Red Hat Security Advisory 2023-3905-01 - Network Observability 1.3.0 is an OpenShift operator that provides a monitoring pipeline to collect and enrich network flows that are produced by the Network observability eBPF agent. The operator provides dashboards, metrics, and keeps flows accessible in a queryable log store, Grafana Loki. When a FlowCollector is deployed, new dashboards are available in the Console. This update contains bug fixes.
9c1a4b3b6b1779c22972b35dae1d77dc4ebc7de0dffbdefb344d5318801994ff-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: Network observability 1.3.0 for Openshift
Advisory ID: RHSA-2023:3905-01
Product: Network Observability
Advisory URL: https://access.redhat.com/errata/RHSA-2023:3905
Issue date: 2023-06-28
CVE Names: CVE-2022-28805 CVE-2022-36227 CVE-2023-0464
CVE-2023-0465 CVE-2023-0466 CVE-2023-1255
CVE-2023-2650 CVE-2023-24539 CVE-2023-24540
CVE-2023-27535 CVE-2023-29400
=====================================================================
1. Summary:
Network Observability 1.3.0 for OpenShift
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Description:
Network Observability 1.3.0 is an OpenShift operator that provides a
monitoring pipeline to collect and enrich network flows that are produced
by the Network observability eBPF agent.
The operator provides dashboards, metrics, and keeps flows accessible in a
queryable log store, Grafana Loki. When a FlowCollector is deployed, new
dashboards are available in the Console.
This update contains bug fixes.
Security Fix(es):
* golang: html/template: improper handling of JavaScript whitespace
(CVE-2023-24540)
* golang: html/template: improper sanitization of CSS values
(CVE-2023-24539)
* golang: html/template: improper handling of empty HTML attributes
(CVE-2023-29400)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
3. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
4. Bugs fixed (https://bugzilla.redhat.com/):
2196026 - CVE-2023-24539 golang: html/template: improper sanitization of CSS values
2196027 - CVE-2023-24540 golang: html/template: improper handling of JavaScript whitespace
2196029 - CVE-2023-29400 golang: html/template: improper handling of empty HTML attributes
5. JIRA issues fixed (https://issues.redhat.com/):
NETOBSERV-1003 - include metrics role and rolebinding in operator bundle
NETOBSERV-1070 - FLP metrics is not populated with TLS scheme
NETOBSERV-166 - Multitenancy support in Network Observability for project admins
NETOBSERV-391 - Metrics & prometheus setup - flow based dashboards and metrics
NETOBSERV-576 - Multi-arch builds - amd64, ppc64le, arm64
NETOBSERV-765 - Plugin's ServiceMonitor doesn't work
NETOBSERV-773 - Copy certificates across namespaces
NETOBSERV-776 - Implement RBAC control in Loki Gateway
NETOBSERV-901 - Console integration (admin perspective)
NETOBSERV-934 - Add SCTP/ICMPv4/ICMPv6 support to ebpf agent
NETOBSERV-971 - portNaming cannot be disabled
NETOBSERV-972 - user authentication fails for non-kubeadmin users despite they're in cluster-admin groups
NETOBSERV-976 - Not able to disable alerts
NETOBSERV-981 - add must-gather support for network-observability
NETOBSERV-984 - KafkaInterBrokerProtocalVersion throws warning and has ingestion errors
6. References:
https://access.redhat.com/security/cve/CVE-2022-28805
https://access.redhat.com/security/cve/CVE-2022-36227
https://access.redhat.com/security/cve/CVE-2023-0464
https://access.redhat.com/security/cve/CVE-2023-0465
https://access.redhat.com/security/cve/CVE-2023-0466
https://access.redhat.com/security/cve/CVE-2023-1255
https://access.redhat.com/security/cve/CVE-2023-2650
https://access.redhat.com/security/cve/CVE-2023-24539
https://access.redhat.com/security/cve/CVE-2023-24540
https://access.redhat.com/security/cve/CVE-2023-27535
https://access.redhat.com/security/cve/CVE-2023-29400
https://access.redhat.com/security/updates/classification/#important
7. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBZJxWj9zjgjWX9erEAQhGvxAAlqe2wRYPbDiTD3U94mCKBvCm6LseRogK
h+/FLgFUIVmt4wdDRA6O1S+wEqzeHbK1HVgHbU40u4hFU/0M1PEJsiDOyC4hAioO
YDry9NxjaCdd4gRtwq8xuBwyeWvRN6sZna1ei/kUcy+1pvJc+YNVMoW3KyBVa2Kp
dMdCoVvOt0/yggqFix4bRlzldS1HqBPT3PCSqWJO5OsLa1HyPDmsPYLTzJBXBgiZ
of9tgcZ0iwM6/2P6hmKjrKX3hVFNAN47mbmF6u5XfxPywLCEcg5p5eWl1pfJoAYO
GwLn0EgW7SKd6Woaq3BIY8MN0+8L9vOba8zWV2ZS1Jkio1RBiBpeoINbFJObXr5N
tkKxkJGlnoSypLARdUl5HZwd6MxbVnB1+JQMnjJKCn+VWjxrqCzENMYDrjEzcaLD
HyD3HNOriA8ZCvtXOIqVIzKfqAeO++FUn7OUU9U1aBo9zc/AdpeGzBAiW09E9o1d
cpPdxfEFYl0uEqw3ZdlXYb58dCU9UsVdS6wxhJSIUtdWiqdLXmXzI/1ZdfSXIOwr
9ud3epfl6clFx8Ibt9VXLD4GUU58v+Q46pDtE6Flcf+8AXN5Mn6tanOOQs1JsuVM
oxS+DfzbBZeJnLyEpW6YbMhbGqV8QXm6TF8c+IGAEpGjQwGTblX3BmOf/ijj7Hxt
KmF4LPB8n6E=
=8qT8
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed