Red Hat Product Errata RHSA-2024:8040 - Security Advisory
Issued:
2024-10-14
Updated:
2024-10-14

RHSA-2024:8040 - Security Advisory

Synopsis

Moderate: Cluster Observability Operator 0.4.1

Type/Severity

Security Advisory: Moderate

Topic

The Cluster Observability Operator is a Kubernetes operator which enables the management of Monitoring/Alerting stacks through Kubernetes CRDs.

Description

Cluster Observability Operator

Security Fix(es):

  • coo-prometheus-container: go-retryablehttp: url might write sensitive information to log file [coo-0] (CVE-2024-6104)
  • coo-thanos-container: golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON [coo-0] (CVE-2024-24786)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)listed in the References section.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Cluster Observability Operator 1 x86_64

Fixes

  • BZ - 2268046 - CVE-2024-24786 golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON
  • BZ - 2294000 - CVE-2024-6104 go-retryablehttp: url might write sensitive information to log file
  • COO-152 - consoles.operator.openshift.io still contains console-dashboards-plugin after delete the plugin
  • COO-220 - Prometheus WebTLS
  • COO-221 - Alertmanager WebTLS
  • COO-353 - The OpenShift console doesn't display the correct logo for COO
  • COO-354 - Support link isn't an hyperlink.
  • COO-356 - CSV refers to https://rhobs-handbook.netlify.app/products/observability-operator
  • COO-401 - Update midstream to Thanos v0.36.1
  • COO-402 - Update midstream prometheus operator to v0.77.1
  • COO-403 - Update midstream prometheus to v2.54.1
  • COO-404 - Update midstream Logging Plugin 0.6
  • COO-451 - UIPlugin setup fails in Openshift 4.16

aarch64

cluster-observability-operator/cluster-observability-rhel8-operator@sha256:bbb6660cf46efbb1faf486a70cd75eea98bb5934a35b2f8822649adde33b7d69
cluster-observability-operator/coo-admission-webhook-rhel8@sha256:4a0d2596c312c09a12f3fbb1dfa7a843e9a7350c902d336f1104fdd0dd5c0eeb
cluster-observability-operator/coo-console-dashboards-plugin-rhel8@sha256:d12ea94ee73beaad6f5036fae695a4be9ca122a727243c3af2a94b1ecd69ecd4
cluster-observability-operator/coo-console-distributed-tracing-plugin-rhel8@sha256:7a8db48bc6a04e1d6aba1184851c302cab6ed41bf15c90119e208d6f2ca2d8e3
cluster-observability-operator/coo-console-logging-plugin-rhel8@sha256:a4ec681f211941feacdd420b84fba981b5847599322c908037e1f5af1cc11c8a
cluster-observability-operator/coo-console-troubleshooting-panel-plugin-rhel8@sha256:d2507336d518bf15acc691fb5439474084fc0310e12893856f11320f84be89e0
cluster-observability-operator/coo-korrel8r-rhel8@sha256:eb863dc1d7dff7896ab047120621baa2f2d16fd6561da175a2c635e23b4d4a20
cluster-observability-operator/coo-prometheus-alertmanager-rhel8@sha256:d2acbae1d5aa7ed2653ac8eeb9a0e9993b6fa57813d64eaedf05490150c640f4
cluster-observability-operator/coo-prometheus-config-reloader-rhel8@sha256:7719caef629c6af767f2698570439c96c4ea5f4522de55cb6ecec5bb89691898
cluster-observability-operator/coo-prometheus-rhel8@sha256:01a13fbcec0f495aef674ab4e40310bc1dd064e312bf24082293248de2541a62
cluster-observability-operator/coo-prometheus-rhel8-operator@sha256:06d60017a07b1a62e5f20fa4fc9cc9825a9ca5105b629bd28d246409ca3642c2
cluster-observability-operator/coo-thanos-rhel8@sha256:804536e0d0537721c4d5e3327b81054d57d43aa7b1c22ce33c2c6db1ba9b120a

ppc64le

cluster-observability-operator/cluster-observability-rhel8-operator@sha256:079fac56eede66aed6385bce19c57db751e6d355e37726d158794dc05a96b51d
cluster-observability-operator/coo-admission-webhook-rhel8@sha256:96fc05ad7542edffa5286ee9a6d0100a6e288f1ccc20730a7cf068176793ce01
cluster-observability-operator/coo-console-dashboards-plugin-rhel8@sha256:37e7bfe68d61018277f22e54976f4bd4bc73e89dd438ad541f6327e8f5504eb9
cluster-observability-operator/coo-console-distributed-tracing-plugin-rhel8@sha256:56248b53c9940d1abfcc1157b9598fd80b72bca941202e819656c7f4a776de1b
cluster-observability-operator/coo-console-logging-plugin-rhel8@sha256:883129832d08a421d25e4d638d44c51a55fd6a2e93f9b24d3e48fff98a9cccd3
cluster-observability-operator/coo-console-troubleshooting-panel-plugin-rhel8@sha256:2842bafb0365c22bb5fa7dc90227e7bc14a6ecb67fd0b1b557611b8cdc364b43
cluster-observability-operator/coo-korrel8r-rhel8@sha256:62705a9d702bd139c34050dba7a3ea5b031561890c70b8d7ad064a02dc60d938
cluster-observability-operator/coo-prometheus-alertmanager-rhel8@sha256:410baf774fa47573a510a96aa57140a0f6279e54cb25a6fcc0199acfb853f278
cluster-observability-operator/coo-prometheus-config-reloader-rhel8@sha256:56df64ea1121b2042988ebc4d96480d4e401de835c6dc40c079d845139b07261
cluster-observability-operator/coo-prometheus-rhel8@sha256:f3ade0e4d49a54e811dd88e9050761f5e93efc53c7776e1fa80700249326f0ba
cluster-observability-operator/coo-prometheus-rhel8-operator@sha256:9aeaef13a1cd9eee2b21081db72ec2f1ee5c19895bdf5d1398e5fa0d777033c6
cluster-observability-operator/coo-thanos-rhel8@sha256:554aea53cdc36981cb0246ce0f0eea41618ed2ec19c7969475e31290b2652442

s390x

cluster-observability-operator/cluster-observability-rhel8-operator@sha256:7cb23e4df187fa329f142bde4fa2dd807a1ccfd73744aa7948d1ae1be2ae4338
cluster-observability-operator/coo-admission-webhook-rhel8@sha256:1619e486f93ad3dfbecf8aeec903606175b67bd43ac522e6dcd016c9d1a02801
cluster-observability-operator/coo-console-dashboards-plugin-rhel8@sha256:b4eeefb52b8d23ced18e504da71088078a4de96c9920ca4370a37edee3e9bbe7
cluster-observability-operator/coo-console-distributed-tracing-plugin-rhel8@sha256:baa5a9a76782ac5b1c624ea6359a9b45350822aefb7b3eeac5f94c89afc4dff6
cluster-observability-operator/coo-console-logging-plugin-rhel8@sha256:a15e1cea125ac7db2babddf00da5549bae2ab9b7344c22bc016bb1732da1dd33
cluster-observability-operator/coo-console-troubleshooting-panel-plugin-rhel8@sha256:b9a34abce23ecbf58fa210fafa6b38083e8053194f75f3f30f05ec12aa5800ab
cluster-observability-operator/coo-korrel8r-rhel8@sha256:3845b805eb7aeaa2a4a7046f497683ad61954365516cf0a6df5be2d0f1e75e39
cluster-observability-operator/coo-prometheus-alertmanager-rhel8@sha256:6de46dc755ddfaaae9de76e2e297eb3b16109655a6eb16b345d71cb106547d8b
cluster-observability-operator/coo-prometheus-config-reloader-rhel8@sha256:9f060da1bbc2d6c08864ff612d83a1f1269effd44cfe2af833cec5301babe1b9
cluster-observability-operator/coo-prometheus-rhel8@sha256:d6040851830dd5f471d2fcc16433e68090d5483fbcfc18300f6decf9b3b4251e
cluster-observability-operator/coo-prometheus-rhel8-operator@sha256:4b0f5afa90e0438f4bee7bea5f3b05f58c1ce8c99b05cf9b84513972ba77c65d
cluster-observability-operator/coo-thanos-rhel8@sha256:8b198b0edb6cf097ce75ff89e2b5f7f5179a1c236b1093a929f5728039a86b4b

x86_64

cluster-observability-operator/cluster-observability-operator-bundle@sha256:55ce1ea85a4099f326cae033a63e73c66d0a0d68b5f01c694ee7238b3bb8d79c
cluster-observability-operator/cluster-observability-rhel8-operator@sha256:2692dfafdb558734219217c45719bfaa0f6b8eaec34b0cda8735fe457875120f
cluster-observability-operator/coo-admission-webhook-rhel8@sha256:09dd473327634ce06b33f61f5299244f1ec2f2a9b93a8c4c6507e1b90c02101f
cluster-observability-operator/coo-console-dashboards-plugin-rhel8@sha256:ffa63a7b877bcdb025321ce0b3e98ea9c758e3a191e419f1bd83e0992341838a
cluster-observability-operator/coo-console-distributed-tracing-plugin-rhel8@sha256:ad1eb01b8de7284f7092b007badbabf0d9c44c6e5e5593b81d89e3c600c90eff
cluster-observability-operator/coo-console-logging-plugin-rhel8@sha256:55b5d83578683c78ae1c58bd1091e277807c3e7c89919b340dc7be54e9119cd5
cluster-observability-operator/coo-console-troubleshooting-panel-plugin-rhel8@sha256:f36a7ac58d4c54041f33e6897e2cbb49489f5059607973b6f4d47aa4c7b49ec3
cluster-observability-operator/coo-korrel8r-rhel8@sha256:0d8c2ce4d22a8a41e9c6a1a2abfc161271e8b515d19be1920c2bd75bf447f477
cluster-observability-operator/coo-prometheus-alertmanager-rhel8@sha256:89b9ad78b757ba5006889ed8f8478ccf1d474c02ce42f311b5792f05ceda70b4
cluster-observability-operator/coo-prometheus-config-reloader-rhel8@sha256:fd34ca67de1f32300f7e870b6c8def9b511611d0613bad6936ade83e100d7855
cluster-observability-operator/coo-prometheus-rhel8@sha256:5a3973e1531949f5213d0444822f13c838e0d8b4c77988a917da4e928fa721ac
cluster-observability-operator/coo-prometheus-rhel8-operator@sha256:3cd746f52fb0439515e6cb111b22c3f89628a6a2193637a4d73cc82d4c2b1181
cluster-observability-operator/coo-thanos-rhel8@sha256:5a1d21f2631aa2ef3be1ec41c745c32dc0797f3b6b66c95143a9ac5a187bd40b

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.