Red Hat Security Advisory 2022-8889-01

Red Hat Security Advisory 2022-8889-01: Posted Dec 9, 2022; Authored by Red Hat | Site access.redhat.com; Red Hat Security Advisory 2022-8889-01 - This is an Openshift Logging bug fix release. Issues addressed include a denial of service vulnerability.; tags | advisory, denial of service; systems | linux, redhat; advisories | CVE-2016-3709, CVE-2020-35525, CVE-2020-35527, CVE-2020-36516, CVE-2020-36518, CVE-2020-36558, CVE-2021-30002, CVE-2021-3640, CVE-2022-0168, CVE-2022-0561, CVE-2022-0562, CVE-2022-0617, CVE-2022-0854, CVE-2022-0865; SHA-256 | e8c5fca15c718cc8dd491c4bcec10fa3e9d5113ff39850bf8adff3a3d0ba7b03; Download | Favorite | View

Red Hat Security Advisory 2022-8889-01

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Openshift Logging 5.3.14 bug fix release and security update
Advisory ID:       RHSA-2022:8889-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8889
Issue date:        2022-12-08
CVE Names:         CVE-2016-3709 CVE-2020-35525 CVE-2020-35527 
                   CVE-2020-36516 CVE-2020-36518 CVE-2020-36558 
                   CVE-2021-3640 CVE-2021-30002 CVE-2022-0168 
                   CVE-2022-0561 CVE-2022-0562 CVE-2022-0617 
                   CVE-2022-0854 CVE-2022-0865 CVE-2022-0891 
                   CVE-2022-0908 CVE-2022-0909 CVE-2022-0924 
                   CVE-2022-1016 CVE-2022-1048 CVE-2022-1055 
                   CVE-2022-1184 CVE-2022-1292 CVE-2022-1304 
                   CVE-2022-1355 CVE-2022-1586 CVE-2022-1785 
                   CVE-2022-1852 CVE-2022-1897 CVE-2022-1927 
                   CVE-2022-2068 CVE-2022-2078 CVE-2022-2097 
                   CVE-2022-2509 CVE-2022-2586 CVE-2022-2639 
                   CVE-2022-2938 CVE-2022-3515 CVE-2022-20368 
                   CVE-2022-21499 CVE-2022-21618 CVE-2022-21619 
                   CVE-2022-21624 CVE-2022-21626 CVE-2022-21628 
                   CVE-2022-22624 CVE-2022-22628 CVE-2022-22629 
                   CVE-2022-22662 CVE-2022-22844 CVE-2022-23960 
                   CVE-2022-24448 CVE-2022-25255 CVE-2022-26373 
                   CVE-2022-26700 CVE-2022-26709 CVE-2022-26710 
                   CVE-2022-26716 CVE-2022-26717 CVE-2022-26719 
                   CVE-2022-27404 CVE-2022-27405 CVE-2022-27406 
                   CVE-2022-27950 CVE-2022-28390 CVE-2022-28893 
                   CVE-2022-29581 CVE-2022-30293 CVE-2022-34903 
                   CVE-2022-36946 CVE-2022-37434 CVE-2022-39399 
                   CVE-2022-42003 CVE-2022-42004 CVE-2022-42898 
=====================================================================

1. Summary:

Openshift Logging Bug Fix Release (5.3.14)

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Openshift Logging Bug Fix Release (5.3.14)

Security Fixe(s):

* jackson-databind: denial of service via a large depth of nested
objects (CVE-2020-36518)

* jackson-databind: deep wrapper array nesting wrt
UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)

* jackson-databind: use of deeply nested arrays (CVE-2022-42004)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For OpenShift Container Platform 4.9 see the following documentation, which
will be updated shortly, for detailed release notes:

https://docs.openshift.com/container-platform/4.9/logging/cluster-logging-release-notes.html

For Red Hat OpenShift Logging 5.3, see the following instructions to apply
this update:

https://docs.openshift.com/container-platform/4.9/logging/cluster-logging-upgrading.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects
2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays

5. JIRA issues fixed (https://issues.jboss.org/):

LOG-3293 - log-file-metric-exporter container has not limits exhausting the resources of the node

