Synopsis
Important: Logging Subsystem 5.5.0 - Red Hat OpenShift security update
Type/Severity
Security Advisory: Important
Topic
An update is now available for RHOL-5.5-RHEL-8.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Logging Subsystem 5.5.0 - Red Hat OpenShift
Security Fix(es):
- kubeclient: kubeconfig parsing error can lead to MITM attacks (CVE-2022-0759)
- golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)
- golang: out-of-bounds read in golang.org/x/text/language leads to DoS (CVE-2021-38561)
- prometheus/client_golang: Denial of service using InstrumentHandlerCounter (CVE-2022-21698)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Affected Products
- Logging Subsystem for Red Hat OpenShift 5 x86_64
- Logging Subsystem for Red Hat OpenShift for IBM Power, little endian 5 ppc64le
- Logging Subsystem for Red Hat OpenShift for IBM Z and LinuxONE 5 s390x
- Logging Subsystem for Red Hat OpenShift for ARM 64 5 aarch64
Fixes
- BZ - 2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter
- BZ - 2058404 - CVE-2022-0759 kubeclient: kubeconfig parsing error can lead to MITM attacks
- BZ - 2100495 - CVE-2021-38561 golang: out-of-bounds read in golang.org/x/text/language leads to DoS
- BZ - 2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read
- LOG-2649 - Level Critical should match the beginning of the line as the other levels
- LOG-2656 - Logging uses deprecated v1beta1 APIs
- LOG-2664 - Deprecated Feature logs causing too much noise
- LOG-2665 - [Logging 5.5] Sometimes collector fails to push logs to Elasticsearch cluster
- LOG-2693 - Integration with Jaeger fails for ServiceMonitor
- LOG-2700 - [Vector] vector container can't start due to "unknown field `pod_annotation_fields`".
- LOG-2703 - Collector DaemonSet is not removed when CLF is deleted for fluentd/vector only CL instance
- LOG-2725 - Upgrade logging-eventrouter Golang version and tags
- LOG-2731 - CLO keeps reporting `Reconcile ServiceMonitor retry error` and `Reconcile Service retry error` after creating clusterlogging.
- LOG-2732 - Prometheus Operator pod throws 'skipping servicemonitor' error on Jaeger integration
- LOG-2742 - unrecognized outputs when using the sts role secret
- LOG-2746 - CloudWatch forwarding rejecting large log events, fills tmpfs
- LOG-2749 - OpenShift Logging Dashboard for Elastic Shards shows "active_primary" instead of "active" shards.
- LOG-2753 - Update Grafana configuration for LokiStack integration on grafana/loki repo
- LOG-2763 - [Vector]{Master} Vector's healthcheck fails when forwarding logs to LokiStack.
- LOG-2764 - Elasticsearch operator does not respect referencePolicy when selecting oauth-proxy image
- LOG-2765 - ingester pod cannot be started in IPv6 cluster
- LOG-2766 - [vector] failed to parse cluster url: invalid authority IPv6 http-proxy
- LOG-2772 - arn validation failed when role_arn=arn:aws-us-gov:xxx
- LOG-2773 - No cluster-logging-operator-metrics service in logging 5.5
- LOG-2778 - [Vector] [OCP 4.11] SA token not added to Vector config when connecting to LokiStack instance without CLF creds secret required by LokiStack.
- LOG-2784 - Japanese log messages are garbled in Kibana
- LOG-1415 - Allow users to tune fluentd
- LOG-1539 - Events and CLO CSV are not collected after running `oc adm must-gather --image=$downstream-clo-image`
- LOG-1713 - Reduce permissions granted for prometheus-k8s service account
- LOG-2063 - Collector pods fail to start when a Vector-only Cluster Logging instance is created.
- LOG-2134 - The infra logs are sent to app-xx indices
- LOG-2159 - Cluster Logging pods in CrashLoopBackOff
- LOG-2165 - [Vector] Default log level debug makes it hard to find useful error/failure messages.
- LOG-2167 - [Vector] Collector pods fail to start with configuration error when using Kafka SASL over SSL
- LOG-2169 - [Vector] Logs not being sent to Kafka with SASL plaintext.
- LOG-2172 - [vector] The openshift-apiserver and ovn audit logs cannot be collected.
- LOG-2242 - Log file metric exporter is still following /var/log/containers files.
- LOG-2243 - grafana-dashboard-cluster-logging should be deleted once clusterlogging/instance was removed
- LOG-2264 - Logging link should contain an icon
- LOG-2274 - [Logging 5.5] EO doesn't recreate secrets kibana and kibana-proxy after removing them.
- LOG-2276 - Fluent config format is hard to read via configmap
- LOG-2290 - ClusterLogging instance status is not getting updated in UI
- LOG-2291 - [release-5.5] Events listing out of order in Kibana 6.8.1
- LOG-2294 - [Vector] Vector internal metrics are not exposed via HTTPS, so the OpenShift Monitoring Prometheus service cannot scrape the metrics endpoint.
- LOG-2300 - [Logging 5.5] ES pods can't be ready after removing secret/signing-elasticsearch
- LOG-2303 - [Logging 5.5] Elasticsearch cluster upgrade stuck
- LOG-2308 - configmap grafana-dashboard-elasticsearch is being created and deleted continuously
- LOG-2333 - Journal logs not reaching Elasticsearch output
- LOG-2337 - [Vector] Missing @ prefix from the timestamp field in log record.
- LOG-2342 - [Logging 5.5] Kibana pod can't connect to ES cluster after removing secret/signing-elasticsearch: "x509: certificate signed by unknown authority"
- LOG-2384 - Provide a method to get authenticated from GCP
- LOG-2411 - [Vector] Audit logs forwarding not working.
- LOG-2412 - CLO's loki output url is parsed wrongly
- LOG-2413 - PriorityClass cluster-logging is deleted if an invalid log type is provided
- LOG-2418 - EO supported time units don't match the units specified in CRDs.
- LOG-2440 - [loki-operator] Live tail of logs does not work on OpenShift
- LOG-2444 - The write index is removed when `the size of the index` > `diskThresholdPercent% * total size`.
- LOG-2460 - [Vector] Collector pods fail to start on a FIPS enabled cluster.
- LOG-2461 - [Vector] Vector auth config not generated when user provided bearer token is used in a secret for connecting to LokiStack.
- LOG-2463 - Elasticsearch operator repeatedly prints error message when checking indices
- LOG-2474 - EO shouldn't grant cluster-wide permission to system:serviceaccount:openshift-monitoring:prometheus-k8s when ES cluster is deployed. [openshift-logging 5.5]
- LOG-2522 - CLO supported time units don't match the units specified in CRDs.
- LOG-2525 - The container's logs are not sent to a separate index if the annotation is added after the pod is ready.
- LOG-2546 - TLS handshake error on loki-gateway for FIPS cluster
- LOG-2549 - [Vector] [master] Journald logs not sent to the log store when using Vector as collector.
- LOG-2554 - [Vector] [master] Fallback index is not used when structuredTypeKey is missing from JSON log data
- LOG-2588 - FluentdQueueLengthIncreasing rule failing to be evaluated.
- LOG-2596 - [vector] the condition in [transforms.route_container_logs] is inaccurate
- LOG-2599 - Supported values for level field don't match documentation
- LOG-2605 - $labels.instance is empty in the message when firing FluentdNodeDown alert
- LOG-2609 - fluentd and vector are unable to ship logs to elasticsearch when cluster-wide proxy is in effect
- LOG-2627 - containers violate PodSecurity -- Loki
- LOG-2439 - Telemetry: the managedStatus, healthStatus and version values are wrong
- LOG-2619 - containers violate PodSecurity -- Log Exploration
- LOG-2793 - [Vector] OVN audit logs are missing the level field.
- LOG-2864 - [vector] Cannot send logs to default when loki is the default output in CLF
- LOG-2867 - [fluentd] All logs are sent to application tenant when loki is used as default logstore in CLF.
- LOG-2873 - [Vector] Cannot configure CPU/Memory requests/limits when using Vector as collector.
- LOG-2875 - Seeing a black rectangle box on the graph in Logs view
- LOG-2876 - The link to the 'Container details' page on the 'Logs' screen throws error
- LOG-2877 - When there is no query entered, seeing error message on the Logs view
- LOG-2882 - RefreshIntervalDropdown and TimeRangeDropdown always set back to their original values when switching between pages in 'Logs' screen