-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Logging Subsystem 5.5.5 - Red Hat OpenShift security update
Advisory ID:       RHSA-2022:8781-01
Product:           Logging Subsystem for Red Hat OpenShift
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8781
Issue date:        2022-12-08
CVE Names:         CVE-2016-3709 CVE-2020-35525 CVE-2020-35527 
                   CVE-2020-36516 CVE-2020-36518 CVE-2020-36558 
                   CVE-2021-3640 CVE-2021-30002 CVE-2022-0168 
                   CVE-2022-0561 CVE-2022-0562 CVE-2022-0617 
                   CVE-2022-0854 CVE-2022-0865 CVE-2022-0891 
                   CVE-2022-0908 CVE-2022-0909 CVE-2022-0924 
                   CVE-2022-1016 CVE-2022-1048 CVE-2022-1055 
                   CVE-2022-1184 CVE-2022-1292 CVE-2022-1304 
                   CVE-2022-1355 CVE-2022-1586 CVE-2022-1785 
                   CVE-2022-1852 CVE-2022-1897 CVE-2022-1927 
                   CVE-2022-2068 CVE-2022-2078 CVE-2022-2097 
                   CVE-2022-2509 CVE-2022-2586 CVE-2022-2639 
                   CVE-2022-2879 CVE-2022-2880 CVE-2022-2938 
                   CVE-2022-3515 CVE-2022-20368 CVE-2022-21499 
                   CVE-2022-21618 CVE-2022-21619 CVE-2022-21624 
                   CVE-2022-21626 CVE-2022-21628 CVE-2022-22624 
                   CVE-2022-22628 CVE-2022-22629 CVE-2022-22662 
                   CVE-2022-22844 CVE-2022-23960 CVE-2022-24448 
                   CVE-2022-25255 CVE-2022-26373 CVE-2022-26700 
                   CVE-2022-26709 CVE-2022-26710 CVE-2022-26716 
                   CVE-2022-26717 CVE-2022-26719 CVE-2022-27404 
                   CVE-2022-27405 CVE-2022-27406 CVE-2022-27664 
                   CVE-2022-27950 CVE-2022-28390 CVE-2022-28893 
                   CVE-2022-29581 CVE-2022-30293 CVE-2022-32189 
                   CVE-2022-34903 CVE-2022-36946 CVE-2022-37434 
                   CVE-2022-37603 CVE-2022-39399 CVE-2022-41715 
                   CVE-2022-42003 CVE-2022-42004 
=====================================================================

1. Summary:

Logging Subsystem 5.5.5 - Red Hat OpenShift

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Logging Subsystem 5.5.5 - Red Hat OpenShift

Security Fixe(s):

* jackson-databind: denial of service via a large depth of nested
objects (CVE-2020-36518)

* golang: net/http: handle server errors after sending GOAWAY
(CVE-2022-27664)

* golang: archive/tar: unbounded memory consumption when reading headers
(CVE-2022-2879, CVE-2022-2880, CVE-2022-41715)

* jackson-databind: deep wrapper array nesting wrt
UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)

* jackson-databind: use of deeply nested arrays (CVE-2022-42004)

* loader-utils: Regular expression denial of service (CVE-2022-37603)

* golang: math/big: decoding big.Float and big.Rat types can panic if the
encoded message is too short, potentially allowing a denial of service
(CVE-2022-32189)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For OpenShift Container Platform 4.11 see the following documentation,
which will be updated shortly for this release, for important instructions
on how to upgrade your cluster and fully apply this errata update:

https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html

For Red Hat OpenShift Logging 5.5, see the following instructions to apply
this update:

https://docs.openshift.com/container-platform/4.11/logging/cluster-logging-upgrading.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects
2113814 - CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service
2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY
2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers
2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps
2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays
2140597 - CVE-2022-37603 loader-utils:Regular expression denial of service