6. References:

https://access.redhat.com/security/cve/CVE-2016-3709
https://access.redhat.com/security/cve/CVE-2020-35525
https://access.redhat.com/security/cve/CVE-2020-35527
https://access.redhat.com/security/cve/CVE-2020-36516
https://access.redhat.com/security/cve/CVE-2020-36518
https://access.redhat.com/security/cve/CVE-2020-36558
https://access.redhat.com/security/cve/CVE-2021-3640
https://access.redhat.com/security/cve/CVE-2021-30002
https://access.redhat.com/security/cve/CVE-2022-0168
https://access.redhat.com/security/cve/CVE-2022-0561
https://access.redhat.com/security/cve/CVE-2022-0562
https://access.redhat.com/security/cve/CVE-2022-0617
https://access.redhat.com/security/cve/CVE-2022-0854
https://access.redhat.com/security/cve/CVE-2022-0865
https://access.redhat.com/security/cve/CVE-2022-0891
https://access.redhat.com/security/cve/CVE-2022-0908
https://access.redhat.com/security/cve/CVE-2022-0909
https://access.redhat.com/security/cve/CVE-2022-0924
https://access.redhat.com/security/cve/CVE-2022-1016
https://access.redhat.com/security/cve/CVE-2022-1048
https://access.redhat.com/security/cve/CVE-2022-1055
https://access.redhat.com/security/cve/CVE-2022-1184
https://access.redhat.com/security/cve/CVE-2022-1292
https://access.redhat.com/security/cve/CVE-2022-1304
https://access.redhat.com/security/cve/CVE-2022-1355
https://access.redhat.com/security/cve/CVE-2022-1586
https://access.redhat.com/security/cve/CVE-2022-1785
https://access.redhat.com/security/cve/CVE-2022-1852
https://access.redhat.com/security/cve/CVE-2022-1897
https://access.redhat.com/security/cve/CVE-2022-1927
https://access.redhat.com/security/cve/CVE-2022-2068
https://access.redhat.com/security/cve/CVE-2022-2078
https://access.redhat.com/security/cve/CVE-2022-2097
https://access.redhat.com/security/cve/CVE-2022-2509
https://access.redhat.com/security/cve/CVE-2022-2586
https://access.redhat.com/security/cve/CVE-2022-2639
https://access.redhat.com/security/cve/CVE-2022-2938
https://access.redhat.com/security/cve/CVE-2022-3515
https://access.redhat.com/security/cve/CVE-2022-20368
https://access.redhat.com/security/cve/CVE-2022-21499
https://access.redhat.com/security/cve/CVE-2022-21618
https://access.redhat.com/security/cve/CVE-2022-21619
https://access.redhat.com/security/cve/CVE-2022-21624
https://access.redhat.com/security/cve/CVE-2022-21626
https://access.redhat.com/security/cve/CVE-2022-21628
https://access.redhat.com/security/cve/CVE-2022-22624
https://access.redhat.com/security/cve/CVE-2022-22628
https://access.redhat.com/security/cve/CVE-2022-22629
https://access.redhat.com/security/cve/CVE-2022-22662
https://access.redhat.com/security/cve/CVE-2022-22844
https://access.redhat.com/security/cve/CVE-2022-23960
https://access.redhat.com/security/cve/CVE-2022-24448
https://access.redhat.com/security/cve/CVE-2022-25255
https://access.redhat.com/security/cve/CVE-2022-26373
https://access.redhat.com/security/cve/CVE-2022-26700
https://access.redhat.com/security/cve/CVE-2022-26709
https://access.redhat.com/security/cve/CVE-2022-26710
https://access.redhat.com/security/cve/CVE-2022-26716
https://access.redhat.com/security/cve/CVE-2022-26717
https://access.redhat.com/security/cve/CVE-2022-26719
https://access.redhat.com/security/cve/CVE-2022-27404
https://access.redhat.com/security/cve/CVE-2022-27405
https://access.redhat.com/security/cve/CVE-2022-27406
https://access.redhat.com/security/cve/CVE-2022-27950
https://access.redhat.com/security/cve/CVE-2022-28390
https://access.redhat.com/security/cve/CVE-2022-28893
https://access.redhat.com/security/cve/CVE-2022-29581
https://access.redhat.com/security/cve/CVE-2022-30293
https://access.redhat.com/security/cve/CVE-2022-34903
https://access.redhat.com/security/cve/CVE-2022-36946
https://access.redhat.com/security/cve/CVE-2022-37434
https://access.redhat.com/security/cve/CVE-2022-39399
https://access.redhat.com/security/cve/CVE-2022-42003
https://access.redhat.com/security/cve/CVE-2022-42004
https://access.redhat.com/security/cve/CVE-2022-42898
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY5Jma9zjgjWX9erEAQh83xAAj1mTs7t69xXYjstib3b10ZSQFlaK8ZHu
U1CEqRryyTwdLZJUBNnXcFV7S+tGPIthAzg3RCn0Tun45Kj/v296A2AF8DoKPRmu
LZUUi6c5K0vFLTG2zbO0Gxy0rOcxwHmq9QLsQii3AylhXH9BOlJC+VeeaLdJXmd3
7Zwg2Y2opzSYPph1yc/9yf24ln6thgSmFU7lsY60EiPN9GGPXTFKnTbWDNrfRCvy
LJTOYISYm8miRC3TsQ/Nt31an3uSE5e6x4aVEXM12TvZTRL4GCcxbBWK3VSScbg8
T7C98yEWNEwouXMNoQr9MGxPwgmUZ8WsgmzYMWOdKABPk5wcQPqC9pfLtamI+AOM
TZQUy3TfdTxo79Tkhd5QVOnM0WD/3VWtv/OXTcObhacyifzk3kdr5W8D9PqwMp67
4OiyX+bZlZAXKkLuD2IAeNsqP6wafFGPw79IGRSd5ggNRFIj9gJECxxHc+tvQR7F
m6zIWSkjacYUfI8KEI8729qGxwGhqPHHcBS2nAm5pnxXt/3/07BkagQl+5cYW8rS
3rTwx93v6U6F1e7H3FzpucrVDNHK406j3qhKBKHHDr12IPL8Q47dJuTFK9LxhKD8
dGEbNbW23wEkGFjh9BKnac10mPx7uBhQBVmfIrpkgBQhUA6lY7+elso2pVt/FLYw
ouxkTmp3LIQ=
=PYNA
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Top Authors In Last 30 Days

Red Hat 210 files
Ubuntu 64 files
Debian 27 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

Red Hat Security Advisory 2022-8889-01

Red Hat Security Advisory 2022-8889-01

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Red Hat Security Advisory 2022-8889-01

Share This

Red Hat Security Advisory 2022-8889-01

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems