A Service Telemetry Framework 1.5 security update has been released.

RHSA-2023:1529-01: Moderate: Service Telemetry Framework 1.5 security update

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Service Telemetry Framework 1.5 security update
Advisory ID: RHSA-2023:1529-01
Product: Red Hat OpenStack Platform
Advisory URL:   https://access.redhat.com/errata/RHSA-2023:1529
Issue date: 2023-03-30
CVE Names: CVE-2022-1705 CVE-2022-23772 CVE-2022-23773
CVE-2022-23806 CVE-2022-24675 CVE-2022-27664
CVE-2022-28327 CVE-2022-29526 CVE-2022-30629
CVE-2022-30630 CVE-2022-30631 CVE-2022-30632
CVE-2022-32189 CVE-2022-41715 CVE-2022-41717
=====================================================================

1. Summary:

An update is now available for Service Telemetry Framework 1.5.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Service Telemetry Framework (STF) provides automated collection of
measurements and data from remote clients, such as Red Hat OpenStack
Platform or third-party nodes. STF then transmits the information to a
centralized, receiving Red Hat OpenShift Container Platform (OCP)
deployment for storage, retrieval, and monitoring.

Security Fix(es):

* golang: crypto/elliptic: IsOnCurve returns true for invalid field
elements (CVE-2022-23806)

* golang: math/big: uncontrolled memory consumption due to an unhandled
overflow via Rat.SetString (CVE-2022-23772)

* golang: cmd/go: misinterpretation of branch names can lead to incorrect
access control (CVE-2022-23773)

* golang: encoding/pem: fix stack overflow in Decode (CVE-2022-24675)

* golang: crypto/elliptic: panic caused by oversized scalar
(CVE-2022-28327)

* golang: syscall: faccessat checks wrong group (CVE-2022-29526)

* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

* golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)

* golang: net/http: improper sanitization of Transfer-Encoding header
(CVE-2022-1705)

* golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)

* golang: net/http: handle server errors after sending GOAWAY
(CVE-2022-27664)

* golang: regexp/syntax: limit memory used by parsing regexps
(CVE-2022-41715)

* golang: net/http: An attacker can cause excessive memory growth in a Go
server accepting HTTP/2 requests (CVE-2022-41717)

* golang: crypto/tls: session tickets lack random ticket_age_add
(CVE-2022-30629)

* golang: math/big: decoding big.Float and big.Rat types can panic if the
encoded message is too short, potentially allowing a denial of service
(CVE-2022-32189)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

3. Solution:

The Service Telemetry Framework container image provided by this update can
be downloaded from the Red Hat Container Registry at
registry.access.redhat.com. Installation instructions for your platform are
available at Red Hat Container Catalog (see References).

Dockerfiles and scripts should be amended either to refer to this new image
specifically, or to the latest image generally. Every fix listed above is in
the Go standard library, so it is delivered only by the rebuilt image; no
configuration change applies these fixes to an already running deployment.
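Because every CVE in this advisory is a Go toolchain fix, the practical check after pulling the new image is whether the Go binaries inside it were built with a patched release. The following checker is an added example, not code from Red Hat or the STF project: it reads the build metadata Go embeds in every executable (the same data `go version -m` prints) and compares the toolchain version against the first releases that shipped the newest fix on the list, CVE-2022-41717 (Go 1.18.9 and 1.19.4; confirm against the CVE page for your toolchain). The workflow of copying binaries out of the container with `podman cp` before running it is an assumption, not an STF-documented procedure.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// parseGoVersion turns a toolchain string such as "go1.19.4", "go1.20" or
// "go1.19rc1" into [major, minor, patch]. Pre-release suffixes are dropped, so
// "go1.19rc1" compares as 1.19.0. Strings it cannot parse (e.g. "devel ...")
// return ok == false.
func parseGoVersion(v string) ([3]int, bool) {
	var out [3]int
	v = strings.TrimPrefix(v, "go")
	for i, part := range strings.SplitN(v, ".", 3) {
		digits := part
		for j, r := range part { // keep only the leading digits of each component
			if r < '0' || r > '9' {
				digits = part[:j]
				break
			}
		}
		n, err := strconv.Atoi(digits)
		if err != nil {
			return out, false
		}
		out[i] = n
	}
	return out, true
}

// goVersionAtLeast reports whether have >= want on major.minor.patch.
func goVersionAtLeast(have, want string) bool {
	h, ok1 := parseGoVersion(have)
	w, ok2 := parseGoVersion(want)
	if !ok1 || !ok2 {
		return false
	}
	for i := 0; i < 3; i++ {
		if h[i] != w[i] {
			return h[i] > w[i]
		}
	}
	return true
}

// minPatched gives, per supported release line, the first patch release that
// contains the CVE-2022-41717 fix (assumed thresholds; verify against the CVE
// page). Fixes are backported per line, so go1.18.9 counts as patched even
// though it is numerically below go1.19.4.
var minPatched = map[[2]int]int{
	{1, 18}: 9,
	{1, 19}: 4,
}

// newestFixedLine is the newest line in minPatched; any later line (go1.20+)
// carries the fix from its first release, and older lines never received it.
var newestFixedLine = [2]int{1, 19}

// isPatchedGoVersion reports whether a toolchain version string is at or past
// the fixed release for its line.
func isPatchedGoVersion(v string) (bool, error) {
	ver, ok := parseGoVersion(v)
	if !ok {
		return false, fmt.Errorf("unrecognised Go version %q", v)
	}
	line := [2]int{ver[0], ver[1]}
	if p, found := minPatched[line]; found {
		return ver[2] >= p, nil
	}
	newer := line[0] > newestFixedLine[0] ||
		(line[0] == newestFixedLine[0] && line[1] > newestFixedLine[1])
	return newer, nil
}

// checkBinary reads the embedded build info of a Go executable and reports the
// toolchain it was built with and whether that toolchain is patched.
func checkBinary(path string) (goVersion string, patched bool, err error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, err
	}
	patched, err = isPatchedGoVersion(bi.GoVersion)
	return bi.GoVersion, patched, err
}

func main() {
	// Usage: go run gocheck.go /path/to/binary ...
	// Exit 1 if any binary is unpatched, 2 if any could not be read.
	exit := 0
	for _, p := range os.Args[1:] {
		v, ok, err := checkBinary(p)
		switch {
		case err != nil:
			fmt.Printf("%s: %v\n", p, err)
			exit = 2
		case ok:
			fmt.Printf("%s: built with %s (patched)\n", p, v)
		default:
			fmt.Printf("%s: built with %s (NOT patched)\n", p, v)
			exit = 1
		}
	}
	os.Exit(exit)
}
```

A binary that reports a patched toolchain still has to be the one actually running in the pod, so run the check against files taken from the image digest your deployment references, not from a locally cached tag.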

4. Bugs fixed (https://bugzilla.redhat.com/):

2053429 - CVE-2022-23806 golang: crypto/elliptic: IsOnCurve returns true for invalid field elements
2053532 - CVE-2022-23772 golang: math/big: uncontrolled memory consumption due to an unhandled overflow via Rat.SetString
2053541 - CVE-2022-23773 golang: cmd/go: misinterpretation of branch names can lead to incorrect access control
2077688 - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode
2077689 - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar
2084085 - CVE-2022-29526 golang: syscall: faccessat checks wrong group
2092544 - [RFE] Expose certificate duration in Certificate object for Interconnect
2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read
2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob
2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header
2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob
2113814 - CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service
2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY
2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps
2161274 - CVE-2022-41717 golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests
2176537 - [STF 1.5] Release delivery of STF 1.5.1

5. References:

https://access.redhat.com/security/cve/CVE-2022-1705
https://access.redhat.com/security/cve/CVE-2022-23772
https://access.redhat.com/security/cve/CVE-2022-23773
https://access.redhat.com/security/cve/CVE-2022-23806
https://access.redhat.com/security/cve/CVE-2022-24675
https://access.redhat.com/security/cve/CVE-2022-27664
https://access.redhat.com/security/cve/CVE-2022-28327
https://access.redhat.com/security/cve/CVE-2022-29526
https://access.redhat.com/security/cve/CVE-2022-30629
https://access.redhat.com/security/cve/CVE-2022-30630
https://access.redhat.com/security/cve/CVE-2022-30631
https://access.redhat.com/security/cve/CVE-2022-30632
https://access.redhat.com/security/cve/CVE-2022-32189
https://access.redhat.com/security/cve/CVE-2022-41715
https://access.redhat.com/security/cve/CVE-2022-41717
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.