Moderate: Red Hat OpenShift (Logging Subsystem) security update

Topic

An update for Logging Subsystem (5.6.0) is now available for Red Hat OpenShift Container Platform.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

Description

Logging Subsystem 5.6.0 - Red Hat OpenShift

• logging-view-plugin-container: loader-utils: prototype pollution in function parseQuery in parseQuery.js (CVE-2022-37601)
• logging-elasticsearch6-container: jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518)
• logging-loki-container: various flaws (CVE-2022-2879 CVE-2022-2880 CVE-2022-41715)
• logging-loki-container: golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)
• golang: net/url: JoinPath does not strip relative path components in all circumstances (CVE-2022-32190)
• org.elasticsearch-elasticsearch: jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
• org.elasticsearch-elasticsearch: jackson-databind: use of deeply nested arrays (CVE-2022-42004)

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Logging Subsystem for Red Hat OpenShift 5 x86_64
• Logging Subsystem for Red Hat OpenShift for IBM Power, little endian 5 ppc64le
• Logging Subsystem for Red Hat OpenShift for IBM Z and LinuxONE 5 s390x
• Logging Subsystem for Red Hat OpenShift for ARM 64 5 aarch64

Fixes

• BZ - 2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects
• BZ - 2124668 - CVE-2022-32190 golang: net/url: JoinPath does not strip relative path components in all circumstances
• BZ - 2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY
• BZ - 2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers
• BZ - 2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
• BZ - 2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps
• BZ - 2134876 - CVE-2022-37601 loader-utils: prototype pollution in function parseQuery in parseQuery.js
• BZ - 2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
• BZ - 2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays
• LOG-2843 - tls.key and tls.cert not in fluentd real configuration when forwarding logs using syslog tls
• LOG-2217 - [Vector] Loss of logs when using Vector as collector.
• LOG-2620 - containers violate PodSecurity -- Core
• LOG-2819 - the `.level` field they are getting the "ERROR" but in `.structure.level` field they are getting "INFO"
• LOG-2822 - Evaluating rule failure in LokiRuler pods for Alerting and recording rules
• LOG-2919 - CLO is constantly failing to create already existing logging objects (HTTP 409)
• LOG-2962 - Add the `version` file to Must-Gather archive
• LOG-2993 - consoleexternalloglinks.console.openshift.io/kibana should be removed once Kibana is deleted
• LOG-3072 - Non-admin user with 'view' role can't see any logs in 'Logs' view
• LOG-3090 - Custom outputs defined in ClusterLogForwarder overwritten when using LokiStack as default log storage
• LOG-3129 - Kibana Authentication Exception cookie issue
• LOG-3157 - Resources associated with collector / fluentd keep on getting recreated
• LOG-3161 - the content of secret elasticsearch-metrics-token is recreated continually
• LOG-3168 - Ruler pod throwing 'failed loading deletes for user' error after alerting/recording rules are created
• LOG-3169 - Unable to install Loki operator from upstream repo on OCP 4.12
• LOG-3180 - fluentd plugin for kafka ca-bundle secret doesn't support multiple CAs
• LOG-3186 - [Loki] unable to determine tls profile settings when creating a LokiStack instance with custom global tlsSecurityProfile config
• LOG-3194 - Collector pod violates PodSecurity "restricted:v1.24" when using lokistack as the default log store in OCP 4.12.
• LOG-3195 - [Vector] logs parsed into structured when json is set without structured types.
• LOG-3208 - must-gather is empty for logging with CLO image
• LOG-3224 - Can't forward logs to non-clusterlogging managed ES using vector.
• LOG-3235 - cluster-logging.5.5.3 failing to deploy on ROSA
• LOG-3286 - LokiStack doesn't reconcile to use the changed tlsSecurityProfile set in the global config.
• LOG-3292 - Loki Controller manager in CrashLoop due to failure to list *v1.Proxy
• LOG-3296 - Cannot use default Replication Factor for shirt size
• LOG-3309 - Can't choose correct CA ConfigMap Key when creating lokistack in Console
• LOG-3324 - [vector] the key_pass should be text in vector.toml when forward log to splunk
• LOG-3331 - [release-5.6] Reconcile error on controller when creating LokiStack with tls config
• LOG-3446 - [must-gather] oc adm must-gather execution hangs indefinitely when collecting information for Cluster Logging.

CVEs

• CVE-2020-36518
• CVE-2022-2879
• CVE-2022-2880
• CVE-2022-27664
• CVE-2022-32190
• CVE-2022-37601
• CVE-2022-41715
• CVE-2022-42003
• CVE-2022-42004

References

• https://access.redhat.com/security/updates/classification/#moderate