Moderate: Logging Subsystem 5.5.5 - Red Hat OpenShift security update

Related Vulnerabilities: CVE-2016-3709, CVE-2020-35525, CVE-2020-35527, CVE-2020-36516, CVE-2020-36518, CVE-2020-36558, CVE-2021-3640, CVE-2021-30002, CVE-2022-0168, CVE-2022-0561, CVE-2022-0562, CVE-2022-0617, CVE-2022-0854, CVE-2022-0865, CVE-2022-0891, CVE-2022-0908, CVE-2022-0909, CVE-2022-0924, CVE-2022-1016, CVE-2022-1048, CVE-2022-1055, CVE-2022-1184, CVE-2022-1292, CVE-2022-1304, CVE-2022-1355, CVE-2022-1586, CVE-2022-1785, CVE-2022-1852, CVE-2022-1897, CVE-2022-1927, CVE-2022-2068, CVE-2022-2078, CVE-2022-2097, CVE-2022-2509, CVE-2022-2586, CVE-2022-2639, CVE-2022-2879, CVE-2022-2880, CVE-2022-2938, CVE-2022-3515, CVE-2022-20368, CVE-2022-21499, CVE-2022-21618, CVE-2022-21619, CVE-2022-21624, CVE-2022-21626, CVE-2022-21628, CVE-2022-22624, CVE-2022-22628, CVE-2022-22629, CVE-2022-22662, CVE-2022-22844, CVE-2022-23960, CVE-2022-24448, CVE-2022-25255, CVE-2022-26373, CVE-2022-26700, CVE-2022-26709, CVE-2022-26710, CVE-2022-26716, CVE-2022-26717, CVE-2022-26719, CVE-2022-27404, CVE-2022-27405, CVE-2022-27406, CVE-2022-27664, CVE-2022-27950, CVE-2022-28390, CVE-2022-28893, CVE-2022-29581, CVE-2022-30293, CVE-2022-32189, CVE-2022-34903, CVE-2022-36946, CVE-2022-37434, CVE-2022-37603, CVE-2022-39399, CVE-2022-41715, CVE-2022-42003, CVE-2022-42004

Synopsis

Moderate: Logging Subsystem 5.5.5 - Red Hat OpenShift security update

Type/Severity

Security Advisory: Moderate

Topic

Logging Subsystem 5.5.5 - Red Hat OpenShift

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Logging Subsystem 5.5.5 - Red Hat OpenShift

Security Fix(es):

  • jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518)
  • golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)
  • golang: archive/tar: unbounded memory consumption when reading headers (CVE-2022-2879, CVE-2022-2880, CVE-2022-41715)
  • jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
  • jackson-databind: use of deeply nested arrays (CVE-2022-42004)
  • loader-utils: Regular expression denial of service (CVE-2022-37603)
  • golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For OpenShift Container Platform 4.11 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:

https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html

For Red Hat OpenShift Logging 5.5, see the following instructions to apply this update:

https://docs.openshift.com/container-platform/4.11/logging/cluster-logging-upgrading.html

Affected Products

  • Logging Subsystem for Red Hat OpenShift 5 x86_64
  • Logging Subsystem for Red Hat OpenShift for IBM Power, little endian 5 ppc64le
  • Logging Subsystem for Red Hat OpenShift for IBM Z and LinuxONE 5 s390x
  • Logging Subsystem for Red Hat OpenShift for ARM 64 5 aarch64

Fixes

  • BZ - 2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects
  • BZ - 2113814 - CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service
  • BZ - 2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY
  • BZ - 2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers
  • BZ - 2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
  • BZ - 2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps
  • BZ - 2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
  • BZ - 2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays
  • BZ - 2140597 - CVE-2022-37603 loader-utils: Regular expression denial of service
  • LOG-2860 - Error on LokiStack Components when forwarding logs to Loki on proxy cluster
  • LOG-3131 - vector: kube API server certificate validation failure due to hostname mismatch
  • LOG-3222 - [release-5.5] fluentd plugin for kafka ca-bundle secret doesn't support multiple CAs
  • LOG-3226 - FluentdQueueLengthIncreasing rule failing to be evaluated
  • LOG-3284 - [release-5.5][Vector] logs parsed into structured when json is set without structured types
  • LOG-3287 - [release-5.5] Increase value of cluster-logging PriorityClass to move closer to system-cluster-critical value
  • LOG-3301 - [release-5.5][ClusterLogging] elasticsearchStatus in ClusterLogging instance CR is not updated when Elasticsearch status is changed
  • LOG-3305 - [release-5.5] Kibana Authentication Exception cookie issue
  • LOG-3310 - [release-5.5] Can't choose correct CA ConfigMap Key when creating lokistack in Console
  • LOG-3332 - [release-5.5] Reconcile error on controller when creating LokiStack with tls config