what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Red Hat Security Advisory 2022-6051-01

Red Hat Security Advisory 2022-6051-01
Posted Aug 19, 2022
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2022-6051-01 - An update is now available for RHOL-5.5-RHEL-8. Issues addressed include denial of service, man-in-the-middle, and out of bounds read vulnerabilities.

tags | advisory, denial of service, vulnerability
systems | linux, redhat
advisories | CVE-2021-38561, CVE-2022-0759, CVE-2022-1012, CVE-2022-1292, CVE-2022-1586, CVE-2022-1785, CVE-2022-1897, CVE-2022-1927, CVE-2022-2068, CVE-2022-2097, CVE-2022-21698, CVE-2022-30631, CVE-2022-32250
SHA-256 | 34dbc339b99387a91824a2ceb744350fc879ba77db776d936b2aebbd0812265e

Red Hat Security Advisory 2022-6051-01

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
Red Hat Security Advisory

Synopsis: Important: Logging Subsystem 5.5.0 - Red Hat OpenShift security update
Advisory ID: RHSA-2022:6051-01
Product: RHOL
Advisory URL: https://access.redhat.com/errata/RHSA-2022:6051
Issue date: 2022-08-18
CVE Names: CVE-2021-38561 CVE-2022-0759 CVE-2022-1012
CVE-2022-1292 CVE-2022-1586 CVE-2022-1785
CVE-2022-1897 CVE-2022-1927 CVE-2022-2068
CVE-2022-2097 CVE-2022-21698 CVE-2022-30631
CVE-2022-32250
====================================================================
1. Summary:

An update is now available for RHOL-5.5-RHEL-8.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Logging Subsystem 5.5.0 - Red Hat OpenShift

Security Fix(es):

* kubeclient: kubeconfig parsing error can lead to MITM attacks
(CVE-2022-0759)

* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

* golang: out-of-bounds read in golang.org/x/text/language leads to DoS
(CVE-2021-38561)

* prometheus/client_golang: Denial of service using
InstrumentHandlerCounter (CVE-2022-21698)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter
2058404 - CVE-2022-0759 kubeclient: kubeconfig parsing error can lead to MITM attacks
2100495 - CVE-2021-38561 golang: out-of-bounds read in golang.org/x/text/language leads to DoS
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read

