Red Hat Product Errata RHSA-2025:3131 - Security Advisory
Issued:
2025-03-26
Updated:
2025-03-26

RHSA-2025:3131 - Security Advisory

Synopsis

Important: Logging for Red Hat OpenShift - 6.1.4

Type/Severity

Security Advisory: Important

Topic

Logging for Red Hat OpenShift - 6.1.4

Description

Logging for Red Hat OpenShift - 6.1.4
logging-loki-container: Non-linear parsing of case-insensitive content in golang.org/x/net/html (CVE-2024-45338 )
cluster-logging-operator-container: net/http: sensitive headers incorrectly sent after cross-domain redirect (CVE-2024-45336)
lokistack-gateway-container: net/http: sensitive headers incorrectly sent after cross-domain redirect (CVE-2024-45336)
opa-openshift-container: net/http: sensitive headers incorrectly sent after cross-domain redirect (CVE-2024-45336)
lokistack-gateway-container: Go JOSE's Parsing Vulnerable to Denial of Service (CVE-2025-27144)

Solution

For OpenShift Container Platform 4.17 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:

https://docs.openshift.com/container-platform/4.17/release_notes/ocp-4-17-release-notes.html

For Red Hat OpenShift Logging 6.1, see the following instructions to apply this update:

https://docs.openshift.com/container-platform/4.17/observability/logging/logging-6.1/log6x-upgrading-to-6.html

Affected Products

  • Logging Subsystem for Red Hat OpenShift for ARM 64 6 aarch64
  • Logging Subsystem for Red Hat OpenShift 6 x86_64
  • Logging Subsystem for Red Hat OpenShift for IBM Power, little endian 6 ppc64le
  • Logging Subsystem for Red Hat OpenShift for IBM Z and LinuxONE 6 s390x

Fixes

  • BZ - 2333122 - CVE-2024-45338 golang.org/x/net/html: Non-linear parsing of case-insensitive content in golang.org/x/net/html
  • BZ - 2341751 - CVE-2024-45336 golang: net/http: net/http: sensitive headers incorrectly sent after cross-domain redirect
  • BZ - 2347423 - CVE-2025-27144 go-jose: Go JOSE's Parsing Vulnerable to Denial of Service
  • LOG-6623 - Red Hat Managed Elasticsearch index must follow pattern "app-", "infra-" and "audit-"
  • LOG-6797 - [release-6.1] Loki Operator sets an invalid number of delete workers when using pico size

aarch64

openshift-logging/cluster-logging-rhel9-operator@sha256:8027ebaf481eebf1d9b3d0eee35d0f8390ba0aecbc6e2ee06f88043c46340aa8
openshift-logging/eventrouter-rhel9@sha256:0fffb013cc90701c6ab5d6995e5626f897c6902e3a1c2990db8d15dab0807d88
openshift-logging/log-file-metric-exporter-rhel9@sha256:a4511102e85d0f6bd2197429d782e47a856024082bf819ba51a9f3dd1106c151
openshift-logging/logging-loki-rhel9@sha256:13ad9cfbb796c1a10f3a4cb371e674e6609b7b7d245aca5e5863b508c8f219f6
openshift-logging/loki-rhel9-operator@sha256:8df1c6e06cd17e3015c7530fea2312aeff1a9fc3b1ed5317611961cb661487eb
openshift-logging/lokistack-gateway-rhel9@sha256:83bcc8176e1171bbbcca67f26c31a9c991dc706f7ed44c1618cb82187414054f
openshift-logging/opa-openshift-rhel9@sha256:b49acfeb63ac8dee78ab577b5243a8eb63835f6268384503c1253b53953dc313
openshift-logging/vector-rhel9@sha256:cf81df3a0c88ec07bb3f4ac9bd9c8fb41aaea1ab3e24eb9449aa58b5910d2f3b

ppc64le

openshift-logging/cluster-logging-rhel9-operator@sha256:97252762d4350b97b2bbe65454c52163a925a2c0fc57b2b8bf22ac272cb566cf
openshift-logging/eventrouter-rhel9@sha256:63d9b83da2752c6fa9a4764afca3e98b82265d0157714eb0e8f4d31351d135f5
openshift-logging/log-file-metric-exporter-rhel9@sha256:a9d55d6c654c1fce9b78ba99b7031a11ff8db470113ad0d86e52e0113d117dab
openshift-logging/logging-loki-rhel9@sha256:51b6e56d97ba3744ad9e4a34cd11d44a9e6ac76314225171e4806e42a361c773
openshift-logging/loki-rhel9-operator@sha256:1a0ec1a067b407ba7e48e4aeadb0c9a087e0baa0cb36c23361ac65d16426f10c
openshift-logging/lokistack-gateway-rhel9@sha256:f39bc6a61714802f42aa4c32242d6f0b6ccd416300421bcb5a09d23aba39ee36
openshift-logging/opa-openshift-rhel9@sha256:2f9ef3a999a0a3677293a4673a5f13ee1e52ad8b010c36098a5fd8db2ba3e932
openshift-logging/vector-rhel9@sha256:0e1f8896fe6abb6f8d6961b4a390205e001877e7621c78f305e08c7d97235f5e

s390x

openshift-logging/cluster-logging-rhel9-operator@sha256:fafc296b1270eb068157cccb039599c1159cab5e149b45acf0da57e3a04e7b36
openshift-logging/eventrouter-rhel9@sha256:5aff59a0f93149b6f22f79556ab034ac5d383674d1bc2bb3d15e795e607f6fe4
openshift-logging/log-file-metric-exporter-rhel9@sha256:d2fb75d3c1bfdf061631dffa7113d6410f0fdd9773abd496b91281713489ab45
openshift-logging/logging-loki-rhel9@sha256:70c70a6eca66d45832f976fe062780cdea17a90ccc34e2e7b380767a375ff1e8
openshift-logging/loki-rhel9-operator@sha256:cd655287a3a3dd0540e36df230c0c2cdeabbc8d61a6be64c70bb515da9ff0a3f
openshift-logging/lokistack-gateway-rhel9@sha256:8ce642fc6ba84abec046ec4d37e6ae11b841978148d6548c972f93374ef11bec
openshift-logging/opa-openshift-rhel9@sha256:c19b42a324d049b71a09f3979b8718220166279ae4f135dc339813d15e2082f6
openshift-logging/vector-rhel9@sha256:6230e301464371370926ab703049b57f54fa6a1e551ed3b962670415ea08ebaf

x86_64

openshift-logging/cluster-logging-operator-bundle@sha256:2ac22e0a4469dbd521e501f94aed9d6f6cfd42c380295fccda70845e624cc344
openshift-logging/cluster-logging-rhel9-operator@sha256:083dad5f886c60ea9660d32e0afd171395363b6734530e68ee7b1a59a83c4c0f
openshift-logging/eventrouter-rhel9@sha256:7b986827ecb1f0014ced0cd8bcdf5db0b2522bd2743e7c76eddedf0846428070
openshift-logging/log-file-metric-exporter-rhel9@sha256:648290626590d1bf3401882dcf1e0ae0bc783fa422267ae9f769ecb179ddfe00
openshift-logging/logging-loki-rhel9@sha256:af9aa36d2fdf2ca882bac401ac5caff5241b1ae42c1fff0f8cffcd3e8a00a6f2
openshift-logging/loki-operator-bundle@sha256:6caabb4a166da0c3922e78030e6370cb82b923bd1e80ea2be39d7f9f35ace840
openshift-logging/loki-rhel9-operator@sha256:80a8d28b9a04a24139f8b3886c2ef6ab4f27bb6f14b3890f224f7d1ac6379472
openshift-logging/lokistack-gateway-rhel9@sha256:d33dabeb04dc31d194efcec83667928a33481d7bf7086365b9672c1cd150faa3
openshift-logging/opa-openshift-rhel9@sha256:70ae585e1ae9622b593e4a6cb6505ed918cd564db748526ef0175d984c063028
openshift-logging/vector-rhel9@sha256:cccff902663f34e08ae0bd837bd518fa35fa6a91f822b354923e089bd5a24b53

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.