- Core
  • LOG-2819 - the `.level` field they are getting the "ERROR" but in `.structure.level` field they are getting "INFO"
  • LOG-2822 - Evaluating rule failure in LokiRuler pods for Alerting and recording rules
  • LOG-2919 - CLO is constantly failing to create already existing logging objects (HTTP 409)
  • LOG-2962 - Add the `version` file to Must-Gather archive
  • LOG-2993 - consoleexternalloglinks.console.openshift.io/kibana should be removed once Kibana is deleted
  • LOG-3072 - Non-admin user with 'view' role can't see any logs in 'Logs' view
  • LOG-3090 - Custom outputs defined in ClusterLogForwarder overwritten when using LokiStack as default log storage
  • LOG-3129 - Kibana Authentication Exception cookie issue
  • LOG-3157 - Resources associated with collector / fluentd keep on getting recreated
  • LOG-3161 - the content of secret elasticsearch-metrics-token is recreated continually
  • LOG-3168 - Ruler pod throwing 'failed loading deletes for user' error after alerting/recording rules are created
  • LOG-3169 - Unable to install Loki operator from upstream repo on OCP 4.12
  • LOG-3180 - fluentd plugin for kafka ca-bundle secret doesn't support multiple CAs
  • LOG-3186 - [Loki] unable to determine tls profile settings when creating a LokiStack instance with custom global tlsSecurityProfile config
  • LOG-3194 - Collector pod violates PodSecurity "restricted:v1.24" when using lokistack as the default log store in OCP 4.12.
  • LOG-3195 - [Vector] logs parsed into structured when json is set without structured types.
  • LOG-3208 - must-gather is empty for logging with CLO image
  • LOG-3224 - Can't forward logs to non-clusterlogging managed ES using vector.
  • LOG-3235 - cluster-logging.5.5.3 failing to deploy on ROSA
  • LOG-3286 - LokiStack doesn't reconcile to use the changed tlsSecurityProfile set in the global config.
  • LOG-3292 - Loki Controller manager in CrashLoop due to failure to list *v1.Proxy
  • LOG-3296 - Cannot use default Replication Factor for shirt size
  • LOG-3309 - Can't choose correct CA ConfigMap Key when creating lokistack in Console
  • LOG-3324 - [vector] the key_pass should be text in vector.toml when forward log to splunk
  • LOG-3331 - [release-5.6] Reconcile error on controller when creating LokiStack with tls config
  • LOG-3446 - [must-gather] oc adm must-gather execution hangs indefinitely when collecting information for Cluster Logging.

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.