An Openshift Logging Bug Fix Release (5.0.3) has been released.

RHSA-2021:1515-01: Important: Openshift Logging Bug Fix Release (5.0.3)

=====================================================================
Red Hat Security Advisory

Synopsis: Important: Openshift Logging Bug Fix Release (5.0.3)
Advisory ID: RHSA-2021:1515-01
Product: Red Hat OpenShift Enterprise
Advisory URL:   https://access.redhat.com/errata/RHSA-2021:1515
Issue date: 2021-05-06
CVE Names: CVE-2018-14718 CVE-2018-14719 CVE-2018-14720
CVE-2018-14721 CVE-2018-19360 CVE-2018-19361
CVE-2018-19362 CVE-2019-14379 CVE-2020-15586
CVE-2020-16845 CVE-2020-24750 CVE-2020-35490
CVE-2020-35491 CVE-2020-35728 CVE-2020-36179
CVE-2020-36180 CVE-2020-36181 CVE-2020-36182
CVE-2020-36183 CVE-2020-36184 CVE-2020-36185
CVE-2020-36186 CVE-2020-36187 CVE-2020-36188
CVE-2020-36189 CVE-2021-2163 CVE-2021-20190
=====================================================================

1. Summary:

Openshift Logging Bug Fix Release (5.0.3)
This release includes a security update.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Openshift Logging Bug Fix Release (5.0.3)

Security Fix(es):

* jackson-databind: arbitrary code execution in slf4j-ext class
(CVE-2018-14718)

* jackson-databind: arbitrary code execution in blaze-ds-opt and
blaze-ds-core classes (CVE-2018-14719)

* jackson-databind: improper polymorphic deserialization in
axis2-transport-jms class (CVE-2018-19360)

* jackson-databind: improper polymorphic deserialization in openjpa class
(CVE-2018-19361)

* jackson-databind: improper polymorphic deserialization in
jboss-common-core class (CVE-2018-19362)

* jackson-databind: default typing mishandling leading to remote code
execution (CVE-2019-14379)

* jackson-databind: Serialization gadgets in
com.pastdev.httpcomponents.configuration.JndiConfiguration (CVE-2020-24750)

* jackson-databind: mishandles the interaction between serialization
gadgets and typing, related to
org.apache.commons.dbcp2.datasources.PerUserPoolDataSource (CVE-2020-35490)

* jackson-databind: mishandles the interaction between serialization
gadgets and typing, related to
org.apache.commons.dbcp2.datasources.SharedPoolDataSource (CVE-2020-35491)

* jackson-databind: mishandles the interaction between serialization
gadgets and typing, related to
com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool
(CVE-2020-35728)

* jackson-databind: mishandles the interaction between serialization
gadgets and typing, related to
oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS (CVE-2020-36179)

* jackson-databind: mishandles the interaction between serialization
gadgets and typing, related to
org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS (CVE-2020-36180)

* jackson-databind: mishandles the interaction between serialization
gadgets and typing, related to
org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS (CVE-2020-36181)

* jackson-databind: mishandles the interaction between serialization
gadgets and typing, related to
org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS (CVE-2020-36182)

* jackson-databind: mishandles the interaction between serialization
gadgets and typing, related to
org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool (CVE-2020-36183)

* jackson-databind: mishandles the interaction between serialization
gadgets and typing, related to
org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource
(CVE-2020-36184)

* jackson-databind: mishandles the interaction between serialization
gadgets and typing, related to
org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource
(CVE-2020-36185)

* jackson-databind: mishandles the interaction between serialization
gadgets and typing, related to
org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource
(CVE-2020-36186)

* jackson-databind: mishandles the interaction between serialization
gadgets and typing, related to
org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource
(CVE-2020-36187)

* jackson-databind: mishandles the interaction between serialization
gadgets and typing, related to
com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource
(CVE-2020-36188)

* jackson-databind: mishandles the interaction between serialization
gadgets and typing, related to
com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource
(CVE-2020-36189)

* jackson-databind: mishandles the interaction between serialization
gadgets and typing, related to javax.swing (CVE-2021-20190)

* jackson-databind: exfiltration/XXE in some JDK classes (CVE-2018-14720)

* jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class
(CVE-2018-14721)

* golang: data race in certain net/http servers including ReverseProxy can
lead to DoS (CVE-2020-15586)

* golang: ReadUvarint and ReadVarint can read an unlimited number of bytes
from invalid inputs (CVE-2020-16845)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
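The jackson-databind entries above are all instances of one pattern: with default typing enabled, the JSON input names the class that gets instantiated, and each CVE adds one more gadget class to Jackson's deny-list. The following Java example is added here and is not part of this advisory or of OpenShift Logging. It shows the weak ObjectMapper configuration beside one that restricts polymorphic resolution to an allow-list, which rejects classes that are not yet on any deny-list. The package name, the Envelope and LogRecord classes and the JSON inputs are constructed for illustration; the code assumes jackson-databind 2.10 or later.

```java
package com.example.logging;

import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example, not part of the advisory or of OpenShift Logging.
// Assumes jackson-databind 2.10+ (activateDefaultTyping and
// BasicPolymorphicTypeValidator were introduced in 2.10). The package,
// classes and JSON inputs are constructed for illustration.
public class DefaultTypingDemo {

    // A field typed as Object is where default typing lets the *input*
    // pick the concrete class that gets instantiated.
    public static class Envelope {
        public String source;
        public Object payload;
    }

    // The only payload type the application actually expects.
    public static class LogRecord {
        public String level;
        public String message;
    }

    // Weak configuration: default typing with no validator. Any class name
    // carried in the JSON type id is resolved and instantiated; only
    // Jackson's reactive deny-list (grown one class at a time, see the CVE
    // list above) stands between the input and a gadget class.
    @SuppressWarnings("deprecation")
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return m;
    }

    // Hardened configuration: the same default typing, but every type id is
    // checked against an allow-list during type-id resolution, before any
    // constructor runs. Classes outside the list are rejected whether or not
    // they are on the classpath and whether or not a deny-list knows them.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(LogRecord.class)
                .build();
        return JsonMapper.builder()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE)
                .build();
    }

    // Returns the runtime class of the payload, or the rejection reason.
    static String describe(ObjectMapper mapper, String json) {
        try {
            Envelope e = mapper.readValue(json, Envelope.class);
            return "accepted: " + e.payload.getClass().getName();
        } catch (JsonMappingException ex) {
            // With the validator in place this is an InvalidTypeIdException
            // raised while resolving the type id, i.e. before instantiation.
            return "rejected: " + ex.getOriginalMessage();
        } catch (java.io.IOException ex) {
            return "rejected: " + ex.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed inputs. Default typing uses the WRAPPER_ARRAY shape:
        // ["<class name>", { ...properties... }]
        String expected = "{\"source\":\"collector\",\"payload\":"
                + "[\"com.example.logging.DefaultTypingDemo$LogRecord\","
                + "{\"level\":\"INFO\",\"message\":\"ok\"}]}";
        // Same shape, but the sender picks a class the application never
        // asked for. java.util.HashMap is harmless; the point is that the
        // class choice belongs to whoever writes the JSON.
        String senderChosen = "{\"source\":\"collector\",\"payload\":"
                + "[\"java.util.HashMap\",{\"k\":\"v\"}]}";
        // One of the gadget classes named in this advisory (CVE-2020-35491),
        // with an empty body: enough to show that the allow-list refuses the
        // type id itself, without any of the class's properties being set.
        String gadget = "{\"source\":\"collector\",\"payload\":"
                + "[\"org.apache.commons.dbcp2.datasources.SharedPoolDataSource\",{}]}";

        System.out.println("weak     expected : " + describe(weakMapper(), expected));
        System.out.println("weak     hashmap  : " + describe(weakMapper(), senderChosen));
        System.out.println("hardened expected : " + describe(hardenedMapper(), expected));
        System.out.println("hardened hashmap  : " + describe(hardenedMapper(), senderChosen));
        System.out.println("hardened gadget   : " + describe(hardenedMapper(), gadget));
    }
}
```

Compile with jackson-databind on the classpath and run the main method: the weak mapper accepts both the expected payload and the HashMap the sender chose, while the hardened mapper accepts only the LogRecord payload and rejects the other two inputs during type-id resolution. OpenShift Logging operators do not configure this themselves; the fix for the components covered by this advisory is the upgrade in section 3. The example is for reviewing your own Jackson-based services for the same pattern.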

3. Solution:

For OpenShift Container Platform 4.7 see the following documentation, which
will be updated shortly for this release, for important instructions on how
to upgrade your cluster and fully apply this errata update:

  https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html

For Red Hat OpenShift Logging 5.0, see the following instructions to apply
this update:

  https://docs.openshift.com/container-platform/4.7/logging/cluster-logging-upgrading.html

4. JIRA issues fixed (https://issues.jboss.org/):

LOG-1224 - Release 5.0 - ClusterLogForwarder namespace-specific log forwarding does not work as expected
LOG-1232 - 5.0 - Bug 1859004 - Sometimes the eventrouter couldn't gather event logs.
LOG-1234 - CVE-2020-15586 CVE-2020-16845 openshift-eventrouter: various flaws [openshift-4]
LOG-1299 - Release 5.0 Forwarding logs to Kafka using Chained certificates fails with error "state=error: certificate verify failed (unable to get local issuer certificate)"

5. References:

  https://access.redhat.com/security/cve/CVE-2018-14718
  https://access.redhat.com/security/cve/CVE-2018-14719
  https://access.redhat.com/security/cve/CVE-2018-14720
  https://access.redhat.com/security/cve/CVE-2018-14721
  https://access.redhat.com/security/cve/CVE-2018-19360
  https://access.redhat.com/security/cve/CVE-2018-19361
  https://access.redhat.com/security/cve/CVE-2018-19362
  https://access.redhat.com/security/cve/CVE-2019-14379
  https://access.redhat.com/security/cve/CVE-2020-15586
  https://access.redhat.com/security/cve/CVE-2020-16845
  https://access.redhat.com/security/cve/CVE-2020-24750
  https://access.redhat.com/security/cve/CVE-2020-35490
  https://access.redhat.com/security/cve/CVE-2020-35491
  https://access.redhat.com/security/cve/CVE-2020-35728
  https://access.redhat.com/security/cve/CVE-2020-36179
  https://access.redhat.com/security/cve/CVE-2020-36180
  https://access.redhat.com/security/cve/CVE-2020-36181
  https://access.redhat.com/security/cve/CVE-2020-36182
  https://access.redhat.com/security/cve/CVE-2020-36183
  https://access.redhat.com/security/cve/CVE-2020-36184
  https://access.redhat.com/security/cve/CVE-2020-36185
  https://access.redhat.com/security/cve/CVE-2020-36186
  https://access.redhat.com/security/cve/CVE-2020-36187
  https://access.redhat.com/security/cve/CVE-2020-36188
  https://access.redhat.com/security/cve/CVE-2020-36189
  https://access.redhat.com/security/cve/CVE-2021-2163
  https://access.redhat.com/security/cve/CVE-2021-20190
  https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.