5. JIRA issues fixed (https://issues.jboss.org/):

LOG-1415 - Allow users to tune fluentd
LOG-1539 - Events and CLO csv are not collected after running `oc adm must-gather --image=$downstream-clo-image `
LOG-1713 - Reduce Permissions granted for prometheus-k8s service account
LOG-2063 - Collector pods fail to start when a Vector only Cluster Logging instance is created.
LOG-2134 - The infra logs are sent to app-xx indices
LOG-2159 - Cluster Logging Pods in CrashLoopBackOff
LOG-2165 - [Vector] Default log level debug makes it hard to find useful error/failure messages.
LOG-2167 - [Vector] Collector pods fails to start with configuration error when using Kafka SASL over SSL
LOG-2169 - [Vector] Logs not being sent to Kafka with SASL plaintext.
LOG-2172 - [vector]The openshift-apiserver and ovn audit logs can not be collected.
LOG-2242 - Log file metric exporter is still following /var/log/containers files.
LOG-2243 - grafana-dashboard-cluster-logging should be deleted once clusterlogging/instance was removed
LOG-2264 - Logging link should contain an icon
LOG-2274 - [Logging 5.5] EO doesn't recreate secrets kibana and kibana-proxy after removing them.
LOG-2276 - Fluent config format is hard to read via configmap
LOG-2290 - ClusterLogging Instance status in not getting updated in UI
LOG-2291 - [release-5.5] Events listing out of order in Kibana 6.8.1
LOG-2294 - [Vector] Vector internal metrics are not exposed via HTTPS due to which OpenShift Monitoring Prometheus service cannot scrape the metrics endpoint.
LOG-2300 - [Logging 5.5]ES pods can't be ready after removing secret/signing-elasticsearch
LOG-2303 - [Logging 5.5] Elasticsearch cluster upgrade stuck
LOG-2308 - configmap grafana-dashboard-elasticsearch is being created and deleted continously
LOG-2333 - Journal logs not reaching Elasticsearch output
LOG-2337 - [Vector] Missing @ prefix from the timestamp field in log record.
LOG-2342 - [Logging 5.5] Kibana pod can't connect to ES cluster after removing secret/signing-elasticsearch: "x509: certificate signed by unknown authority"
LOG-2384 - Provide a method to get authenticated from GCP
LOG-2411 - [Vector] Audit logs forwarding not working.
LOG-2412 - CLO's loki output url is parsed wrongly
LOG-2413 - PriorityClass cluster-logging is deleted if provide an invalid log type
LOG-2418 - EO supported time units don't match the units specified in CRDs.
LOG-2439 - Telemetry: the managedStatus&healthStatus&version values are wrong
LOG-2440 - [loki-operator] Live tail of logs does not work on OpenShift
LOG-2444 - The write index is removed when `the size of the index` > `diskThresholdPercent% * total size`.
LOG-2460 - [Vector] Collector pods fail to start on a FIPS enabled cluster.
LOG-2461 - [Vector] Vector auth config not generated when user provided bearer token is used in a secret for connecting to LokiStack.
LOG-2463 - Elasticsearch operator repeatedly prints error message when checking indices
LOG-2474 - EO shouldn't grant cluster-wide permission to system:serviceaccount:openshift-monitoring:prometheus-k8s when ES cluster is deployed. [openshift-logging 5.5]
LOG-2522 - CLO supported time units don't match the units specified in CRDs.
LOG-2525 - The container's logs are not sent to separate index if the annotation is added after the pod is ready.
LOG-2546 - TLS handshake error on loki-gateway for FIPS cluster
LOG-2549 - [Vector] [master] Journald logs not sent to the Log store when using Vector as collector.
LOG-2554 - [Vector] [master] Fallback index is not used when structuredTypeKey is missing from JSON log data
LOG-2588 - FluentdQueueLengthIncreasing rule failing to be evaluated.
LOG-2596 - [vector]the condition in [transforms.route_container_logs] is inaccurate
LOG-2599 - Supported values for level field don't match documentation
LOG-2605 - $labels.instance is empty in the message when firing FluentdNodeDown alert
LOG-2609 - fluentd and vector are unable to ship logs to elasticsearch when cluster-wide proxy is in effect
LOG-2619 - containers violate PodSecurity -- Log Exporation
LOG-2627 - containers violate PodSecurity -- Loki
LOG-2649 - Level Critical should match the beginning of the line as the other levels
LOG-2656 - Logging uses deprecated v1beta1 apis
LOG-2664 - Deprecated Feature logs causing too much noise
LOG-2665 - [Logging 5.5] Sometimes collector fails to push logs to Elasticsearch cluster
LOG-2693 - Integration with Jaeger fails for ServiceMonitor
LOG-2700 - [Vector] vector container can't start due to "unknown field `pod_annotation_fields`" .
LOG-2703 - Collector DaemonSet is not removed when CLF is deleted for fluentd/vector only CL instance
LOG-2725 - Upgrade logging-eventrouter Golang version and tags
LOG-2731 - CLO keeps reporting `Reconcile ServiceMonitor retry error` and `Reconcile Service retry error` after creating clusterlogging.
LOG-2732 - Prometheus Operator pod throws 'skipping servicemonitor' error on Jaeger integration
LOG-2742 - unrecognized outputs when use the sts role secret
LOG-2746 - CloudWatch forwarding rejecting large log events, fills tmpfs
LOG-2749 - OpenShift Logging Dashboard for Elastic Shards shows "active_primary" instead of "active" shards.
LOG-2753 - Update Grafana configuration for LokiStack integration on grafana/loki repo
LOG-2763 - [Vector]{Master} Vector's healthcheck fails when forwarding logs to Lokistack.
LOG-2764 - ElasticSearch operator does not respect referencePolicy when selecting oauth-proxy image
LOG-2765 - ingester pod can not be started in IPv6 cluster
LOG-2766 - [vector] failed to parse cluster url: invalid authority IPv6 http-proxy
LOG-2772 - arn validation failed when role_arn=arn:aws-us-gov:xxx
LOG-2773 - No cluster-logging-operator-metrics service in logging 5.5
LOG-2778 - [Vector] [OCP 4.11] SA token not added to Vector config when connecting to LokiStack instance without CLF creds secret required by LokiStack.
LOG-2784 - Japanese log messages are garbled at Kibana
LOG-2793 - [Vector] OVN audit logs are missing the level field.
LOG-2864 - [vector] Can not sent logs to default when loki is the default output in CLF
LOG-2867 - [fluentd] All logs are sent to application tenant when loki is used as default logstore in CLF.
LOG-2873 - [Vector] Cannot configure CPU/Memory requests/limits when using Vector as collector.
LOG-2875 - Seeing a black rectangle box on the graph in Logs view
LOG-2876 - The link to the 'Container details' page on the 'Logs' screen throws error
LOG-2877 - When there is no query entered, seeing error message on the Logs view
LOG-2882 - RefreshIntervalDropdown and TimeRangeDropdown always set back to its original values when switching between pages in 'Logs' screen