5. JIRA issues fixed (https://issues.jboss.org/):

LOG-2860 - Error on LokiStack Components when forwarding logs to Loki on proxy cluster
LOG-3131 - vector: kube API server certificate validation failure due to hostname mismatch
LOG-3222 - [release-5.5] fluentd plugin for kafka ca-bundle secret doesn't support multiple CAs
LOG-3226 - FluentdQueueLengthIncreasing rule failing to be evaluated.
LOG-3284 - [release-5.5][Vector] logs parsed into structured when json is set without structured types.
LOG-3287 - [release-5.5] Increase value of cluster-logging PriorityClass to move closer to system-cluster-critical value
LOG-3301 - [release-5.5][ClusterLogging] elasticsearchStatus in ClusterLogging instance CR is not updated when Elasticsearch status is changed
LOG-3305 - [release-5.5] Kibana Authentication Exception cookie issue
LOG-3310 - [release-5.5] Can't choose correct CA ConfigMap Key when creating lokistack in Console
LOG-3332 - [release-5.5] Reconcile error on controller when creating LokiStack with tls config

6. References:

https://access.redhat.com/security/cve/CVE-2016-3709
https://access.redhat.com/security/cve/CVE-2020-35525
https://access.redhat.com/security/cve/CVE-2020-35527
https://access.redhat.com/security/cve/CVE-2020-36516
https://access.redhat.com/security/cve/CVE-2020-36518
https://access.redhat.com/security/cve/CVE-2020-36558
https://access.redhat.com/security/cve/CVE-2021-3640
https://access.redhat.com/security/cve/CVE-2021-30002
https://access.redhat.com/security/cve/CVE-2022-0168
https://access.redhat.com/security/cve/CVE-2022-0561
https://access.redhat.com/security/cve/CVE-2022-0562
https://access.redhat.com/security/cve/CVE-2022-0617
https://access.redhat.com/security/cve/CVE-2022-0854
https://access.redhat.com/security/cve/CVE-2022-0865
https://access.redhat.com/security/cve/CVE-2022-0891
https://access.redhat.com/security/cve/CVE-2022-0908
https://access.redhat.com/security/cve/CVE-2022-0909
https://access.redhat.com/security/cve/CVE-2022-0924
https://access.redhat.com/security/cve/CVE-2022-1016
https://access.redhat.com/security/cve/CVE-2022-1048
https://access.redhat.com/security/cve/CVE-2022-1055
https://access.redhat.com/security/cve/CVE-2022-1184
https://access.redhat.com/security/cve/CVE-2022-1292
https://access.redhat.com/security/cve/CVE-2022-1304
https://access.redhat.com/security/cve/CVE-2022-1355
https://access.redhat.com/security/cve/CVE-2022-1586
https://access.redhat.com/security/cve/CVE-2022-1785
https://access.redhat.com/security/cve/CVE-2022-1852
https://access.redhat.com/security/cve/CVE-2022-1897
https://access.redhat.com/security/cve/CVE-2022-1927
https://access.redhat.com/security/cve/CVE-2022-2068
https://access.redhat.com/security/cve/CVE-2022-2078
https://access.redhat.com/security/cve/CVE-2022-2097
https://access.redhat.com/security/cve/CVE-2022-2509
https://access.redhat.com/security/cve/CVE-2022-2586
https://access.redhat.com/security/cve/CVE-2022-2639
https://access.redhat.com/security/cve/CVE-2022-2879
https://access.redhat.com/security/cve/CVE-2022-2880
https://access.redhat.com/security/cve/CVE-2022-2938
https://access.redhat.com/security/cve/CVE-2022-3515
https://access.redhat.com/security/cve/CVE-2022-20368
https://access.redhat.com/security/cve/CVE-2022-21499
https://access.redhat.com/security/cve/CVE-2022-21618
https://access.redhat.com/security/cve/CVE-2022-21619
https://access.redhat.com/security/cve/CVE-2022-21624
https://access.redhat.com/security/cve/CVE-2022-21626
https://access.redhat.com/security/cve/CVE-2022-21628
https://access.redhat.com/security/cve/CVE-2022-22624
https://access.redhat.com/security/cve/CVE-2022-22628
https://access.redhat.com/security/cve/CVE-2022-22629
https://access.redhat.com/security/cve/CVE-2022-22662
https://access.redhat.com/security/cve/CVE-2022-22844
https://access.redhat.com/security/cve/CVE-2022-23960
https://access.redhat.com/security/cve/CVE-2022-24448
https://access.redhat.com/security/cve/CVE-2022-25255
https://access.redhat.com/security/cve/CVE-2022-26373
https://access.redhat.com/security/cve/CVE-2022-26700
https://access.redhat.com/security/cve/CVE-2022-26709
https://access.redhat.com/security/cve/CVE-2022-26710
https://access.redhat.com/security/cve/CVE-2022-26716
https://access.redhat.com/security/cve/CVE-2022-26717
https://access.redhat.com/security/cve/CVE-2022-26719
https://access.redhat.com/security/cve/CVE-2022-27404
https://access.redhat.com/security/cve/CVE-2022-27405
https://access.redhat.com/security/cve/CVE-2022-27406
https://access.redhat.com/security/cve/CVE-2022-27664
https://access.redhat.com/security/cve/CVE-2022-27950
https://access.redhat.com/security/cve/CVE-2022-28390
https://access.redhat.com/security/cve/CVE-2022-28893
https://access.redhat.com/security/cve/CVE-2022-29581
https://access.redhat.com/security/cve/CVE-2022-30293
https://access.redhat.com/security/cve/CVE-2022-32189
https://access.redhat.com/security/cve/CVE-2022-34903
https://access.redhat.com/security/cve/CVE-2022-36946
https://access.redhat.com/security/cve/CVE-2022-37434
https://access.redhat.com/security/cve/CVE-2022-37603
https://access.redhat.com/security/cve/CVE-2022-39399
https://access.redhat.com/security/cve/CVE-2022-41715
https://access.redhat.com/security/cve/CVE-2022-42003
https://access.redhat.com/security/cve/CVE-2022-42004
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY5G9q9zjgjWX9erEAQgdfBAApTzFp8Tp32Bv5jN1EnhSqzcQ93cUa2Nr
ot9YGh2Dzqr0lzAP2uf1O61EEYq9mte6X4DckjUDo7BT7u5ZZxMWWSstpNbFUzXl
4xs393yEZM52DN174XOP5V7GUG0pyNlEqHYMGjdZF6pzIx2zzF300kAjB4Hpg4wK
kKUDVnIyHlvlNcsvjms4p1rzAsIns4c73W89KVkwMyo1pvPQt6v34BWZg5DNnYAM
hTzl0JR5XRYW4aZhIMq7FApvh4GeA7n7L0kmnDHFVcx0cnrHrjHZxmRQX0Gai1bc
r8MvGvbMTqEAZ4VKKrgNVvVzkdrO4dw20JfbskPgTIbFXH6ns5605b31veRhMYmv
NCSJUbq4BLYVAZEhmLa0QIqru1WVCB1e2eRUhvehLiuVlAkgmIgtKvECZ3kpQHxj
DvOdnaWC5R9eKtNlX9N1xOtqgOF2w+/M+5ml5RJgq48Wlb41VpypDIKFBUXh+wR9
ArrG8kao75Hl0t8/YQMouqDvgJLNgfceF+WETYryfDus9OlB4YMxhI88mx7HH9zu
Hy4rb7RhF1OcH/kWjmMl/YJQpYSFKJDyls3tAx5ZAWGCpwAzoBZoc9BEKUQwVfnW
f3PFotJeQdxKBsbqKVF5h0gHcfSUP+P0kQhx1GD51kxJkUmq47m3OZKIe1QLwYgm
T1GSDHkQTcg=
=y/FA
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce