what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Red Hat Security Advisory 2022-2216-01

Red Hat Security Advisory 2022-2216-01
Posted May 12, 2022
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2022-2216-01 - Logging Subsystem 5.4.1 - Red Hat OpenShift. Issues addressed include HTTP request smuggling and denial of service vulnerabilities.

tags | advisory, web, denial of service, vulnerability
systems | linux, redhat
advisories | CVE-2018-25032, CVE-2021-37136, CVE-2021-37137, CVE-2021-4028, CVE-2021-43797, CVE-2022-0778, CVE-2022-1154, CVE-2022-1271, CVE-2022-21426, CVE-2022-21434, CVE-2022-21443, CVE-2022-21476, CVE-2022-21496, CVE-2022-21698, CVE-2022-25636
SHA-256 | e8448d15067ef4e108e62dd39572f25de537bd0cc05255cb4ff9f26a2036af6d

Red Hat Security Advisory 2022-2216-01

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat OpenShift Logging Security and Bug update Release 5.4.1
Advisory ID: RHSA-2022:2216-01
Product: Logging Subsystem for Red Hat OpenShift
Advisory URL: https://access.redhat.com/errata/RHSA-2022:2216
Issue date: 2022-05-11
CVE Names: CVE-2018-25032 CVE-2021-4028 CVE-2021-37136
CVE-2021-37137 CVE-2021-43797 CVE-2022-0778
CVE-2022-1154 CVE-2022-1271 CVE-2022-21426
CVE-2022-21434 CVE-2022-21443 CVE-2022-21476
CVE-2022-21496 CVE-2022-21698 CVE-2022-25636
====================================================================
1. Summary:

Logging Subsystem 5.4.1 - Red Hat OpenShift

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Logging Subsystem 5.4.1 - Red Hat OpenShift

Security Fix(es):

* netty-codec: Bzip2Decoder doesn't allow setting size restrictions for
decompressed data (CVE-2021-37136)

* netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may
buffer skippable chunks in an unnecessary way (CVE-2021-37137)

* netty: control chars in header names may lead to HTTP request smuggling
(CVE-2021-43797)

* prometheus/client_golang: Denial of service using
InstrumentHandlerCounter (CVE-2022-21698)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For OpenShift Container Platform 4.9 see the following documentation, which
will be updated shortly for this release, for important instructions on how
to upgrade your cluster and fully apply this errata update:

https://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html

For Red Hat OpenShift Logging 5.4, see the following instructions to apply
this update:

https://docs.openshift.com/container-platform/4.7/logging/cluster-logging-upgrading.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data
2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way
2031958 - CVE-2021-43797 netty: control chars in header names may lead to HTTP request smuggling
2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter

5. JIRA issues fixed (https://issues.jboss.org/):

LOG-2437 - EO shouldn't grant cluster-wide permission to system:serviceaccount:openshift-monitoring:prometheus-k8s when ES cluster is deployed. [openshift-logging 5.4]
LOG-2442 - Log file metric exporter not working with /var/log/pods
LOG-2448 - Audit and journald logs cannot be viewed from LokiStack, when logs are forwarded with Vector as collector.

6. References:

https://access.redhat.com/security/cve/CVE-2018-25032
https://access.redhat.com/security/cve/CVE-2021-4028
https://access.redhat.com/security/cve/CVE-2021-37136
https://access.redhat.com/security/cve/CVE-2021-37137
https://access.redhat.com/security/cve/CVE-2021-43797
https://access.redhat.com/security/cve/CVE-2022-0778
https://access.redhat.com/security/cve/CVE-2022-1154
https://access.redhat.com/security/cve/CVE-2022-1271
https://access.redhat.com/security/cve/CVE-2022-21426
https://access.redhat.com/security/cve/CVE-2022-21434
https://access.redhat.com/security/cve/CVE-2022-21443
https://access.redhat.com/security/cve/CVE-2022-21476
https://access.redhat.com/security/cve/CVE-2022-21496
https://access.redhat.com/security/cve/CVE-2022-21698
https://access.redhat.com/security/cve/CVE-2022-25636
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYnw2WdzjgjWX9erEAQjPCg//efYQE45tMWtgRGVGo0hKPbiqn/XluxH2
mV9guOJoNcN79wArIn9tGr1SUHMQ8csRyFAzcDOSLZHhqakXdYx+9lZx1xyqYmCm
yoQ7/JOZRmmISnrUl8BY0k8/SVfFIcteWZM6H9ZPKHT59XwpLGdK4vJBi90gyFum
Khc3Xf+AcA1/W4C3zaOznRw/ERhbVQwiCzdxPyCV2hrkxDQNx7fdW55qCYF158Wv
x4AYebhKMtVQuOgLL+/S/lkGcoOj4CMTHKJASrDk58YH3c6u6ZO6SAfutB6fgg59
N5+lR1jv5M7yJPwwdOXyd/NcPKdDmX+dSmcxV9j6e923rC92UkdMcE5MpswOai/P
Le/N9vnLAM9YU7Y7ed3q0mAKqyZ0IKDldtE5qApgXz3PylrkodfDivBF7ewMYPz5
WcM6ggu9cIJDNbyp4oADRO9iPU6NHzyldjtaXfFQ2uiBmIdPhCrBNFFng6jJSWRA
wIfoCJgbUeeEZVle3fmYTNDU62/DIDXIUlVjJar7YVbnwiRn/b//S09Wj3sZ9G23
F69dYrUdZwqgOjLnDStu2xLszFSE9zA9UxoyIOSVikahdMfazMgQsR2GLap1Ekd7
UFXxtgF46vvY4Xy3OtEjqB/CBV8fiKsM9eXAyPws8X5ZSNs7u9jRqj4ZxionIMKl
9rwS/Y7RBGg=tfqg
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close