
A Red Hat OpenShift security update has been released.



RHSA-2022:8781-01: Moderate: Logging Subsystem 5.5.5 - Red Hat OpenShift security update



=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Logging Subsystem 5.5.5 - Red Hat OpenShift security update
Advisory ID: RHSA-2022:8781-01
Product: Logging Subsystem for Red Hat OpenShift
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8781
Issue date: 2022-12-08
CVE Names: CVE-2016-3709 CVE-2020-35525 CVE-2020-35527
CVE-2020-36516 CVE-2020-36518 CVE-2020-36558
CVE-2021-3640 CVE-2021-30002 CVE-2022-0168
CVE-2022-0561 CVE-2022-0562 CVE-2022-0617
CVE-2022-0854 CVE-2022-0865 CVE-2022-0891
CVE-2022-0908 CVE-2022-0909 CVE-2022-0924
CVE-2022-1016 CVE-2022-1048 CVE-2022-1055
CVE-2022-1184 CVE-2022-1292 CVE-2022-1304
CVE-2022-1355 CVE-2022-1586 CVE-2022-1785
CVE-2022-1852 CVE-2022-1897 CVE-2022-1927
CVE-2022-2068 CVE-2022-2078 CVE-2022-2097
CVE-2022-2509 CVE-2022-2586 CVE-2022-2639
CVE-2022-2879 CVE-2022-2880 CVE-2022-2938
CVE-2022-3515 CVE-2022-20368 CVE-2022-21499
CVE-2022-21618 CVE-2022-21619 CVE-2022-21624
CVE-2022-21626 CVE-2022-21628 CVE-2022-22624
CVE-2022-22628 CVE-2022-22629 CVE-2022-22662
CVE-2022-22844 CVE-2022-23960 CVE-2022-24448
CVE-2022-25255 CVE-2022-26373 CVE-2022-26700
CVE-2022-26709 CVE-2022-26710 CVE-2022-26716
CVE-2022-26717 CVE-2022-26719 CVE-2022-27404
CVE-2022-27405 CVE-2022-27406 CVE-2022-27664
CVE-2022-27950 CVE-2022-28390 CVE-2022-28893
CVE-2022-29581 CVE-2022-30293 CVE-2022-32189
CVE-2022-34903 CVE-2022-36946 CVE-2022-37434
CVE-2022-37603 CVE-2022-39399 CVE-2022-41715
CVE-2022-42003 CVE-2022-42004
=====================================================================

1. Summary:

Logging Subsystem 5.5.5 - Red Hat OpenShift

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Logging Subsystem 5.5.5 - Red Hat OpenShift

Security Fix(es):

* jackson-databind: denial of service via a large depth of nested
objects (CVE-2020-36518)

* golang: net/http: handle server errors after sending GOAWAY
(CVE-2022-27664)

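* golang: archive/tar: unbounded memory consumption when reading headers
(CVE-2022-2879)

* golang: net/http/httputil: ReverseProxy should not forward unparseable
query parameters (CVE-2022-2880)

* golang: regexp/syntax: limit memory used by parsing regexps
(CVE-2022-41715)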

* jackson-databind: deep wrapper array nesting wrt
UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)

* jackson-databind: use of deeply nested arrays (CVE-2022-42004)

* loader-utils: Regular expression denial of service (CVE-2022-37603)

* golang: math/big: decoding big.Float and big.Rat types can panic if the
encoded message is too short, potentially allowing a denial of service
(CVE-2022-32189)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For OpenShift Container Platform 4.11 see the following documentation,
which will be updated shortly for this release, for important instructions
on how to upgrade your cluster and fully apply this errata update:

  https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html

For Red Hat OpenShift Logging 5.5, see the following instructions to apply
this update:

  https://docs.openshift.com/container-platform/4.11/logging/cluster-logging-upgrading.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects
2113814 - CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service
2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY
2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers
2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps
2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays
2140597 - CVE-2022-37603 loader-utils: Regular expression denial of service

5. JIRA issues fixed (https://issues.jboss.org/):

LOG-2860 - Error on LokiStack Components when forwarding logs to Loki on proxy cluster
LOG-3131 - vector: kube API server certificate validation failure due to hostname mismatch
LOG-3222 - [release-5.5] fluentd plugin for kafka ca-bundle secret doesn't support multiple CAs
LOG-3226 - FluentdQueueLengthIncreasing rule failing to be evaluated.
LOG-3284 - [release-5.5][Vector] logs parsed into structured when json is set without structured types.
LOG-3287 - [release-5.5] Increase value of cluster-logging PriorityClass to move closer to system-cluster-critical value
LOG-3301 - [release-5.5][ClusterLogging] elasticsearchStatus in ClusterLogging instance CR is not updated when Elasticsearch status is changed
LOG-3305 - [release-5.5] Kibana Authentication Exception cookie issue
LOG-3310 - [release-5.5] Can't choose correct CA ConfigMap Key when creating lokistack in Console
LOG-3332 - [release-5.5] Reconcile error on controller when creating LokiStack with tls config

6. References:

  https://access.redhat.com/security/cve/CVE-2016-3709
  https://access.redhat.com/security/cve/CVE-2020-35525
  https://access.redhat.com/security/cve/CVE-2020-35527
  https://access.redhat.com/security/cve/CVE-2020-36516
  https://access.redhat.com/security/cve/CVE-2020-36518
  https://access.redhat.com/security/cve/CVE-2020-36558
  https://access.redhat.com/security/cve/CVE-2021-3640
  https://access.redhat.com/security/cve/CVE-2021-30002
  https://access.redhat.com/security/cve/CVE-2022-0168
  https://access.redhat.com/security/cve/CVE-2022-0561
  https://access.redhat.com/security/cve/CVE-2022-0562
  https://access.redhat.com/security/cve/CVE-2022-0617
  https://access.redhat.com/security/cve/CVE-2022-0854
  https://access.redhat.com/security/cve/CVE-2022-0865
  https://access.redhat.com/security/cve/CVE-2022-0891
  https://access.redhat.com/security/cve/CVE-2022-0908
  https://access.redhat.com/security/cve/CVE-2022-0909
  https://access.redhat.com/security/cve/CVE-2022-0924
  https://access.redhat.com/security/cve/CVE-2022-1016
  https://access.redhat.com/security/cve/CVE-2022-1048
  https://access.redhat.com/security/cve/CVE-2022-1055
  https://access.redhat.com/security/cve/CVE-2022-1184
  https://access.redhat.com/security/cve/CVE-2022-1292
  https://access.redhat.com/security/cve/CVE-2022-1304
  https://access.redhat.com/security/cve/CVE-2022-1355
  https://access.redhat.com/security/cve/CVE-2022-1586
  https://access.redhat.com/security/cve/CVE-2022-1785
  https://access.redhat.com/security/cve/CVE-2022-1852
  https://access.redhat.com/security/cve/CVE-2022-1897
  https://access.redhat.com/security/cve/CVE-2022-1927
  https://access.redhat.com/security/cve/CVE-2022-2068
  https://access.redhat.com/security/cve/CVE-2022-2078
  https://access.redhat.com/security/cve/CVE-2022-2097
  https://access.redhat.com/security/cve/CVE-2022-2509
  https://access.redhat.com/security/cve/CVE-2022-2586
  https://access.redhat.com/security/cve/CVE-2022-2639
  https://access.redhat.com/security/cve/CVE-2022-2879
  https://access.redhat.com/security/cve/CVE-2022-2880
  https://access.redhat.com/security/cve/CVE-2022-2938
  https://access.redhat.com/security/cve/CVE-2022-3515
  https://access.redhat.com/security/cve/CVE-2022-20368
  https://access.redhat.com/security/cve/CVE-2022-21499
  https://access.redhat.com/security/cve/CVE-2022-21618
  https://access.redhat.com/security/cve/CVE-2022-21619
  https://access.redhat.com/security/cve/CVE-2022-21624
  https://access.redhat.com/security/cve/CVE-2022-21626
  https://access.redhat.com/security/cve/CVE-2022-21628
  https://access.redhat.com/security/cve/CVE-2022-22624
  https://access.redhat.com/security/cve/CVE-2022-22628
  https://access.redhat.com/security/cve/CVE-2022-22629
  https://access.redhat.com/security/cve/CVE-2022-22662
  https://access.redhat.com/security/cve/CVE-2022-22844
  https://access.redhat.com/security/cve/CVE-2022-23960
  https://access.redhat.com/security/cve/CVE-2022-24448
  https://access.redhat.com/security/cve/CVE-2022-25255
  https://access.redhat.com/security/cve/CVE-2022-26373
  https://access.redhat.com/security/cve/CVE-2022-26700
  https://access.redhat.com/security/cve/CVE-2022-26709
  https://access.redhat.com/security/cve/CVE-2022-26710
  https://access.redhat.com/security/cve/CVE-2022-26716
  https://access.redhat.com/security/cve/CVE-2022-26717
  https://access.redhat.com/security/cve/CVE-2022-26719
  https://access.redhat.com/security/cve/CVE-2022-27404
  https://access.redhat.com/security/cve/CVE-2022-27405
  https://access.redhat.com/security/cve/CVE-2022-27406
  https://access.redhat.com/security/cve/CVE-2022-27664
  https://access.redhat.com/security/cve/CVE-2022-27950
  https://access.redhat.com/security/cve/CVE-2022-28390
  https://access.redhat.com/security/cve/CVE-2022-28893
  https://access.redhat.com/security/cve/CVE-2022-29581
  https://access.redhat.com/security/cve/CVE-2022-30293
  https://access.redhat.com/security/cve/CVE-2022-32189
  https://access.redhat.com/security/cve/CVE-2022-34903
  https://access.redhat.com/security/cve/CVE-2022-36946
  https://access.redhat.com/security/cve/CVE-2022-37434
  https://access.redhat.com/security/cve/CVE-2022-37603
  https://access.redhat.com/security/cve/CVE-2022-39399
  https://access.redhat.com/security/cve/CVE-2022-41715
  https://access.redhat.com/security/cve/CVE-2022-42003
  https://access.redhat.com/security/cve/CVE-2022-42004
  https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.