6. References:

https://access.redhat.com/security/cve/CVE-2021-38561
https://access.redhat.com/security/cve/CVE-2022-0759
https://access.redhat.com/security/cve/CVE-2022-1012
https://access.redhat.com/security/cve/CVE-2022-1292
https://access.redhat.com/security/cve/CVE-2022-1586
https://access.redhat.com/security/cve/CVE-2022-1785
https://access.redhat.com/security/cve/CVE-2022-1897
https://access.redhat.com/security/cve/CVE-2022-1927
https://access.redhat.com/security/cve/CVE-2022-2068
https://access.redhat.com/security/cve/CVE-2022-2097
https://access.redhat.com/security/cve/CVE-2022-21698
https://access.redhat.com/security/cve/CVE-2022-30631
https://access.redhat.com/security/cve/CVE-2022-32250
https://access.redhat.com/security/updates/classification/#important

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYv5/w9zjgjWX9erEAQhRBBAAiZe24VtCQruCG/MvGEOowBvHf/YNANlR
N6WAw2VezEfvFkG7z599MWZVWz2jnZO6cn9i+CoNDanAmItPJ8ljK4sitrP2ywrG
OKwqIa4DPrywFFTSMxemB604ewE0cvXifuqG5bQDn+GvndiV/u/XaVTYZseY1P5X
8ZIJ20cxROOE9pg0/3eya27edZxDrgWx6BtzSEZw47ReV3Dogqy+KzRCAAoN+pE5
g2t/E0u0Ypmjil9Ttsop/ejUg/iz8UTGtua4m1nzhZrsoE84p5xIgvCEkYlh3OrD
tfawpj1r9Avcjk4zbZkAe/enSQZQv0iWD792SoP7/ddX5tIu05ArvPWj/NvN/rI4
dFzMe2UmezuS2EQpzaWOug2xSQUbR1hI+Y4cy0YOHuwzeaMeoHSbNYTJmOxKR0v1
44a9oSBku+Xfk8nUNqS+9oq0z3DlAWt2BjbfrJCbSjZQdOUOIGM95L3ClrXY9LYF
PT5v+h2W4myonj6HVhkv+Wy7aRbYQ7Qhk/3AaN7Dz5soBSNK4exvOzWXGuf/BdSf
XFef6O87ipZveHQYmTfH+t8aJV1plEVTrm8pyz2EfzCv1Fnhjn0rvbGZAFBlvqW+
vhxoj505RQBBhcno16V1zczdd8KsiqY7aZniTuh2DQAVvNhqsHgn8rvQ7HJlExun
eIFVKOxx310=ynB/
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
Login or Register to add favorites

File Archive:

September 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    23 Files
  • 2
    Sep 2nd
    12 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    10 Files
  • 6
    Sep 6th
    8 Files
  • 7
    Sep 7th
    30 Files
  • 8
    Sep 8th
    14 Files
  • 9
    Sep 9th
    26 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    5 Files
  • 13
    Sep 13th
    28 Files
  • 14
    Sep 14th
    15 Files
  • 15
    Sep 15th
    17 Files
  • 16
    Sep 16th
    9 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    12 Files
  • 20
    Sep 20th
    15 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    13 Files
  • 23
    Sep 23rd
    12 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close