Synopsis
Moderate: Logging Subsystem 5.5.5 - Red Hat OpenShift security update
Type/Severity
Security Advisory: Moderate
Topic
Logging Subsystem 5.5.5 - Red Hat OpenShift
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Logging Subsystem 5.5.5 - Red Hat OpenShift
Security Fix(es):
- jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518)
- golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)
- golang: archive/tar: unbounded memory consumption when reading headers (CVE-2022-2879, CVE-2022-2880, CVE-2022-41715)
- jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
- jackson-databind: use of deeply nested arrays (CVE-2022-42004)
- loader-utils: Regular expression denial of service (CVE-2022-37603)
- golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Affected Products
- Logging Subsystem for Red Hat OpenShift 5 x86_64
- Logging Subsystem for Red Hat OpenShift for IBM Power, little endian 5 ppc64le
- Logging Subsystem for Red Hat OpenShift for IBM Z and LinuxONE 5 s390x
- Logging Subsystem for Red Hat OpenShift for ARM 64 5 aarch64
Fixes
- BZ - 2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects
- BZ - 2113814 - CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service
- BZ - 2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY
- BZ - 2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers
- BZ - 2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
- BZ - 2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps
- BZ - 2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
- BZ - 2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays
- BZ - 2140597 - CVE-2022-37603 loader-utils: Regular expression denial of service
- LOG-2860 - Error on LokiStack Components when forwarding logs to Loki on proxy cluster
- LOG-3131 - vector: kube API server certificate validation failure due to hostname mismatch
- LOG-3222 - [release-5.5] fluentd plugin for kafka ca-bundle secret doesn't support multiple CAs
- LOG-3226 - FluentdQueueLengthIncreasing rule failing to be evaluated.
- LOG-3284 - [release-5.5][Vector] logs parsed into structured when json is set without structured types.
- LOG-3287 - [release-5.5] Increase value of cluster-logging PriorityClass to move closer to system-cluster-critical value
- LOG-3301 - [release-5.5][ClusterLogging] elasticsearchStatus in ClusterLogging instance CR is not updated when Elasticsearch status is changed
- LOG-3305 - [release-5.5] Kibana Authentication Exception cookie issue
- LOG-3310 - [release-5.5] Can't choose correct CA ConfigMap Key when creating lokistack in Console
- LOG-3332 - [release-5.5] Reconcile error on controller when creating LokiStack with tls config