RHSA-2024:2932 - Security Advisory

Topic

An update is now available for RHOL-5.8-RHEL-9.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

TODO: add package description

Security Fix(es):

• golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS (CVE-2023-45288)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For OpenShift Container Platform 4.13 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:

https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html

For Red Hat OpenShift Logging 5.8, see the following instructions to apply this update:

https://docs.openshift.com/container-platform/4.13/logging/cluster-logging-upgrading.html

Affected Products

• Logging Subsystem for Red Hat OpenShift for ARM 64 5 for RHEL 9 aarch64
• Logging Subsystem for Red Hat OpenShift 5 for RHEL 9 x86_64
• Logging Subsystem for Red Hat OpenShift for IBM Power, little endian 5 for RHEL 9 ppc64le
• Logging Subsystem for Red Hat OpenShift for IBM Z and LinuxONE 5 for RHEL 9 s390x

Fixes

• BZ - 2268273 - CVE-2023-45288 golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS
• LOG-4949 - Cronjob elasticsearch-im-<type> fails every time when <type> logs are not captured
• LOG-5467 - [release-5.8] Got 'invalid configuration: provided not secure URL along with TLS configuration' when forwarding to cloudwatch and specifying `tls.securityProfile` in the output.
• LOG-5471 - [release-5.8] Cluster Logging Operator is producing stale telemetry metrics
• LOG-5514 - Logging operator logic delete the daemonset collector not being able to recreate

CVEs

• CVE-2020-26555
• CVE-2021-29390
• CVE-2022-0480
• CVE-2022-38096
• CVE-2022-40090
• CVE-2022-45934
• CVE-2022-48554
• CVE-2022-48624
• CVE-2023-2975
• CVE-2023-3446
• CVE-2023-3567
• CVE-2023-3618
• CVE-2023-3817
• CVE-2023-4133
• CVE-2023-5678
• CVE-2023-6040
• CVE-2023-6121
• CVE-2023-6129
• CVE-2023-6176
• CVE-2023-6228
• CVE-2023-6237
• CVE-2023-6531
• CVE-2023-6546
• CVE-2023-6622
• CVE-2023-6915
• CVE-2023-6931
• CVE-2023-6932
• CVE-2023-7008
• CVE-2023-24023
• CVE-2023-25193
• CVE-2023-25775
• CVE-2023-28464
• CVE-2023-28866
• CVE-2023-31083
• CVE-2023-31122
• CVE-2023-37453
• CVE-2023-38469
• CVE-2023-38470
• CVE-2023-38471
• CVE-2023-38472
• CVE-2023-38473
• CVE-2023-39189
• CVE-2023-39193
• CVE-2023-39194
• CVE-2023-39198
• CVE-2023-40745
• CVE-2023-41175
• CVE-2023-42754
• CVE-2023-42756
• CVE-2023-43785
• CVE-2023-43786
• CVE-2023-43787
• CVE-2023-43788
• CVE-2023-43789
• CVE-2023-45288
• CVE-2023-45863
• CVE-2023-46862
• CVE-2023-47038
• CVE-2023-51043
• CVE-2023-51779
• CVE-2023-51780
• CVE-2023-52434
• CVE-2023-52448
• CVE-2023-52476
• CVE-2023-52489
• CVE-2023-52522
• CVE-2023-52529
• CVE-2023-52574
• CVE-2023-52578
• CVE-2023-52580
• CVE-2023-52581
• CVE-2023-52597
• CVE-2023-52610
• CVE-2023-52620
• CVE-2024-0565
• CVE-2024-0727
• CVE-2024-0841
• CVE-2024-1085
• CVE-2024-1086
• CVE-2024-21011
• CVE-2024-21012
• CVE-2024-21068
• CVE-2024-21085
• CVE-2024-21094
• CVE-2024-22365
• CVE-2024-25062
• CVE-2024-26582
• CVE-2024-26583
• CVE-2024-26584
• CVE-2024-26585
• CVE-2024-26586
• CVE-2024-26593
• CVE-2024-26602
• CVE-2024-26609
• CVE-2024-26633
• CVE-2024-27316
• CVE-2024-28834
• CVE-2024-28835

References

• https://access.redhat.com/security/updates/classification/#important