- Issued: 2024-06-05
- Updated: 2024-06-05
RHSA-2024:3621 - Security Advisory
Synopsis
Important: Red Hat OpenShift distributed tracing 3.2.0 operator/operand containers update
Type/Severity
Security Advisory: Important
Topic
Red Hat OpenShift distributed tracing 3.2.0
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Release of Red Hat OpenShift distributed tracing provides these changes:
Security Fix(es):
- go-resty: HTTP request body disclosure in github.com/go-resty/resty/v2 (CVE-2023-45286)
- golang: net/http: memory exhaustion in Request.ParseMultipartForm (CVE-2023-45290)
- golang: net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect (CVE-2023-45289)
- golang: crypto/x509: Verify panics on certificates with an unknown public key algorithm (CVE-2024-24783)
- golang: net/mail: comments in display names are incorrectly handled (CVE-2024-24784)
- golang: html/template: errors returned from MarshalJSON methods may break template escaping (CVE-2024-24785)
- golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON (CVE-2024-24786)
- golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS (CVE-2023-45288)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Solution
Red Hat OpenShift distributed tracing Release
Affected Products
- Red Hat OpenShift distributed tracing 3 x86_64
- Red Hat OpenShift distributed tracing for Power, little endian 3 ppc64le
- Red Hat OpenShift distributed tracing for IBM Z and LinuxONE 3 s390x
- Red Hat OpenShift distributed tracing for ARM 3 aarch64
Fixes
- BZ - 2252012 - CVE-2023-45286 go-resty: HTTP request body disclosure in github.com/go-resty/resty/v2
- BZ - 2268017 - CVE-2023-45290 golang: net/http: memory exhaustion in Request.ParseMultipartForm
- BZ - 2268018 - CVE-2023-45289 golang: net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect
- BZ - 2268019 - CVE-2024-24783 golang: crypto/x509: Verify panics on certificates with an unknown public key algorithm
- BZ - 2268021 - CVE-2024-24784 golang: net/mail: comments in display names are incorrectly handled
- BZ - 2268022 - CVE-2024-24785 golang: html/template: errors returned from MarshalJSON methods may break template escaping
- BZ - 2268046 - CVE-2024-24786 golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON
- BZ - 2268273 - CVE-2023-45288 golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS
- TRACING-3139 - Jaeger UI only shows service names of traces from the last 15 minutes; traces of other services cannot be queried
- TRACING-3599 - Use OTEL collector to export all metrics from one cluster
- TRACING-3693 - Upgrade collector CR to v1beta1
- TRACING-3725 - Enable hostmetrics receiver in the OpenTelemetry collector
- TRACING-3738 - Add csv.Spec.minKubeVersion to operators
- TRACING-3761 - OpenTelemetry operator monitoring is not enabled
- TRACING-3764 - Adapt collector manifest generation APIs to v1alpha2
- TRACING-3801 - Support gateway (auth) in Tempo monolithic
- TRACING-3834 - Operand status field
- TRACING-3836 - Observability for monolithic deployment
- TRACING-3856 - Allow override resources per component in tempo-operator
- TRACING-3884 - Support tolerations and NodeSelector
- TRACING-3919 - Migrate to v1alpha2 in the opAMP
- TRACING-3920 - Migrate to v1alpha2 in target allocator
- TRACING-3921 - Change the reconcile/params to v1alpha2
