-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Logging Subsystem 5.5.8 - Red Hat OpenShift
Advisory ID:       RHSA-2023:0930-01
Product:           Logging Subsystem for Red Hat OpenShift
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0930
Issue date:        2023-03-08
CVE Names:         CVE-2020-10735 CVE-2021-28861 CVE-2022-2873
                   CVE-2022-4415 CVE-2022-24999 CVE-2022-40897
                   CVE-2022-41222 CVE-2022-41717 CVE-2022-43945
                   CVE-2022-45061 CVE-2022-48303
=====================================================================

1. Summary:

Logging Subsystem 5.5.8 - Red Hat OpenShift

Red Hat Product Security has rated this update as having a security
impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.

2. Description:

Logging Subsystem 5.5.8 - Red Hat OpenShift

Security Fix(es):

* express: "qs" prototype poisoning causes the hang of the node process
(CVE-2022-24999)

* golang: net/http: An attacker can cause excessive memory growth in a Go
server accepting HTTP/2 requests (CVE-2022-41717)

For more details about the security issue(s), including the impact, a
CVSS score, acknowledgments, and other related information, refer to the
CVE page(s) listed in the References section.

3. Solution:

For OpenShift Container Platform 4.11 see the following documentation,
which will be updated shortly for this release, for important
instructions on how to upgrade your cluster and fully apply this errata
update:

https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html

For Red Hat OpenShift Logging 5.5, see the following instructions to
apply this update:

https://docs.openshift.com/container-platform/4.11/logging/cluster-logging-upgrading.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2150323 - CVE-2022-24999 express: "qs" prototype poisoning causes the hang of the node process
2161274 - CVE-2022-41717 golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests

5. JIRA issues fixed (https://issues.jboss.org/):

LOG-3630 - [release-5.5] Inconsistencies in vector normalization of systemd logs.

6. References:

https://access.redhat.com/security/cve/CVE-2020-10735
https://access.redhat.com/security/cve/CVE-2021-28861
https://access.redhat.com/security/cve/CVE-2022-2873
https://access.redhat.com/security/cve/CVE-2022-4415
https://access.redhat.com/security/cve/CVE-2022-24999
https://access.redhat.com/security/cve/CVE-2022-40897
https://access.redhat.com/security/cve/CVE-2022-41222
https://access.redhat.com/security/cve/CVE-2022-41717
https://access.redhat.com/security/cve/CVE-2022-43945
https://access.redhat.com/security/cve/CVE-2022-45061
https://access.redhat.com/security/cve/CVE-2022-48303
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZAkjvtzjgjWX9erEAQi6tg//cJalZDsvnICf9o4Rs1uZjds+wIMe9Ood
26/ZK0dz+sr2c1zUrPZyRNSARa23TVNA4yN/rbO3qaTBUZg/3aYJrSMqCsNg+/FY
O5gv4hlWNLkvS7/yiNvdOKTKVHpy9j0Kb4NEsI1X2pYZ/QOFd/U1lK4i9gUlIGIL
DjDajvfMCQvzMwap+Y157aoWern+TwOhfr9xuMzGm4rFDRTG/AH4mORWwTnPln8C
lzHpXCK95hDmHsgOBmTnqbbAZOjLDSydj4FaInLHBRK02cUZhskfFSFtuyUJ+2ee
+4v/KbUQauqhJtQpj8aB9ERL/REafEqsxbEx6pBIBiHAtYFTksDumdMB8JWf7IwU
DcDpOXZIYL9OkdjQNxZsRY9dmAf5J14DMhrEkPjwrcoqj2OGgaCVmUsZ7JE/dplT
VwoUY8Nw9GlHgIDytG1/ddQv2pnvy91yl+MqeZzPID4aMjAreeZz4ESmGhuKdkNN
0epd2nXVTZMi6JdUcRqJYhePEtnS8psEmaty+ofbEMdJ8dQX12bvcmPLzQkduN3+
HsorF1V3PXaba/X1V6FHwu5UIxaHYqS37+RYMnZuvECJdJl8w6o1HrQSB9O+9ih8
xkYncnuY+9xSksCpbPnQ+CFiv1PF4d+eH8MSN3AnHFGpFUujJRV8BR0QzhFPilDV
Wi6FY+546Ow=
=Ziq6
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
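The solution section above tells the reader to upgrade Logging to 5.5.8 but gives no way to confirm whether a given cluster is already there. The following POSIX shell check is an added example and is not part of the advisory or of Red Hat's tooling. It compares an installed Logging version against the 5.5.8 named in the synopsis. The `oc get csv` lookup uses the real OpenShift CLI, but the assumption that the operator's ClusterServiceVersion is named `cluster-logging.v<version>` in the `openshift-logging` namespace is mine; the version comparison handles numeric dot-separated versions only. The fallback version used when no cluster is reachable is a constructed sample.

```shell
#!/bin/sh
# Added example, not part of the Red Hat advisory: decide whether an
# OpenShift Logging installation still needs RHSA-2023:0930.
# The fixed version is the one named in the advisory synopsis.
FIXED_LOGGING_VERSION="5.5.8"

# vercmp A B -> prints -1, 0 or 1 for A < B, A = B, A > B.
# Accepts dot-separated numeric versions, optionally prefixed with "v".
# Missing components count as 0, so "5.5" < "5.5.8".
vercmp() {
  a="${1#v}"; b="${2#v}"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    ai="${ai:-0}"; bi="${bi:-0}"
    if [ "$ai" -lt "$bi" ]; then echo -1; return 0; fi
    if [ "$ai" -gt "$bi" ]; then echo 1; return 0; fi
    case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
    case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
  done
  echo 0
}

# logging_update_needed VERSION -> exit 0 (true) when VERSION is older
# than 5.5.8, exit 1 when it already carries this advisory's fixes.
logging_update_needed() {
  [ "$(vercmp "$1" "$FIXED_LOGGING_VERSION")" -lt 0 ]
}

# installed_logging_version -> prints the version of the cluster-logging
# ClusterServiceVersion in the openshift-logging namespace via the real
# `oc` CLI. Assumption (mine, not from the advisory): the CSV is named
# "cluster-logging.v<version>". Exits non-zero when oc is absent, the
# cluster is unreachable, or no such CSV exists.
installed_logging_version() {
  command -v oc >/dev/null 2>&1 || return 1
  oc get csv -n openshift-logging -o name 2>/dev/null \
    | sed -n 's#^clusterserviceversion\.operators\.coreos\.com/cluster-logging\.v##p' \
    | head -n 1 \
    | grep .
}

# Stand-alone run: query the live cluster when one is reachable,
# otherwise fall back to a constructed sample version so the script
# still runs offline.
v="$(installed_logging_version)" || v="5.5.7"   # constructed sample
if logging_update_needed "$v"; then
  echo "Logging $v is older than $FIXED_LOGGING_VERSION: apply RHSA-2023:0930"
else
  echo "Logging $v already includes RHSA-2023:0930"
fi
```

Run it with cluster-admin credentials loaded for `oc`; without a cluster it reports on the constructed sample. The comparison deliberately treats a shorter version such as 5.5 as older than 5.5.8 rather than equal, so a z-stream update is never mistaken for already applied.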