-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Logging bug fix and security update (5.2.8)
Advisory ID:       RHSA-2022:0728-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:0728
Issue date:        2022-03-02
CVE Names:         CVE-2020-28491 CVE-2022-0552 
====================================================================
1. Summary:

OpenShift Logging bug fix and security update (5.2.8)

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

OpenShift Logging bug fix and security update (5.2.8)

Security Fix(es):

* jackson-dataformat-cbor:  Unchecked allocation of byte buffer can cause a
java.lang.OutOfMemoryError exception (CVE-2020-28491)

* origin-aggregated-logging/elasticsearch: Incomplete fix for
netty-codec-http CVE-2021-21409 (CVE-2022-0552)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For OpenShift Container Platform 4.8 see the following documentation, which
will be updated shortly for this release, for important instructions on how
to upgrade your cluster and fully apply this errata update:

https://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html

For Red Hat OpenShift Logging 5.2, see the following instructions to apply
this update:

https://docs.openshift.com/container-platform/4.7/logging/cluster-logging-upgrading.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1930423 - CVE-2020-28491 jackson-dataformat-cbor:  Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception
2052539 - CVE-2022-0552 origin-aggregated-logging/elasticsearch: Incomplete fix for netty-codec-http CVE-2021-21409

5. JIRA issues fixed (https://issues.redhat.com/):

LOG-2180 - Logging link is not removed when CLO is uninstalled or its instance is removed

6. References:

https://access.redhat.com/security/cve/CVE-2020-28491
https://access.redhat.com/security/cve/CVE-2022-0552
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYh+XzdzjgjWX9erEAQi0Pw//WJzJRTcWyl/UsQ+oS/7AHPR/kIDkPbR4
AX+AbUXO4AEirXvf911Z5ZdwJw8UrYRdnnMAZItCmisNUPZZ9ybi7AIR3b3HQlwl
EKZOvhdt1YwGfGwIL6mjLeAVoxcBAlkE1LvFAcC18aVNDWeSCWxwZOpUzvTPLVuR
2ljs3hvp6YNHnX4EH2eDpE6ylhruBXY2FXeA+SyWg4TU5q1Hg0WsJE4Z0x7YxWUe
RvPBxZ4xBibyxKxBh47zQLp01aQyz4OTQsC3abMyaWd/jN3vZEFHE0N9UqmdLaMn
XOxA9actMytEcBEfbrTPE1FjlDidvpf+tged99a1Aw5yJdZNydx8WFW5gpIoX2Ix
x4QW68dFpImHLtOS6VB9GChQJQXombsDtf8UPssf7iojpkx40Ikk6Eov+x0K78L8
OOWYXEL37xuP4n26RydUEu09H5vfE9gXDDK6vIfFLDu+55+FQpDLn0JAecgMETx6
NxYzrqJGuZjD1ZP46YDpa/XS/2hc9ueo1G8ydwYyT3DabYXqIjA+wcaMJ0BK7471
hFRgZXMHuG8ziGKgONqeZLXi7NBfCwQr8/olnCe+27NRJGQcrRFggDDnjFnhtjgS
PUzfRhUHhS9uNy6Ih7QB+bNGi3t8nUC9pvJ2is9N9ueG3qIw/KWGuDORqBHSEy/R
8hb6hi3wY5g=MXFM
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2022-0728:01 Moderate: OpenShift Logging bug fix and security

OpenShift Logging bug fix and security update (5.2.8) Red Hat Product Security has rated this update as having a security impact of Moderate

Summary

OpenShift Logging bug fix and security update (5.2.8)
Security Fix(es):
* jackson-dataformat-cbor: Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception (CVE-2020-28491)
* origin-aggregated-logging/elasticsearch: Incomplete fix for netty-codec-http CVE-2021-21409 (CVE-2022-0552)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.



Summary


Solution

For OpenShift Container Platform 4.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:
https://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html
For Red Hat OpenShift Logging 5.2, see the following instructions to apply this update:
https://docs.openshift.com/container-platform/4.7/logging/cluster-logging-upgrading.html

References

https://access.redhat.com/security/cve/CVE-2020-28491 https://access.redhat.com/security/cve/CVE-2022-0552 https://access.redhat.com/security/updates/classification/#moderate

Package List


Severity
Advisory ID: RHSA-2022:0728-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2022:0728
Issued Date: : 2022-03-02
CVE Names: CVE-2020-28491 CVE-2022-0552

Topic

OpenShift Logging bug fix and security update (5.2.8)Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures


Bugs Fixed

1930423 - CVE-2020-28491 jackson-dataformat-cbor: Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception

2052539 - CVE-2022-0552 origin-aggregated-logging/elasticsearch: Incomplete fix for netty-codec-http CVE-2021-21409

5. JIRA issues fixed (https://issues.redhat.com/):

LOG-2180 - Logging link is not removed when CLO is uninstalled or its instance is removed


Related News

28.Lock Globe Esm H320
1 - 2 min read
A resurgence of cyberattacks targeting Linux systems in Asian campaigns through the utilization of the Pupy Remote Access Trojan (RAT) has been
27.Tablet Connections Blocks Lock Esm H320
2 - 4 min read
Canonical has recently announced the Beta release of Ubuntu Linux 24.04 LTS , codenamed "Noble Numbat." This release aims to continue Ubuntu's
21.Globe RadiatingCode Esm H320
2 - 3 min read
The open-source movement has come a long way, from its origins in the 1960s and 1970s to becoming an integral part of organizations worldwide.
13.Lock StylizedMotherboard Esm H320
2 - 3 min read
The Rust-based Edera project demonstrates a unique approach to container security that addresses cloud-native computing challenges. Let's examine
8.Locks HexConnections CodeGlobe Esm H320
2 - 3 min read
Canonical has launched Ubuntu Pro for Devices , a comprehensive offering emphasizing security and compliance for IoT device deployments. This
2.Motherboard Esm H320
2 - 3 min read
The recently uncovered "Native Branch History Injection (BHI)" exploit against the Linux kernel marks a significant milestone in the ongoing battle
1.Penguin Landscape Esm H320
1 - 2 min read
There are compelling arguments in favor of Linux over Windows for desktop usage. Let's explore some advantages of choosing Linux over Windows for
4.Lock AbstractDigital Esm H320
2 - 3 min read
Canonical , the company behind Ubuntu , has introduced Netplan 1.0 , a network configuration tool that simplifies networking configuration on Linux

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved