-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Logging bug fix and security update (5.1.9)
Advisory ID:       RHSA-2022:0727-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:0727
Issue date:        2022-03-01
CVE Names:         CVE-2020-28491 CVE-2022-0552 
====================================================================
1. Summary:

OpenShift Logging bug fix and security update (5.1.9)

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

OpenShift Logging bug fix and security update (5.1.9)

Security Fix(es):

* jackson-dataformat-cbor:  Unchecked allocation of byte buffer can cause a
java.lang.OutOfMemoryError exception (CVE-2020-28491)

* origin-aggregated-logging/elasticsearch: Incomplete fix for
netty-codec-http CVE-2021-21409 (CVE-2022-0552)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For OpenShift Container Platform 4.8 see the following documentation, which
will be updated shortly for this release, for important instructions on how
to upgrade your cluster and fully apply this errata update:

https://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html

For Red Hat OpenShift Logging 5.1, see the following instructions to apply
this update:

https://docs.openshift.com/container-platform/4.8/logging/cluster-logging-upgrading.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1930423 - CVE-2020-28491 jackson-dataformat-cbor:  Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception
2052539 - CVE-2022-0552 origin-aggregated-logging/elasticsearch: Incomplete fix for netty-codec-http CVE-2021-21409

5. JIRA issues fixed (https://issues.redhat.com/):

LOG-2181 - Logging link is not removed when CLO is uninstalled or its instance is removed

6. References:

https://access.redhat.com/security/cve/CVE-2020-28491
https://access.redhat.com/security/cve/CVE-2022-0552
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYh6altzjgjWX9erEAQjRPg//WbHeVQWkkSJt0czQiJI8BFyLoUagVw9k
paxGAnWrxKiwDCvhVqdjXMqnFH/7ToUO3cWPI4P9Bhw0XVp+yVZc6SWR1yvJq9zn
6kg8121gIhmvwZdUIOoOPOIx7rUB156zTr7Pl0G6bMDxsI9E3UwxSzKsA95OeK4A
H5VQ1NZ0E6azAqtJ6DxGcyhil/ySO8AumpSo3CqZ2DSMAp5qjTXm10llpWaCn7wh
xjteiyDYLklxNuJcdzFugYcdBjKEJQ9gf0LjsJ4ezyBv5aFuj8XOTdndP/5irMgf
MP5F+eYhVk0CJzjFFVpWsCk2mOAJFW4kVs5DZP+vkxJG8ZOdMpkghDmLsggWUCFz
dGHDxhO47S8Bv0WZOPqrTFfEdUUfanECpJ8gS0iclaUCxLtckLmqAoEN+98vQXqu
uxpSku+TWAO830yjhOz+gHTq9VzkVIu9LrJ6BnP+xVaA6/HYLdelVVmN9E5g6alB
ALwnec6+onMRE5YEGl9b+HgSf/OhBMEMmI6Kz7OoQFi2c2OJjJRw6JKVKKqBZXg6
y1sfu5S5AFgiJdTiOn5TR6ruHSeyNyYa8FeXK323QJgJj2ErRLrarEPksPT1Ps7k
Xv1L0YAicN4zwk1uo2A5naWeRJFmrXDyajm5u+DE8/nW7mnG24Cx4CRuN8N1wFJF
PdgA4tAMu2o=XHw6
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2022-0727:01 Moderate: OpenShift Logging bug fix and security

OpenShift Logging bug fix and security update (5.1.9) Red Hat Product Security has rated this update as having a security impact of Moderate

Summary

OpenShift Logging bug fix and security update (5.1.9)
Security Fix(es):
* jackson-dataformat-cbor: Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception (CVE-2020-28491)
* origin-aggregated-logging/elasticsearch: Incomplete fix for netty-codec-http CVE-2021-21409 (CVE-2022-0552)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.



Summary


Solution

For OpenShift Container Platform 4.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:
https://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html
For Red Hat OpenShift Logging 5.1, see the following instructions to apply this update:
https://docs.openshift.com/container-platform/4.8/logging/cluster-logging-upgrading.html

References

https://access.redhat.com/security/cve/CVE-2020-28491 https://access.redhat.com/security/cve/CVE-2022-0552 https://access.redhat.com/security/updates/classification/#moderate

Package List


Severity
Advisory ID: RHSA-2022:0727-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2022:0727
Issued Date: : 2022-03-01
CVE Names: CVE-2020-28491 CVE-2022-0552

Topic

OpenShift Logging bug fix and security update (5.1.9)Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures


Bugs Fixed

1930423 - CVE-2020-28491 jackson-dataformat-cbor: Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception

2052539 - CVE-2022-0552 origin-aggregated-logging/elasticsearch: Incomplete fix for netty-codec-http CVE-2021-21409

5. JIRA issues fixed (https://issues.redhat.com/):

LOG-2181 - Logging link is not removed when CLO is uninstalled or its instance is removed


Related News

5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
28.Lock Globe Esm H320
1 - 2 min read
A resurgence of cyberattacks targeting Linux systems in Asian campaigns through the utilization of the Pupy Remote Access Trojan (RAT) has been
27.Tablet Connections Blocks Lock Esm H320
2 - 4 min read
Canonical has recently announced the Beta release of Ubuntu Linux 24.04 LTS , codenamed "Noble Numbat." This release aims to continue Ubuntu's
21.Globe RadiatingCode Esm H320
2 - 3 min read
The open-source movement has come a long way, from its origins in the 1960s and 1970s to becoming an integral part of organizations worldwide.
13.Lock StylizedMotherboard Esm H320
2 - 3 min read
The Rust-based Edera project demonstrates a unique approach to container security that addresses cloud-native computing challenges. Let's examine
8.Locks HexConnections CodeGlobe Esm H320
2 - 3 min read
Canonical has launched Ubuntu Pro for Devices , a comprehensive offering emphasizing security and compliance for IoT device deployments. This
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved