Red Hat Product Errata RHSA-2024:3621 - Security Advisory
Issued: 2024-06-05
Updated: 2024-06-05

Synopsis

Important: Red Hat OpenShift distributed tracing 3.2.0 operator/operand containers update

Type/Severity

Security Advisory: Important

Topic

Red Hat OpenShift distributed tracing 3.2.0

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Release of Red Hat OpenShift distributed tracing provides these changes:

Security Fix(es):

  • go-resty: HTTP request body disclosure in github.com/go-resty/resty/v2 (CVE-2023-45286)
  • golang: net/http: memory exhaustion in Request.ParseMultipartForm (CVE-2023-45290)
  • golang: net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect (CVE-2023-45289)
  • golang: crypto/x509: Verify panics on certificates with an unknown public key algorithm (CVE-2024-24783)
  • golang: net/mail: comments in display names are incorrectly handled (CVE-2024-24784)
  • golang: html/template: errors returned from MarshalJSON methods may break template escaping (CVE-2024-24785)
  • golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON (CVE-2024-24786)
  • golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS (CVE-2023-45288)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

Solution

Red Hat OpenShift distributed tracing Release

Affected Products

  • Red Hat OpenShift distributed tracing 3 x86_64
  • Red Hat OpenShift distributed tracing for Power, little endian 3 ppc64le
  • Red Hat OpenShift distributed tracing for IBM Z and LinuxONE 3 s390x
  • Red Hat OpenShift distributed tracing for ARM 3 aarch64

Fixes

  • BZ - 2252012 - CVE-2023-45286 go-resty: HTTP request body disclosure in github.com/go-resty/resty/v2
  • BZ - 2268017 - CVE-2023-45290 golang: net/http: memory exhaustion in Request.ParseMultipartForm
  • BZ - 2268018 - CVE-2023-45289 golang: net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect
  • BZ - 2268019 - CVE-2024-24783 golang: crypto/x509: Verify panics on certificates with an unknown public key algorithm
  • BZ - 2268021 - CVE-2024-24784 golang: net/mail: comments in display names are incorrectly handled
  • BZ - 2268022 - CVE-2024-24785 golang: html/template: errors returned from MarshalJSON methods may break template escaping
  • BZ - 2268046 - CVE-2024-24786 golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON
  • BZ - 2268273 - CVE-2023-45288 golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS
  • TRACING-3139 - Jaeger UI only shows service names of traces of the last 15 minutes, traces of other services cannot be queried
  • TRACING-3599 - Use OTEL collector to export all metrics from one cluster
  • TRACING-3693 - Upgrade collector CR to v1beta1
  • TRACING-3725 - Enable hostmetrics receiver in the OpenTelemetry collector
  • TRACING-3738 - Add csv.Spec.minKubeVersion to operators
  • TRACING-3761 - opentelemetry operator monitoring is not enabled.
  • TRACING-3764 - Adapt collector manifest generation APIs to v1alpha2
  • TRACING-3801 - Support gateway (auth) in Tempo monolithic
  • TRACING-3834 - Operand status field
  • TRACING-3836 - Observability for monolithic deployment
  • TRACING-3856 - Allow override resources per component in tempo-operator
  • TRACING-3884 - Support tolerations and NodeSelector
  • TRACING-3919 - Migrate to v1alpha2 in the opAMP
  • TRACING-3920 - Migrate to v1alpha2 in target allocator
  • TRACING-3921 - Change the reconcile/params to v1alpha2
  • TRACING-3935 - Additional validation in webhook
  • TRACING-3936 - Support custom service account
  • TRACING-3946 - Expose product usage metrics from Tempo to telemeter
  • TRACING-3959 - Add metadata to namespace or CSV to enable monitoring for OTEL and Tempo operators
  • TRACING-3961 - Add hostmetrics to our distribution
  • TRACING-3964 - Add oidcauthextension to the OTel collector
  • TRACING-3965 - Add k8sclusterreceiver to the OTel collector
  • TRACING-3966 - Add k8seventsreceiver to the OTel collector
  • TRACING-3967 - Add k8sobjectsreceiver to the OTel collector
  • TRACING-3968 - Add the load balancer exporter to the OpenTelemetry collector
  • TRACING-3969 - Add kubeletstats receiver to the OpenTelemetry collector
  • TRACING-3970 - Cumulative delta processor support in OTel collector
  • TRACING-3971 - Enable forward connector in the OTel collector
  • TRACING-3972 - Enable journald receiver in OTel collector
  • TRACING-3973 - Enable filelog receiver in the OpenTelemetry collector
  • TRACING-3974 - Enable file storage extension in the OpenTelemetry collector
  • TRACING-3981 - Add k8seventreceiver to RH collector distribution and docs
  • TRACING-4007 - NodeJS pod CrashLoop when injecting OTEL autoinstrumentation
  • TRACING-4009 - Tempo OOM with query-frontend
  • TRACING-4061 - Add journald component to RHOSDT collector and run it on OpenShift
  • TRACING-4065 - Add forward connector component to RHOSDT collector and run it on OpenShift
  • TRACING-4068 - Add kubeletstats receiver component to RHOSDT collector and run it on OpenShift
  • TRACING-4072 - Add oidcauthextension component to RHOSDT collector and run it on OpenShift
  • TRACING-4078 - Add k8sclusterreceiver component to RHOSDT collector and run it on OpenShift
  • TRACING-4087 - Jaeger UI is blank if multitenancy is enabled but user has no permissions
  • TRACING-4127 - Add lokipush exporter to RH collector

CVEs

  • CVE-2021-43618
  • CVE-2023-6004
  • CVE-2023-6918
  • CVE-2023-7008
  • CVE-2023-45286
  • CVE-2023-45288
  • CVE-2023-45289
  • CVE-2023-45290
  • CVE-2024-22365
  • CVE-2024-24783
  • CVE-2024-24784
  • CVE-2024-24785
  • CVE-2024-24786
  • CVE-2024-26458
  • CVE-2024-26461
  • CVE-2024-28834
  • CVE-2024-33599
  • CVE-2024-33600
  • CVE-2024-33601
  • CVE-2024-33602

References

  • https://access.redhat.com/security/updates/classification/#important

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
