RHSA-2024:8014 - Security Advisory

Topic

Network Observability 1.7 for Red Hat OpenShift

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

Description

Network Observability 1.7.0

Security Fix(es):

• Network Observability: Code Execution Vulnerability in Send Library (CVE-2024-43799)
• Network Observability: XSS vulnerability via prototype pollution (CVE-2024-45801)
• Network Observability: axios: Server-Side Request Forgery (CVE-2024-39338)
• Network Observability: Denial of Service Vulnerability in body-parser (CVE-2024-45590)
• Network Observability: DOM Clobbering vulnerability in AutoPublicPathRuntimeModule (CVE-2024-43788)
• Network Observability: Backtracking regular expressions cause ReDoS (CVE-2024-45296)
• Network Observability: Improper Input Handling in Express Redirects (CVE-2024-43796)
• Network Observability: Improper Sanitization in serve-static (CVE-2024-43800)
• Network Observability: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion (CVE-2024-34156)
• Network Observability: Calling any of the Parse functions containing deeply nested literals can cause a panic/stack exhaustion (CVE-2024-34155)
• Network Observability: Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion (CVE-2024-34158)

Solution

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Network Observability (NETOBSERV) 1 for RHEL 9 x86_64
• Network Observability (NETOBSERV) for ARM 64 1 for RHEL 9 aarch64
• Network Observability (NETOBSERV) for IBM Power, little endian 1 for RHEL 9 ppc64le
• Network Observability (NETOBSERV) for IBM Z and LinuxONE 1 for RHEL 9 s390x

Fixes

• BZ - 2308193 - CVE-2024-43788 webpack: DOM Clobbering vulnerability in AutoPublicPathRuntimeModule
• BZ - 2310527 - CVE-2024-34155 go/parser: golang: Calling any of the Parse functions containing deeply nested literals can cause a panic/stack exhaustion
• BZ - 2310528 - CVE-2024-34156 encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion
• BZ - 2310529 - CVE-2024-34158 go/build/constraint: golang: Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion
• BZ - 2310908 - CVE-2024-45296 path-to-regexp: Backtracking regular expressions cause ReDoS
• BZ - 2311152 - CVE-2024-43796 express: Improper Input Handling in Express Redirects
• BZ - 2311153 - CVE-2024-43799 send: Code Execution Vulnerability in Send Library
• BZ - 2311154 - CVE-2024-43800 serve-static: Improper Sanitization in serve-static
• BZ - 2311171 - CVE-2024-45590 body-parser: Denial of Service Vulnerability in body-parser
• BZ - 2312631 - CVE-2024-45801 dompurify: XSS vulnerability via prototype pollution
• NETOBSERV-1884 - DNS Changes for TRT Team
• NETOBSERV-1509 - OpenTelemetry logs exporter in netobserv
• NETOBSERV-163 - Network Observability for Developer
• NETOBSERV-1666 - FIPS compliance & disconnected support
• NETOBSERV-1667 - Supporting non-SRIOV secondary interfaces (for Virtualization case)
• NETOBSERV-1753 - TCP flags filtering capabilities
• NETOBSERV-1377 - Deploy network policy
• NETOBSERV-1538 - Get "Unable to get overview" momentarily after installing NetObserv
• NETOBSERV-1540 - "Manage panels" dialog doesn't filter properly
• NETOBSERV-1564 - [Agent perfs] The accounter shouldn't generate many more flows
• NETOBSERV-1746 - Adapt health dashboard to flows metrics enabled
• NETOBSERV-1748 - Updating a FlowMetric may generate errors in FLP
• NETOBSERV-1766 - Increase loki.WriteBatchSize to 10MB default
• NETOBSERV-1779 - Port configured but not protocol results in no error in eBPF flow filtering
• NETOBSERV-1783 - Improve browser cache validation / cleanup
• NETOBSERV-1788 - Topology doesn't show services
• NETOBSERV-1798 - Multitenant console with Loki: cannot set namespace filters
• NETOBSERV-1805 - netobserv 1.6.1 is creating vast number of threads on OCP 4.14 with errors mentioning tcx binary is not available.
• NETOBSERV-1806 - ICMP type are showing as n/a for icmp traffic
• NETOBSERV-1808 - When using realtime kernel version the agent pods gets stuck in Crashloopbackoff state
• NETOBSERV-1812 - Disable filter becomes enabled when going back to Network Traffic panel
• NETOBSERV-1813 - Text overlaps in Topology slider
• NETOBSERV-1816 - It is not possible to filter on "n/a" latency
• NETOBSERV-1819 - Black popup when hovering over "One way"
• NETOBSERV-1848 - Enable egress metric to show more traffic
• NETOBSERV-1733 - Clear filter, but filter comes back in Network Traffic panel
• NETOBSERV-1811 - Labels are removed in netobserv namespace

CVEs

• CVE-2024-34155
• CVE-2024-34156
• CVE-2024-34158
• CVE-2024-39338
• CVE-2024-43788
• CVE-2024-43796
• CVE-2024-43799
• CVE-2024-43800
• CVE-2024-45296
• CVE-2024-45590
• CVE-2024-45801

References

• https://access.redhat.com/security/updates/classification/#important