- TRACING-3935 - Additional validation in webhook
- TRACING-3936 - Support custom service account
- TRACING-3946 - Expose product usage metrics from Tempo to telemeter
- TRACING-3959 - Add metadata to namespace or CSV to enable monitoring for OTEL and Tempo operators
- TRACING-3961 - Add hostmetrics to our distribution
- TRACING-3964 - Add oidcauthextension to the OTel collector
- TRACING-3965 - Add k8sclusterreceiver to the OTel collector
- TRACING-3966 - Add k8seventsreceiver to the OTel collector
- TRACING-3967 - Add k8sobjectsreceiver to the OTel collector
- TRACING-3968 - Add the load balancer exporter to the OpenTelemetry collector
- TRACING-3969 - Add kubeletstats receiver to the OpenTelemetry collector
- TRACING-3970 - Cumulative delta processor support in OTel collector
- TRACING-3971 - Enable forward connector in the OTel collector
- TRACING-3972 - Enable journald receiver in OTel collector
- TRACING-3973 - Enable filelog receiver in the OpenTelemetry collector
- TRACING-3974 - Enable file storage extension in the OpenTelemetry collector
- TRACING-3981 - Add k8seventreceiver to RH collector distribution and docs
- TRACING-4007 - NodeJS pod CrashLoop when injecting OTEL autoinstrumentation
- TRACING-4009 - Tempo OOM with query-frontend
- TRACING-4061 - Add journald component to RHOSDT collector and run it on OpenShift
- TRACING-4065 - Add forward connector component to RHOSDT collector and run it on OpenShift
- TRACING-4068 - Add kubeletstats receiver component to RHOSDT collector and run it on OpenShift
- TRACING-4072 - Add oidcauthextension component to RHOSDT collector and run it on OpenShift
- TRACING-4078 - Add k8sclusterreceiver component to RHOSDT collector and run it on OpenShift
- TRACING-4087 - Jaeger UI is blank if multitenancy is enabled but user has no permissions
- TRACING-4127 - Add lokipush exporter to RH collector
CVEs
- CVE-2023-45286
- CVE-2023-45288
- CVE-2023-45289
- CVE-2023-45290
- CVE-2024-24783
- CVE-2024-24784
- CVE-2024-24785
- CVE-2024-24786
aarch64
- rhosdt/jaeger-agent-rhel8@sha256:27792a6b4e0aa3a1620e1ec98e2060fae5de6c239e60d5dc6e124662080ce7d9
- rhosdt/jaeger-all-in-one-rhel8@sha256:bc9558144a4364e99a434675aba9abe9c8a21b3cae3fce211f41b48ac77e5c9c
- rhosdt/jaeger-collector-rhel8@sha256:ece5d3c01ed8ef464ca65cfd9e831eeec4d6f31bd3cc4091360aea7d319e639f
- rhosdt/jaeger-es-index-cleaner-rhel8@sha256:eec0d1b9744193f951a5953a9ec4c15979b1a8fee5ed9b37f65d4f0ff115fb73
- rhosdt/jaeger-es-rollover-rhel8@sha256:2463ea0e593a8efde7dc084ac6c600605542fcda7132355486120bceb410a6e2
- rhosdt/jaeger-ingester-rhel8@sha256:20ef07b52fd87c442138fdd52d39162deb10d8bb32766a1c837c9380ed1ddefe
- rhosdt/jaeger-operator-bundle@sha256:e8a90eae01013ce7573d132d48bb3590b762b7d8a11740342d0762852ddb6c35
- rhosdt/jaeger-query-rhel8@sha256:1fe9ba6c2f4b11a0cd15613465f511ea442f4f62955fd54859d1dceddc211e9e
- rhosdt/jaeger-rhel8-operator@sha256:2b232100f137812445c19195ea21b783288ea0f23e95a7bd5008be41476d6337
- rhosdt/opentelemetry-collector-rhel8@sha256:368bd918212faf7028c3846288a7363d5d029cd3a4fe8114afb83735df3ed32a
- rhosdt/opentelemetry-operator-bundle@sha256:a774ad73186756aa2660c58eb0a1b3910ead47ac8b645ced581a7e6158f8f7ef
- rhosdt/opentelemetry-rhel8-operator@sha256:e4f793dedca25ea1088bced096867f3a6bd62993ea5e345cb07124970a5b56a5
- rhosdt/opentelemetry-target-allocator-rhel8@sha256:325af1869893f9f2972b25d73aca79f3bf36da75b880420856602e7d088663cd
- rhosdt/tempo-gateway-opa-rhel8@sha256:e7747bb7cb3d172d1016cbb38a8de9a849112267b36b0350d3b1ad4a603f5fd1
- rhosdt/tempo-gateway-rhel8@sha256:5a82cb946a46010543ae60fc687badd8c4e526600f8a5268717f1094ecbc3f9d
- rhosdt/tempo-operator-bundle@sha256:6363601e99696d96f81b881116ac15a1c0be08906a2f7719c9d022d1b379daf3
- rhosdt/tempo-query-rhel8@sha256:727bd8daf604ed227bd9aa2eca975c2ac919622f78f0bfd021fd80da77aac276
- rhosdt/tempo-rhel8@sha256:00c803fa54e7aa08f58d6dfa475359d6ba15737ec24ea7a81558bf5c01084e8e
- rhosdt/tempo-rhel8-operator@sha256:7c326607144719ff6777132f8a171cd37bf6952cc0ed71590d02a9468ecf7fc1
ppc64le
- rhosdt/jaeger-agent-rhel8@sha256:d8a55508e2b685367d9452565a6a8f9ab9970d2b48184961bdb09bf7cc693873
- rhosdt/jaeger-all-in-one-rhel8@sha256:5c21a151c7c26f2034faa1e389a0e826385f87962af02a842c547c71ffc98717
- rhosdt/jaeger-collector-rhel8@sha256:07f636db696baff7866fb4940d63e83cc0677406ce1c16eafb1bca103d6b79f3
- rhosdt/jaeger-es-index-cleaner-rhel8@sha256:50eda5a5ac77cbe807f37044a9de9679d724508388abffed13ffef79b62e8d81
- rhosdt/jaeger-es-rollover-rhel8@sha256:ed10dd0093277b3daeab8213e3d318953aabcd3dd9bc17f0e5e8116f8f51b1e2
- rhosdt/jaeger-ingester-rhel8@sha256:8f094de652472f0cabbf955e7aedf53b223d1976e4bb59d6decb2742b6ca3ec5
- rhosdt/jaeger-operator-bundle@sha256:a34a6d931dd7197210c7406a24c182ddf4a0c6fb2c078224ac2cbb627204078f
- rhosdt/jaeger-query-rhel8@sha256:bb4e2a5694e1864998f26dfdb87507be2ac0030b095f1b7f8cf65ee550e936cd
- rhosdt/jaeger-rhel8-operator@sha256:a2efafae008d1904624f7c0852639e312796979e940c70693feee56198690668
- rhosdt/opentelemetry-collector-rhel8@sha256:60b43ac5df04a4a91917c15014c035f6a684bb2f484838fbccf4fb4faa46b384
- rhosdt/opentelemetry-operator-bundle@sha256:d4635599d6fe39706334c7cc1409430adbcbe2729b1fa77879894c5e9bb8bc3c
- rhosdt/opentelemetry-rhel8-operator@sha256:ae9fcaf972c9508c8af2b1f2c6f0f50d153a05016aa7a741cd08b064aba57846
- rhosdt/opentelemetry-target-allocator-rhel8@sha256:2752e6ef2e9ab085ce7b0d132adb40cb4c6f92c85d5e9fe1fe08558dbaea42ba
- rhosdt/tempo-gateway-opa-rhel8@sha256:c7c49ef6de3623428e47e1dc7c04b22efe17c73e7e988e3b82fa3517116cf8f3
- rhosdt/tempo-gateway-rhel8@sha256:d1de2fa5972f7ee5932c413c78bc11a23e3136f82bbcbf3e731c003155af88d8
- rhosdt/tempo-operator-bundle@sha256:449e58da948a2a1e8a4908c37267122ce4b9696ad6299523c480f6e9987a8042
- rhosdt/tempo-query-rhel8@sha256:ffc931e655e4df7188fbff3887bedf91a6dc23c71753453d8093c6eb1af1cd98
- rhosdt/tempo-rhel8@sha256:655e29477d0b278a9f1b782f272dddefc133d12887860635d94b135c6bff4f10
- rhosdt/tempo-rhel8-operator@sha256:03ae5a76933914cfd5e2ae2c8da1d7f886b57cc9e0a954059323697f5abeb4a1
s390x
- rhosdt/jaeger-agent-rhel8@sha256:c23914b0cc1670fee56143e59cce8d381c38ab8c2a215371eccb2c7e55049884
- rhosdt/jaeger-all-in-one-rhel8@sha256:f78cbbb9e49f3d97bbcb7401ef11f6dcdefaca998f99a5316f2a875c13bd961e
- rhosdt/jaeger-collector-rhel8@sha256:de513774bafbe13f28269ef398c0fcbce17ef06dcd9e1190f592dd5aab727f41
- rhosdt/jaeger-es-index-cleaner-rhel8@sha256:ca1211cf71262694bb32930e2bc290ec25bf7ee4abe705dccd93c84c01da7eca
- rhosdt/jaeger-es-rollover-rhel8@sha256:9029cfb58fd669dd4fd701c8854310d36db4109ace6ba85b4e3193447bb2e502
- rhosdt/jaeger-ingester-rhel8@sha256:827fb6fc29ad955af6f14f79956d0f3bec745f8c13518a1f140f7408558d12fe
- rhosdt/jaeger-operator-bundle@sha256:760dfab4b65dce1a6a031ee394bc82b1f2701e6bb4b613ca2eeb82046717eeee
- rhosdt/jaeger-query-rhel8@sha256:a2d5393a22f5d78424cfc126c56b8140987eb148ee795b869f73c74d5c1932df
- rhosdt/jaeger-rhel8-operator@sha256:b46fe6592710f591fd9202953a8c56abbc565852b0ebb10f2130fe7b6e8ce1d0
- rhosdt/opentelemetry-collector-rhel8@sha256:76463e2a6f568fa185624b6d06a103f93cba166676788e8bb21d5172a86dae2e
- rhosdt/opentelemetry-operator-bundle@sha256:9df026b6442362eec9acd554454d28f8908070bfae7282c6562ef7eaf2f9e90c
- rhosdt/opentelemetry-rhel8-operator@sha256:120cf7965f52583f9bb5c3781974842b5efb1dbb82083bd9327c85fd13ea3557
- rhosdt/opentelemetry-target-allocator-rhel8@sha256:9ba19a1174f54736c0c4c8ef037516e94328a624c7c8e4ba0b40c3f348205eb6
- rhosdt/tempo-gateway-opa-rhel8@sha256:53bf6446ffd5132da567a03bc6fa14c17a77815082f83af4a39649529e788f51
- rhosdt/tempo-gateway-rhel8@sha256:3bf498bb1cac2fc6267c52cac0131919598b9ea4797b697ace569191657ddce8
- rhosdt/tempo-operator-bundle@sha256:9369d07611c5ef34db98fbf2f1b941fea1543f1714f32cb236b3e5bd67fd874b
- rhosdt/tempo-query-rhel8@sha256:22aa7922788f6a703b51b56558b54369f45d904b3978bb6471c142a2cdabb190
- rhosdt/tempo-rhel8@sha256:7718afadf1b976b81dfdac45d75875bb90dec50768e08f8f7927ae351298170f
- rhosdt/tempo-rhel8-operator@sha256:90907b84124887f2960e76f83bccce99155a055fb981c8665cc77d1e0db25f4b
x86_64
- rhosdt/jaeger-agent-rhel8@sha256:ae9746e42b1522e4cbae8060db136340543790e452c5872da35c29f57706901d
- rhosdt/jaeger-all-in-one-rhel8@sha256:1d0b55cbbaa33b53753259bbaedd57de3855ffc1e7db34f29b2d63df1b61a49a
- rhosdt/jaeger-collector-rhel8@sha256:205ab4f1c0af638ed46ade4150710c46d53d53033e70dbbdbc59f1e5049809e8
- rhosdt/jaeger-es-index-cleaner-rhel8@sha256:c6363e9d1b807e1ad598ee6541c11090db20cc3fbee08e8532348218de6eaf88
- rhosdt/jaeger-es-rollover-rhel8@sha256:1091e265a40b4569dd480923286e137e251fae6ecac7428a085274a53f9b6db5
- rhosdt/jaeger-ingester-rhel8@sha256:ffb39ba0786e2713b0ad90772178997815a202cf620ceb667065642df823e2cd
- rhosdt/jaeger-operator-bundle@sha256:e6bdfda1fc7a64452e02a22225849deae558c0a965880ff17d999532453e5254
- rhosdt/jaeger-query-rhel8@sha256:3a941aad751883b698f572946f2c178894c045967f5d262dcff0f6ca1e514e02
- rhosdt/jaeger-rhel8-operator@sha256:9e486e93aff524044e86fb8be786cb7f10ff9aa2e3f8d7139882054d9b124b74
- rhosdt/opentelemetry-collector-rhel8@sha256:b5b3453bf195cc5815eaf1383ad6e924260c36090661e1415313b72bdcd7ad08
- rhosdt/opentelemetry-operator-bundle@sha256:bfc2ac2670869a21f5caf7861f8d06b6080dd2f0b3ee6e544aaa36ed8eba70f6
- rhosdt/opentelemetry-rhel8-operator@sha256:3a988bde87ea7e8e219ea91e6de9e7f3d8fa2056c83adfec09703d4f58519333
- rhosdt/opentelemetry-target-allocator-rhel8@sha256:1a64e871543aab22d6b923aede1228f789accb39bb7e522ae68c3dc49856ccf2
- rhosdt/tempo-gateway-opa-rhel8@sha256:c7762b7fbf871260b782de24b118ee91f2f7f23fa740b6764f478c2dad4dc18f
- rhosdt/tempo-gateway-rhel8@sha256:1c48235a37632868996a586de3af951a0c431f330530d69e18919218aa3e6232
- rhosdt/tempo-operator-bundle@sha256:b983271f0f7c78154bb832360c6713f58f038831a4eae3fc2d909cca44e7cf66
- rhosdt/tempo-query-rhel8@sha256:8dfad5ab487fa64eff9f1df4ef3200598c36f0e2237b84690f4dc2b73d1f33b6
- rhosdt/tempo-rhel8@sha256:a4e7a0a2d6dade9d883b6d080563736076befe6faa77da65f6ae77882af88c26
- rhosdt/tempo-rhel8-operator@sha256:98ea46342862aa212b834cbc520686ab09490a99a51a692a78f675b2e1528ea2
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.