-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   
Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Logging bug fix and security update (5.2.8)
Advisory ID:       RHSA-2022:0728-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:0728
Issue date:        2022-03-02
CVE Names:         CVE-2020-28491 CVE-2022-0552
====================================================================
1. Summary:

OpenShift Logging bug fix and security update (5.2.8)

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

OpenShift Logging bug fix and security update (5.2.8)

Security Fix(es):

* jackson-dataformat-cbor:  Unchecked allocation of byte buffer can cause a
java.lang.OutOfMemoryError exception (CVE-2020-28491)

* origin-aggregated-logging/elasticsearch: Incomplete fix for
netty-codec-http CVE-2021-21409 (CVE-2022-0552)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For OpenShift Container Platform 4.8 see the following documentation, which
will be updated shortly for this release, for important instructions on how
to upgrade your cluster and fully apply this errata update:

https://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html

For Red Hat OpenShift Logging 5.2, see the following instructions to apply
this update:

https://docs.openshift.com/container-platform/4.7/logging/cluster-logging-upgrading.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1930423 - CVE-2020-28491 jackson-dataformat-cbor:  Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception
2052539 - CVE-2022-0552 origin-aggregated-logging/elasticsearch: Incomplete fix for netty-codec-http CVE-2021-21409

5. JIRA issues fixed (https://issues.jboss.org/):

LOG-2180 - Logging link is not removed when CLO is uninstalled or its instance is removed

6. References:

https://access.redhat.com/security/cve/CVE-2020-28491
https://access.redhat.com/security/cve/CVE-2022-0552
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYh+XzdzjgjWX9erEAQi0Pw//WJzJRTcWyl/UsQ+oS/7AHPR/kIDkPbR4
AX+AbUXO4AEirXvf911Z5ZdwJw8UrYRdnnMAZItCmisNUPZZ9ybi7AIR3b3HQlwl
EKZOvhdt1YwGfGwIL6mjLeAVoxcBAlkE1LvFAcC18aVNDWeSCWxwZOpUzvTPLVuR
2ljs3hvp6YNHnX4EH2eDpE6ylhruBXY2FXeA+SyWg4TU5q1Hg0WsJE4Z0x7YxWUe
RvPBxZ4xBibyxKxBh47zQLp01aQyz4OTQsC3abMyaWd/jN3vZEFHE0N9UqmdLaMn
XOxA9actMytEcBEfbrTPE1FjlDidvpf+tged99a1Aw5yJdZNydx8WFW5gpIoX2Ix
x4QW68dFpImHLtOS6VB9GChQJQXombsDtf8UPssf7iojpkx40Ikk6Eov+x0K78L8
OOWYXEL37xuP4n26RydUEu09H5vfE9gXDDK6vIfFLDu+55+FQpDLn0JAecgMETx6
NxYzrqJGuZjD1ZP46YDpa/XS/2hc9ueo1G8ydwYyT3DabYXqIjA+wcaMJ0BK7471
hFRgZXMHuG8ziGKgONqeZLXi7NBfCwQr8/olnCe+27NRJGQcrRFggDDnjFnhtjgS
PUzfRhUHhS9uNy6Ih7QB+bNGi3t8nUC9pvJ2is9N9ueG3qIw/KWGuDORqBHSEy/R
8hb6hi3wY5g=MXFM
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce