—–BEGIN PGP SIGNED MESSAGE—–
\nHash: SHA256<\/p>\n
=====================================================================
\nRed Hat Security Advisory<\/p>\n
Synopsis: Moderate: Logging Subsystem 5.5.5 – Red Hat OpenShift security update
\nAdvisory ID: RHSA-2022:8781-01
\nProduct: Logging Subsystem for Red Hat OpenShift
\nAdvisory URL: https:\/\/access.redhat.com\/errata\/RHSA-2022:8781
\nIssue date: 2022-12-08
\nCVE Names: CVE-2016-3709 CVE-2020-35525 CVE-2020-35527
\nCVE-2020-36516 CVE-2020-36518 CVE-2020-36558
\nCVE-2021-3640 CVE-2021-30002 CVE-2022-0168
\nCVE-2022-0561 CVE-2022-0562 CVE-2022-0617
\nCVE-2022-0854 CVE-2022-0865 CVE-2022-0891
\nCVE-2022-0908 CVE-2022-0909 CVE-2022-0924
\nCVE-2022-1016 CVE-2022-1048 CVE-2022-1055
\nCVE-2022-1184 CVE-2022-1292 CVE-2022-1304
\nCVE-2022-1355 CVE-2022-1586 CVE-2022-1785
\nCVE-2022-1852 CVE-2022-1897 CVE-2022-1927
\nCVE-2022-2068 CVE-2022-2078 CVE-2022-2097
\nCVE-2022-2509 CVE-2022-2586 CVE-2022-2639
\nCVE-2022-2879 CVE-2022-2880 CVE-2022-2938
\nCVE-2022-3515 CVE-2022-20368 CVE-2022-21499
\nCVE-2022-21618 CVE-2022-21619 CVE-2022-21624
\nCVE-2022-21626 CVE-2022-21628 CVE-2022-22624
\nCVE-2022-22628 CVE-2022-22629 CVE-2022-22662
\nCVE-2022-22844 CVE-2022-23960 CVE-2022-24448
\nCVE-2022-25255 CVE-2022-26373 CVE-2022-26700
\nCVE-2022-26709 CVE-2022-26710 CVE-2022-26716
\nCVE-2022-26717 CVE-2022-26719 CVE-2022-27404
\nCVE-2022-27405 CVE-2022-27406 CVE-2022-27664
\nCVE-2022-27950 CVE-2022-28390 CVE-2022-28893
\nCVE-2022-29581 CVE-2022-30293 CVE-2022-32189
\nCVE-2022-34903 CVE-2022-36946 CVE-2022-37434
\nCVE-2022-37603 CVE-2022-39399 CVE-2022-41715
\nCVE-2022-42003 CVE-2022-42004
\n=====================================================================<\/p>\n
1. Summary:<\/p>\n
Logging Subsystem 5.5.5 – Red Hat OpenShift<\/p>\n
Red Hat Product Security has rated this update as having a security impact
\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
\ngives a detailed severity rating, is available for each vulnerability from
\nthe CVE link(s) in the References section.<\/p>\n
2. Description:<\/p>\n
Logging Subsystem 5.5.5 – Red Hat OpenShift<\/p>\n
Security Fixe(s):<\/p>\n
* jackson-databind: denial of service via a large depth of nested
\nobjects (CVE-2020-36518)<\/p>\n
* golang: net\/http: handle server errors after sending GOAWAY
\n(CVE-2022-27664)<\/p>\n
* golang: archive\/tar: unbounded memory consumption when reading headers
\n(CVE-2022-2879, CVE-2022-2880, CVE-2022-41715)<\/p>\n
* jackson-databind: deep wrapper array nesting wrt
\nUNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)<\/p>\n
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)<\/p>\n
* loader-utils: Regular expression denial of service (CVE-2022-37603)<\/p>\n
* golang: math\/big: decoding big.Float and big.Rat types can panic if the
\nencoded message is too short, potentially allowing a denial of service
\n(CVE-2022-32189)<\/p>\n
For more details about the security issue(s), including the impact, a CVSS
\nscore, acknowledgments, and other related information, refer to the CVE
\npage(s) listed in the References section.<\/p>\n
3. Solution:<\/p>\n
For OpenShift Container Platform 4.11 see the following documentation,
\nwhich will be updated shortly for this release, for important instructions
\non how to upgrade your cluster and fully apply this errata update:<\/p>\n
https:\/\/docs.openshift.com\/container-platform\/4.11\/release_notes\/ocp-4-11-release-notes.html<\/p>\n
For Red Hat OpenShift Logging 5.5, see the following instructions to apply
\nthis update:<\/p>\n
https:\/\/docs.openshift.com\/container-platform\/4.11\/logging\/cluster-logging-upgrading.html<\/p>\n
4. Bugs fixed (https:\/\/bugzilla.redhat.com\/):<\/p>\n
2064698 – CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects
\n2113814 – CVE-2022-32189 golang: math\/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service
\n2124669 – CVE-2022-27664 golang: net\/http: handle server errors after sending GOAWAY
\n2132867 – CVE-2022-2879 golang: archive\/tar: unbounded memory consumption when reading headers
\n2132868 – CVE-2022-2880 golang: net\/http\/httputil: ReverseProxy should not forward unparseable query parameters
\n2132872 – CVE-2022-41715 golang: regexp\/syntax: limit memory used by parsing regexps
\n2135244 – CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
\n2135247 – CVE-2022-42004 jackson-databind: use of deeply nested arrays
\n2140597 – CVE-2022-37603 loader-utils:Regular expression denial of service<\/p>\n
5. JIRA issues fixed (https:\/\/issues.jboss.org\/):<\/p>\n
LOG-2860 – Error on LokiStack Components when forwarding logs to Loki on proxy cluster
\nLOG-3131 – vector: kube API server certificate validation failure due to hostname mismatch
\nLOG-3222 – [release-5.5] fluentd plugin for kafka ca-bundle secret doesn’t support multiple CAs
\nLOG-3226 – FluentdQueueLengthIncreasing rule failing to be evaluated.
\nLOG-3284 – [release-5.5][Vector] logs parsed into structured when json is set without structured types.
\nLOG-3287 – [release-5.5] Increase value of cluster-logging PriorityClass to move closer to system-cluster-critical value
\nLOG-3301 – [release-5.5][ClusterLogging] elasticsearchStatus in ClusterLogging instance CR is not updated when Elasticsearch status is changed
\nLOG-3305 – [release-5.5] Kibana Authentication Exception cookie issue
\nLOG-3310 – [release-5.5] Can’t choose correct CA ConfigMap Key when creating lokistack in Console
\nLOG-3332 – [release-5.5] Reconcile error on controller when creating LokiStack with tls config<\/p>\n
6. References:<\/p>\n
https:\/\/access.redhat.com\/security\/cve\/CVE-2016-3709
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2020-35525
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2020-35527
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2020-36516
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2020-36518
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2020-36558
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2021-3640
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2021-30002
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-0168
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-0561
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-0562
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-0617
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-0854
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-0865
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-0891
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-0908
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-0909
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-0924
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-1016
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-1048
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-1055
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-1184
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-1292
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-1304
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-1355
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-1586
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-1785
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-1852
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-1897
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-1927
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-2068
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-2078
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-2097
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-2509
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-2586
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-2639
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-2879
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-2880
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-2938
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-3515
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-20368
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-21499
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-21618
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-21619
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-21624
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-21626
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-21628
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-22624
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-22628
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-22629
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-22662
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-22844
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-23960
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-24448
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-25255
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-26373
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-26700
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-26709
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-26710
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-26716
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-26717
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-26719
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-27404
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-27405
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-27406
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-27664
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-27950
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-28390
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-28893
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-29581
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-30293
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-32189
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-34903
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-36946
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-37434
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-37603
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-39399
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-41715
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-42003
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-42004
\nhttps:\/\/access.redhat.com\/security\/updates\/classification\/#moderate<\/p>\n
7. Contact:<\/p>\n
The Red Hat security contact is <secalert@redhat.com>. More contact
\ndetails at https:\/\/access.redhat.com\/security\/team\/contact\/<\/p>\n
Copyright 2022 Red Hat, Inc.
\n—–BEGIN PGP SIGNATURE—–
\nVersion: GnuPG v1<\/p>\n
iQIVAwUBY5G9q9zjgjWX9erEAQgdfBAApTzFp8Tp32Bv5jN1EnhSqzcQ93cUa2Nr
\not9YGh2Dzqr0lzAP2uf1O61EEYq9mte6X4DckjUDo7BT7u5ZZxMWWSstpNbFUzXl
\n4xs393yEZM52DN174XOP5V7GUG0pyNlEqHYMGjdZF6pzIx2zzF300kAjB4Hpg4wK
\nkKUDVnIyHlvlNcsvjms4p1rzAsIns4c73W89KVkwMyo1pvPQt6v34BWZg5DNnYAM
\nhTzl0JR5XRYW4aZhIMq7FApvh4GeA7n7L0kmnDHFVcx0cnrHrjHZxmRQX0Gai1bc
\nr8MvGvbMTqEAZ4VKKrgNVvVzkdrO4dw20JfbskPgTIbFXH6ns5605b31veRhMYmv
\nNCSJUbq4BLYVAZEhmLa0QIqru1WVCB1e2eRUhvehLiuVlAkgmIgtKvECZ3kpQHxj
\nDvOdnaWC5R9eKtNlX9N1xOtqgOF2w+\/M+5ml5RJgq48Wlb41VpypDIKFBUXh+wR9
\nArrG8kao75Hl0t8\/YQMouqDvgJLNgfceF+WETYryfDus9OlB4YMxhI88mx7HH9zu
\nHy4rb7RhF1OcH\/kWjmMl\/YJQpYSFKJDyls3tAx5ZAWGCpwAzoBZoc9BEKUQwVfnW
\nf3PFotJeQdxKBsbqKVF5h0gHcfSUP+P0kQhx1GD51kxJkUmq47m3OZKIe1QLwYgm
\nT1GSDHkQTcg=
\n=y\/FA
\n—–END PGP SIGNATURE—–
\n—
\nRHSA-announce mailing list
\nRHSA-announce@redhat.com
\nhttps:\/\/listman.redhat.com\/mailman\/listinfo\/rhsa-announce<\/p>\n","protected":false},"excerpt":{"rendered":"
—–BEGIN PGP SIGNED MESSAGE—– Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: Logging Subsystem 5.5.5 – Red Hat OpenShift security update Advisory ID: RHSA-2022:8781-01 Product: Logging Subsystem for Red Hat OpenShift Advisory URL: https:\/\/access.redhat.com\/errata\/RHSA-2022:8781 Issue date: 2022-12-08 CVE Names: CVE-2016-3709 CVE-2020-35525 CVE-2020-35527 CVE-2020-36516 CVE-2020-36518 CVE-2020-36558 CVE-2021-3640 CVE-2021-30002 CVE-2022-0168 CVE-2022-0561 CVE-2022-0562 CVE-2022-0617 CVE-2022-0854 CVE-2022-0865 CVE-2022-0891 …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-34529","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/34529","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=34529"}],"version-history":[{"count":1,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/34529\/revisions"}],"predecessor-version":[{"id":34684,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/34529\/revisions\/34684"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=34529"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=34529"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=34529"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}