Issued: 2024-06-17
Updated: 2024-06-17
RHSA-2024:3868 - Security Advisory
Synopsis
Important: Network Observability 1.6.0 for OpenShift
Type/Severity
Security Advisory: Important
Topic
Network Observability 1.6 for Red Hat OpenShift
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Network Observability 1.6.0
Security Fix(es):
- CVE-2024-29180 webpack-dev-middleware: lack of URL validation may lead to file leak
- CVE-2024-24786 golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON
- CVE-2023-42282 nodejs-ip: arbitrary code execution via the isPublic() function
- CVE-2023-39326 golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests
- CVE-2024-28849 follow-redirects: Possible credential leak
- CVE-2024-24783 golang: crypto/x509: Verify panics on certificates with an unknown public key algorithm
- CVE-2023-45289 golang: net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect
- CVE-2023-45290 golang: net/http: memory exhaustion in Request.ParseMultipartForm
- CVE-2024-24785 golang: html/template: errors returned from MarshalJSON methods may break template escaping
- CVE-2024-29041 express: cause malformed URLs to be evaluated
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Solution
For details on how to apply this update, refer to:
Affected Products
- Network Observability (NETOBSERV) 1 for RHEL 9 x86_64
- Network Observability (NETOBSERV) for ARM 64 1 for RHEL 9 aarch64
- Network Observability (NETOBSERV) for IBM Power, little endian 1 for RHEL 9 ppc64le
- Network Observability (NETOBSERV) for IBM Z and LinuxONE 1 for RHEL 9 s390x
Fixes
- BZ - 2253330 - CVE-2023-39326 golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests
- BZ - 2265161 - CVE-2023-42282 nodejs-ip: arbitrary code execution via the isPublic() function
- BZ - 2268017 - CVE-2023-45290 golang: net/http: memory exhaustion in Request.ParseMultipartForm
- BZ - 2268018 - CVE-2023-45289 golang: net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect
- BZ - 2268019 - CVE-2024-24783 golang: crypto/x509: Verify panics on certificates with an unknown public key algorithm
- BZ - 2268022 - CVE-2024-24785 golang: html/template: errors returned from MarshalJSON methods may break template escaping
- BZ - 2268046 - CVE-2024-24786 golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON
- BZ - 2269576 - CVE-2024-28849 follow-redirects: Possible credential leak
- BZ - 2270863 - CVE-2024-29180 webpack-dev-middleware: lack of URL validation may lead to file leak
- BZ - 2290901 - CVE-2024-29041 express: cause malformed URLs to be evaluated
- NETOBSERV-1544 - Dead link in Network Observability Operator page
- NETOBSERV-1607 - metrics API has invalid link to json flows format page
- NETOBSERV-1647 - Reconcile errors for lokistack-gateway-ca-bundle when loki.enable=false and loki.mode=LokiStack
- NETOBSERV-1279 - Netobserv CLI
- NETOBSERV-1408 - use TCX ebpf hook instead of TC and remove dependency on netlink and qdisc
- NETOBSERV-1424 - Custom metrics API GA
- NETOBSERV-1453 - Improve eBPF agent performance 1.6
- NETOBSERV-1459 - Deduper merge mode enablement
- NETOBSERV-1462 - New metrics datasource for console plugin
- NETOBSERV-1598 - Deployment & Collection filtering capabilities
- NETOBSERV-1606 - Add Pods toleration support
- NETOBSERV-1630 - Can't create a filtering rule with a NOT, i.e., NOT <CIDR>
- NETOBSERV-1621 - When user is not admin overview and table view page doesn't show error message
CVEs
- CVE-2022-48554
- CVE-2023-2975
- CVE-2023-3446
- CVE-2023-3817
- CVE-2023-5678
- CVE-2023-6129
- CVE-2023-6237
- CVE-2023-7008
- CVE-2023-39326
- CVE-2023-42282
- CVE-2023-45289
- CVE-2023-45290
- CVE-2024-0727
- CVE-2024-2961
- CVE-2024-24783
- CVE-2024-24785
- CVE-2024-24786
- CVE-2024-25062
- CVE-2024-28182
- CVE-2024-28834
- CVE-2024-28835
- CVE-2024-28849
- CVE-2024-29041
- CVE-2024-29180
- CVE-2024-33599
- CVE-2024-33600
- CVE-2024-33601
- CVE-2024-33602
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.