Important: Logging Subsystem 5.4 - Red Hat OpenShift Security and Bug update

Related Vulnerabilities: CVE-2022-0759, CVE-2022-21698

Synopsis

Important: Logging Subsystem 5.4 - Red Hat OpenShift Security and Bug update

Type/Severity

Security Advisory: Important

Topic

Logging Subsystem 5.4 - Red Hat OpenShift

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Logging Subsystem 5.4 - Red Hat OpenShift

Security Fix(es):

  • kubeclient: kubeconfig parsing error can lead to MITM attacks (CVE-2022-0759)
  • prometheus/client_golang: Denial of service using InstrumentHandlerCounter (CVE-2022-21698)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:

https://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html

For Red Hat OpenShift Logging 5.4, see the following instructions to apply this update:

https://docs.openshift.com/container-platform/4.10/logging/cluster-logging-upgrading.html

Affected Products

  • Logging Subsystem for Red Hat OpenShift 5 x86_64
  • Logging Subsystem for Red Hat OpenShift for IBM Power, little endian 5 ppc64le
  • Logging Subsystem for Red Hat OpenShift for IBM Z and LinuxONE 5 s390x
  • Logging Subsystem for Red Hat OpenShift for ARM 64 5 aarch64

Fixes

  • BZ - 2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter
  • BZ - 2058404 - CVE-2022-0759 kubeclient: kubeconfig parsing error can lead to MITM attacks
  • LOG-1774 - The collector logs should be excluded in fluent.conf
  • LOG-1896 - CLO panic: runtime error: slice bounds out of range [:-1]
  • LOG-1912 - Vector image ref breaks 5.3 build
  • LOG-1918 - Alert `FluentdNodeDown` always firing
  • LOG-1919 - Logging link is not removed when CLO is uninstalled or its instance is removed
  • LOG-2026 - No datapoint for CPU on openshift-logging dashboard
  • LOG-2052 - [vector] Infra logs aren't collected correctly
  • LOG-2056 - Wrong certificates used by fluentd when log forwarding to external Elasticsearch and defined structuredTypeKey
  • LOG-2069 - [release-5.4] Log collected dashboard displays wrong namespace
  • LOG-2070 - [Vector] Collector pods fail to start when a ClusterLogForwarder is created to forward logs to Kafka.
  • LOG-2071 - [release-5.4] The configmap grafana-dashboard-cluster-logging cannot be updated
  • LOG-2072 - [Vector] Collector pods fail to start when a ClusterLogForwarder instance is created to forward logs to multiple log stores.
  • LOG-2076 - [Vector] Basic auth credentials are not added to the generated Vector config
  • LOG-2093 - EO Self-generated certificates issue with Kibana when "logging.openshift.io/elasticsearch-cert-management: true" annotation is used
  • LOG-2107 - CLO instance to deploy Vector not working.
  • LOG-2119 - Elasticsearch pod is throwing ElasticsearchSecurityException when running delete by query
  • LOG-2120 - EO becomes CrashLoopBackOff when deploy ES with more than 3 nodes
  • LOG-2121 - LokiStack components/pods are not coming up due to CrashLoopBackOff error
  • LOG-2124 - Binary Manager issue in downstream Loki Operator image
  • LOG-2130 - Vector - Collector pods fail to start when forwarding logs to Loki using tenantKey
  • LOG-2131 - ES Operator Stuck on Quota after Upgrade
  • LOG-2156 - Dashboard for OpenShift Logging in WebConsole shows incorrect number of shards
  • LOG-2157 - Vector: Getting error 'error=unknown field `username`' when forwarding logs to Loki using HTTPS
  • LOG-2160 - [Logging 5.4] Logs under openshift-* projects are sent to app* index when using fluentd as collector
  • LOG-2161 - Cronjob elasticsearch-im-prune-app keeps recreating after enabling delete by query
  • LOG-2163 - Openshift Logging Dashboard is not available in console
  • LOG-2166 - [Vector] CLO doesn't create correct configurations when forwarding different type logs to different log stores.
  • LOG-2174 - [vector] ES rejects logs due to MapperParsingException
  • LOG-2210 - Delete by query doesn't delete all the projects' logs defined in retentionPolicy
  • LOG-2211 - [loki-operator] The kube-rbac-proxy is too old (v4.5.0)
  • LOG-2212 - [loki-operator] Configure Error in ClusterServiceVersion
  • LOG-2218 - support ARM64 for loki-operator images
  • LOG-2220 - Fluentd collector not setting labels from /var/log/pods paths
  • LOG-2221 - The lokistack deployment should continue after the missing secret is created
  • LOG-2224 - LokiStack components are not restarted on ConfigMap change
  • LOG-2226 - [loki-operator] Must use the global namespace openshift-operators or openshift-operators-redhat
  • LOG-2236 - An inner error is swallowed
  • LOG-2249 - [Vector] Incorrect sinks.loki_server.labels config for kubernetes_host and kubernetes_namespace_name
  • LOG-2250 - [Logging 5.4] EO doesn't recreate secrets kibana and kibana-proxy after removing them.
  • LOG-2255 - [Vector] Forwarder does not handle input namespace selectors.
  • LOG-2259 - [Vector] Configuration error `error=redefinition of table` when forwarding logs from different namespaces.
  • LOG-2278 - [loki-operator] SRV lookup for components fails because of service name mismatch
  • LOG-2286 - Prometheus can't watch pods/endpoints/services in openshift-logging namespace when only the CLO is deployed.
  • LOG-2327 - [loki-operator] Loki components report connection errors related to kube-probe
  • LOG-2352 - loki-operator controller pod in CrashLoopBackOff status
  • LOG-2373 - [release-5.4] Logging link should contain an icon
  • LOG-2375 - Vector preview does not update Status
  • LOG-2381 - [Vector] [5.4] Collector pods fail to start with configuration error=unknown variant `internal_metrics`
  • LOG-2383 - The lokistack still binds s3 when secret.type is azure
  • LOG-2392 - CLO's loki output url is parsed wrongly
  • LOG-2398 - [Vector][5.4] Journal logs not reaching Elasticsearch output
  • LOG-2425 - lokistack: Common users cannot view their pods' logs
  • LOG-2438 - api/logs/v1/audit/loki/api/v1/push 302 Found failed to find token
  • LOG-2441 - Remove OpenShift 4.8 from Logging 5.4 support list
  • LOG-2487 - The loki-operator cannot be upgraded
  • LOG-2115 - Incident: Loki Ingester experiencing 50% errors.
  • LOG-2246 - [loki-operator] Degraded status immediately reset when no pod actions are pending
  • LOG-2430 - Enable vector functional and e2e tests for preview, or document gaps
  • LOG-2099 - [release-5.4] Events listing out of order in Kibana 6.8.1
  • LOG-2171 - [Logging 5.4] ES pods can't be ready after removing secret/signing-elasticsearch
  • LOG-2299 - Loki tenant configuration invalid for fluentd output plugin used
  • LOG-2302 - [Logging 5.4] Elasticsearch cluster upgrade stuck
  • LOG-2351 - [Logging 5.4] Kibana pod can't connect to ES cluster after removing secret/signing-elasticsearch: "x509: certificate signed by unknown authority"
  • LOG-2379 - [release-5.4] Allow users to tune fluentd
  • LOG-2397 - Reconcile Error on Loki controller manager after LokiStack size is changed
  • LOG-1899 - http.max_header_size set to 128kb causes communication with elasticsearch to stop working
  • LOG-2462 - Fluentd collected metric should track either /var/log/pods or /var/log/containers