Synopsis
Important: Logging Subsystem 5.4 - Red Hat OpenShift Security and Bug update
Type/Severity
Security Advisory: Important
Topic
Logging Subsystem 5.4 - Red Hat OpenShift
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Logging Subsystem 5.4 - Red Hat OpenShift
Security Fix(es):
- kubeclient: kubeconfig parsing error can lead to MITM attacks (CVE-2022-0759)
- prometheus/client_golang: Denial of service using InstrumentHandlerCounter (CVE-2022-21698)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
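The client_golang issue listed above (CVE-2022-21698) is an unbounded-cardinality problem: before client_golang 1.11.1, the promhttp InstrumentHandler* middleware used the request method verbatim as the value of a `method` label, so a client that sends requests with ever-changing method tokens makes the instrumented process allocate a new time series per request until memory is exhausted. The Go program below is an added example, not code from this advisory, from Red Hat or from the client_golang project; it uses a constructed map-backed counter in place of a real CounterVec so it runs with the standard library only, and shows the vulnerable labelling beside the two mitigations the upstream advisory names: collapsing unknown methods to `unknown` (what 1.11.1 does inside promhttp) and a middleware that answers 405 to non-standard methods before instrumentation runs (the workaround for an unpatched library). For the logging subsystem itself the fix is the updated images shipped with this advisory; the example is for operators who also run their own Go services instrumented with client_golang.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// methodCounter is a constructed stand-in for a Prometheus CounterVec with a
// `method` label: one map entry per distinct label value, just as the real
// vector keeps one time series per label value. It is not client_golang code.
type methodCounter struct {
	mu     sync.Mutex
	series map[string]int
}

func newMethodCounter() *methodCounter {
	return &methodCounter{series: make(map[string]int)}
}

func (c *methodCounter) inc(label string) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.series[label]++
}

// Cardinality returns how many distinct `method` values the counter holds,
// i.e. how many series the process keeps in memory and serves on /metrics.
func (c *methodCounter) Cardinality() int {
	c.mu.Lock()
	defer c.mu.Unlock()
	return len(c.series)
}

// instrument wraps next and increments c under the label that labelFn derives
// from the request. The choice of labelFn decides whether the chain is
// vulnerable.
func instrument(c *methodCounter, labelFn func(*http.Request) string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c.inc(labelFn(r))
		next.ServeHTTP(w, r)
	})
}

// rawMethod reproduces the pre-1.11.1 behaviour behind CVE-2022-21698: the
// method string exactly as the client sent it becomes the label value, so an
// attacker who varies the method token creates an unbounded number of series.
func rawMethod(r *http.Request) string { return r.Method }

// knownMethod reports whether m is one of the standard HTTP methods.
func knownMethod(m string) bool {
	switch strings.ToUpper(m) {
	case "GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "CONNECT", "OPTIONS", "TRACE":
		return true
	}
	return false
}

// sanitizeMethod collapses anything outside the standard set to "unknown",
// the approach client_golang 1.11.1 takes inside promhttp. Written here as an
// added example, not copied from the library.
func sanitizeMethod(m string) string {
	if knownMethod(m) {
		return strings.ToLower(m)
	}
	return "unknown"
}

func sanitizedMethod(r *http.Request) string { return sanitizeMethod(r.Method) }

// rejectUnknownMethods is the workaround for code stuck on an unpatched
// client_golang: answer 405 before the instrumented handler runs, so the
// counter never sees a non-standard method at all.
func rejectUnknownMethods(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !knownMethod(r.Method) {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// SeriesAfterFlood drives n requests, each with a unique non-standard method
// token (constructed input), through h and returns the resulting cardinality.
func SeriesAfterFlood(c *methodCounter, h http.Handler, n int) int {
	for i := 0; i < n; i++ {
		req := httptest.NewRequest(fmt.Sprintf("BOGUS%d", i), "/", nil)
		h.ServeHTTP(httptest.NewRecorder(), req)
	}
	return c.Cardinality()
}

func main() {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })

	vulnerable := newMethodCounter()
	fmt.Println("raw method label:      ", SeriesAfterFlood(vulnerable, instrument(vulnerable, rawMethod, ok), 1000))

	patched := newMethodCounter()
	fmt.Println("sanitized method label:", SeriesAfterFlood(patched, instrument(patched, sanitizedMethod, ok), 1000))

	guarded := newMethodCounter()
	fmt.Println("405 middleware:        ", SeriesAfterFlood(guarded, rejectUnknownMethods(instrument(guarded, rawMethod, ok)), 1000))
}
```

The three runs in main give 1000, 1 and 0 series respectively. The 405 middleware is the stronger of the two mitigations for an unpatched deployment because it also keeps the bogus request away from the application handler; dropping the `method` label from the counter altogether is the other workaround upstream lists.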
Affected Products
- Logging Subsystem for Red Hat OpenShift 5 x86_64
- Logging Subsystem for Red Hat OpenShift for IBM Power, little endian 5 ppc64le
- Logging Subsystem for Red Hat OpenShift for IBM Z and LinuxONE 5 s390x
- Logging Subsystem for Red Hat OpenShift for ARM 64 5 aarch64
Fixes
- BZ - 2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter
- BZ - 2058404 - CVE-2022-0759 kubeclient: kubeconfig parsing error can lead to MITM attacks
- LOG-1774 - The collector logs should be excluded in fluent.conf
- LOG-1896 - CLO panic: runtime error: slice bounds out of range [:-1]
- LOG-1912 - Vector image ref breaks 5.3 build
- LOG-1918 - Alert `FluentdNodeDown` always firing
- LOG-1919 - Logging link is not removed when CLO is uninstalled or its instance is removed
- LOG-2026 - No datapoint for CPU on openshift-logging dashboard
- LOG-2052 - [vector] Infra logs aren't collected correctly
- LOG-2056 - Wrong certificates used by fluentd when log forwarding to external Elasticsearch and defined structuredTypeKey
- LOG-2069 - [release-5.4] Log collected dashboard displays wrong namespace
- LOG-2070 - [Vector] Collector pods fail to start when a ClusterLogForwarder is created to forward logs to Kafka.
- LOG-2071 - [release-5.4] The configmap grafana-dashboard-cluster-logging can not be updated
- LOG-2072 - [Vector] Collector pods fail to start when a ClusterLogForwarder instance is created to forward logs to multiple log stores.
- LOG-2076 - [Vector] Basic auth credentials are not added to the generated Vector config
- LOG-2093 - EO Self-generated certificates issue with Kibana when "logging.openshift.io/elasticsearch-cert-management: true" annotation is used
- LOG-2107 - CLO instance to deploy Vector not working.
- LOG-2119 - Elasticsearch pod is throwing ElasticsearchSecurityException when running delete by query
- LOG-2120 - EO becomes CrashLoopBackOff when deploy ES with more than 3 nodes
- LOG-2121 - LokiStack components/pods are not coming up due to CrashLoopBackOff error
- LOG-2124 - Binary Manager issue in downstream Loki Operator image
- LOG-2130 - Vector - Collector pods fails to start when forwarding logs to Loki using tenantKey
- LOG-2131 - ES Operator Stuck on Quota after Upgrade
- LOG-2156 - Dashboard for OpenShift Logging in WebConsole shows incorrect number of shards
- LOG-2157 - Vector: Getting error 'error=unknown field `username`' when forwarding logs to Loki using HTTPS
- LOG-2160 - [Logging 5.4] Logs under openshift-* projects are sent to app* index when using fluentd as collector
- LOG-2161 - Cronjob elasticsearch-im-prune-app keeps recreating after enabling delete by query
- LOG-2163 - Openshift Logging Dashboard is not available in console
- LOG-2166 - [Vector] CLO doesn't create correct configurations when forwarding different type logs to different log stores.
- LOG-2174 - [vector] ES rejects logs due to MapperParsingException
- LOG-2210 - Delete by query doesn't delete all the projects' logs defined in retentionPolicy
- LOG-2211 - [loki-operator] The kube-rbac-proxy is too old (v4.5.0)
- LOG-2212 - [loki-operator] Configure Error in ClusterServiceVersion
- LOG-2218 - support ARM64 for loki-operator images
- LOG-2220 - Fluentd collector not setting labels from /var/log/pods paths
- LOG-2221 - The lokistack deployment should continue after the missing secret is created
- LOG-2224 - LokiStack components are not restarted on ConfigMap change
- LOG-2226 - [loki-operator] Must use the global namespace openshift-operators or openshift-operators-redhat
- LOG-2236 - An inner error is swallowed
- LOG-2249 - [Vector] Incorrect sinks.loki_server.labels config for kubernetes_host and kubernetes_namespace_name
- LOG-2250 - [Logging 5.4] EO doesn't recreate secrets kibana and kibana-proxy after removing them.
- LOG-2255 - [Vector] Forwarder does not handle input namespace selectors.
- LOG-2259 - [Vector] Configuration error `error=redefinition of table` when forwarding logs from different namespaces.
- LOG-2278 - [loki-operator] SRV lookup for components fails because of service name mismatch
- LOG-2286 - Prometheus can't watch pods/endpoints/services in openshift-logging namespace when only the CLO is deployed.
- LOG-2327 - [loki-operator] Loki components report connection errors related to kube-probe
- LOG-2352 - loki-operator controller pod in CrashLoopBackOff status
- LOG-2373 - [release-5.4] Logging link should contain an icon
- LOG-2375 - Vector preview does not update Status
- LOG-2381 - [Vector] [5.4] Collector pods fail to start with configuration error=unknown variant `internal_metrics`
- LOG-2383 - The lokistack still bind s3 when secret.type is azure
- LOG-2392 - CLO's loki output url is parsed wrongly
- LOG-2398 - [Vector] [5.4] Journal logs not reaching Elasticsearch output
- LOG-2425 - lokistack: Common users can not view their pods logs
- LOG-2438 - api/logs/v1/audit/loki/api/v1/push 302 Found failed to find token
- LOG-2441 - Remove OpenShift 4.8 from Logging 5.4 support list
- LOG-2487 - The loki-operator can not be upgraded
- LOG-2115 - Incident: Loki Ingester experiencing 50% errors.
- LOG-2246 - [loki-operator] Degraded status immediately reset when no pod actions are pending
- LOG-2430 - Enable vector functional and e2e tests for preview, or document gaps
- LOG-2099 - [release-5.4] Events listing out of order in Kibana 6.8.1
- LOG-2171 - [Logging 5.4] ES pods can't be ready after removing secret/signing-elasticsearch
- LOG-2299 - Loki tenant configuration invalid for fluentd output plugin used
- LOG-2302 - [Logging 5.4] Elasticsearch cluster upgrade stuck
- LOG-2351 - [Logging 5.4] Kibana pod can't connect to ES cluster after removing secret/signing-elasticsearch: "x509: certificate signed by unknown authority"
- LOG-2379 - [release-5.4] Allow users to tune fluentd
- LOG-2397 - Reconcile Error on Loki controller manager after LokiStack size is changed
- LOG-1899 - http.max_header_size set to 128kb causes communication with elasticsearch to stop working
- LOG-2462 - Fluentd collected metric should track either /var/log/pods or /var/log/containers