RHSA-2024:0853 - Security Advisory

Topic

Network Observability is an OpenShift operator that deploys a monitoring pipeline to collect and enrich network flows that are produced by the Network Observability eBPF agent.

The operator provides dashboards, metrics, and keeps flows accessible in a queryable log store, Grafana Loki. When a FlowCollector is deployed, new dashboards are available in the Console.

Description

Network Observability 1.5.0

Security Fix(es):

• CVE-2023-26159 follow-redirects: Improper Input Validation due to the improper handling of URLs by the url.parse()

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Network Observability (NETOBSERV) 1 for RHEL 9 x86_64
• Network Observability (NETOBSERV) for ARM 64 1 for RHEL 9 aarch64
• Network Observability (NETOBSERV) for IBM Power, little endian 1 for RHEL 9 ppc64le
• Network Observability (NETOBSERV) for IBM Z and LinuxONE 1 for RHEL 9 s390x

Fixes

• BZ - 2256413 - CVE-2023-26159 follow-redirects: Improper Input Validation due to the improper handling of URLs by the url.parse()
• NETOBSERV-1134 - Console plugin enable notch does not work when register is false
• NETOBSERV-1305 - Fix bundle build warnings (features.operators.openshift.io)
• NETOBSERV-1351 - No graph for Flows Overhead
• NETOBSERV-1430 - Some flows are not seen as metrics (both prom and loki)
• NETOBSERV-1443 - Console plugin loki timeout should be configurable
• NETOBSERV-1464 - "Input size too long" error is not well understood
• NETOBSERV-1293 - flowcollector status oscillates between DeploymentInProgress and Ready
• NETOBSERV-1316 - Top X average DNS latencies panel has NaN values
• NETOBSERV-1380 - Empty/NaN graphs - invalid metric type selection
• NETOBSERV-1225 - Enablement of perflow RTT latency analysis
• NETOBSERV-1286 - Metrics and dashboard enhancements for Lokiless usage
• NETOBSERV-1311 - DNS tracking improvments
• NETOBSERV-1335 - Capture and expose DSCP field from IP header
• NETOBSERV-1341 - Expose metrics definitions via the CRD [dev preview]
• NETOBSERV-245 - Store cluster id and other metadata, enhance UI
• NETOBSERV-657 - NetFlow Table Enhancements 1.5
• NETOBSERV-676 - NetFlow Overview Enhancements 1.5
• NETOBSERV-763 - Easier configuration
• NETOBSERV-1313 - DNS tracking related panels are not loaded on default when feature is enabled

CVEs

• CVE-2021-35937
• CVE-2021-35938
• CVE-2021-35939
• CVE-2021-43618
• CVE-2023-7104
• CVE-2023-26159
• CVE-2023-29491
• CVE-2023-29499
• CVE-2023-32611
• CVE-2023-32665
• CVE-2023-36054
• CVE-2023-38545
• CVE-2023-38546
• CVE-2023-39615
• CVE-2023-39975
• CVE-2023-44487

References

• https://access.redhat.com/security/updates/classification/#moderate