-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Logging Subsystem 5.5.0 - Red Hat OpenShift security update
Advisory ID:       RHSA-2022:6051-01
Product:           RHOL
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6051
Issue date:        2022-08-18
CVE Names:         CVE-2021-38561 CVE-2022-0759 CVE-2022-1012 
                   CVE-2022-1292 CVE-2022-1586 CVE-2022-1785 
                   CVE-2022-1897 CVE-2022-1927 CVE-2022-2068 
                   CVE-2022-2097 CVE-2022-21698 CVE-2022-30631 
                   CVE-2022-32250 
====================================================================
1. Summary:

An update is now available for RHOL-5.5-RHEL-8.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Logging Subsystem 5.5.0 - Red Hat OpenShift

Security Fix(es):

* kubeclient: kubeconfig parsing error can lead to MITM attacks
(CVE-2022-0759)

* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

* golang: out-of-bounds read in golang.org/x/text/language leads to DoS
(CVE-2021-38561)

* prometheus/client_golang: Denial of service using
InstrumentHandlerCounter (CVE-2022-21698)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter
2058404 - CVE-2022-0759 kubeclient: kubeconfig parsing error can lead to MITM attacks
2100495 - CVE-2021-38561 golang: out-of-bounds read in golang.org/x/text/language leads to DoS
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read
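An added example, not part of the advisory or any Red Hat tooling: a small parser for the RHSA text format that pulls out the header fields and the "Bugs fixed" entries, then flags header CVEs that no Bugzilla entry in the advisory references (here the header lists 13 CVEs but only 4 have Bugzilla entries; the rest must be traced through the CVE pages in the References section). The sample input is a constructed excerpt of this page.

```python
"""Parse RHSA advisory text and cross-check header CVEs against Bugzilla entries."""
import re

# Constructed excerpt of RHSA-2022:6051, used as sample input.
SAMPLE_ADVISORY = """\
Synopsis:          Important: Logging Subsystem 5.5.0 - Red Hat OpenShift security update
Advisory ID:       RHSA-2022:6051-01
Product:           RHOL
Issue date:        2022-08-18
CVE Names:         CVE-2021-38561 CVE-2022-0759 CVE-2022-1012
                   CVE-2022-21698 CVE-2022-30631
====================================================================
1. Summary:

4. Bugs fixed (https://bugzilla.redhat.com/):

2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter
2058404 - CVE-2022-0759 kubeclient: kubeconfig parsing error can lead to MITM attacks
2100495 - CVE-2021-38561 golang: out-of-bounds read in golang.org/x/text/language leads to DoS
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read

5. JIRA issues fixed (https://issues.redhat.com/):
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# Bugzilla lines: "<bz id> - <CVE> <title>"; JIRA lines (LOG-...) do not match.
BUG_RE = re.compile(r"^(\d+) - (CVE-\d{4}-\d{4,}) (.*)$", re.M)


def parse_advisory(text):
    """Return advisory id, issue date, severity, header CVEs and Bugzilla entries."""
    fields, key = {}, None
    # The header is everything before the first '====' rule; 'Key: value'
    # lines, with indented continuation lines appended to the previous key.
    for line in text.split("====", 1)[0].splitlines():
        m = re.match(r"^([A-Za-z ]+):\s+(.*)$", line)
        if m:
            key = m.group(1)
            fields[key] = m.group(2).strip()
        elif key and line.startswith(" "):
            fields[key] += " " + line.strip()
    return {
        "advisory_id": fields.get("Advisory ID"),
        "issue_date": fields.get("Issue date"),
        "severity": fields.get("Synopsis", "").split(":")[0],
        "cves": CVE_RE.findall(fields.get("CVE Names", "")),
        "bugs": [{"id": b, "cve": c, "title": t} for b, c, t in BUG_RE.findall(text)],
    }


def cves_without_bugzilla(adv):
    """Header CVEs with no Bugzilla entry in this advisory (trace via CVE pages)."""
    covered = {b["cve"] for b in adv["bugs"]}
    return [c for c in adv["cves"] if c not in covered]


if __name__ == "__main__":
    adv = parse_advisory(SAMPLE_ADVISORY)
    print(adv["advisory_id"], adv["issue_date"], adv["severity"])
    for cve in cves_without_bugzilla(adv):
        print("no Bugzilla entry in this advisory for", cve)
```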

5. JIRA issues fixed (https://issues.redhat.com/):

LOG-1415 - Allow users to tune fluentd
LOG-1539 - Events and CLO csv are not collected after running `oc adm must-gather --image=$downstream-clo-image `
LOG-1713 - Reduce Permissions granted for prometheus-k8s service account
LOG-2063 - Collector pods fail to start when a Vector only Cluster Logging instance is created.
LOG-2134 - The infra logs are sent to app-xx indices
LOG-2159 - Cluster Logging Pods in CrashLoopBackOff
LOG-2165 - [Vector] Default log level debug makes it hard to find useful error/failure messages.
LOG-2167 - [Vector] Collector pods fail to start with configuration error when using Kafka SASL over SSL
LOG-2169 - [Vector] Logs not being sent to Kafka with SASL plaintext. 
LOG-2172 - [vector] The openshift-apiserver and ovn audit logs cannot be collected.
LOG-2242 - Log file metric exporter is still following /var/log/containers files.
LOG-2243 - grafana-dashboard-cluster-logging should be deleted once clusterlogging/instance was removed
LOG-2264 - Logging link should contain an icon
LOG-2274 - [Logging 5.5] EO doesn't recreate secrets kibana and kibana-proxy after removing them.
LOG-2276 - Fluent config format is hard to read via configmap
LOG-2290 - ClusterLogging Instance status is not getting updated in UI
LOG-2291 - [release-5.5] Events listing out of order in Kibana 6.8.1
LOG-2294 - [Vector] Vector internal metrics are not exposed via HTTPS due to which OpenShift Monitoring Prometheus service cannot scrape the metrics endpoint. 
LOG-2300 - [Logging 5.5] ES pods can't be ready after removing secret/signing-elasticsearch
LOG-2303 - [Logging 5.5] Elasticsearch cluster upgrade stuck
LOG-2308 - configmap grafana-dashboard-elasticsearch is being created and deleted continuously
LOG-2333 - Journal logs not reaching Elasticsearch output
LOG-2337 - [Vector] Missing @ prefix from the timestamp field in log record. 
LOG-2342 - [Logging 5.5] Kibana pod can't connect to ES cluster after removing secret/signing-elasticsearch: "x509: certificate signed by unknown authority"
LOG-2384 - Provide a method to get authenticated from GCP 
LOG-2411 - [Vector] Audit logs forwarding not working.
LOG-2412 - CLO's loki output url is parsed wrongly
LOG-2413 - PriorityClass cluster-logging is deleted if provide an invalid log type
LOG-2418 - EO supported time units don't match the units specified in CRDs.
LOG-2439 - Telemetry: the managedStatus&healthStatus&version values are wrong 
LOG-2440 - [loki-operator] Live tail of logs does not work on OpenShift
LOG-2444 - The write index is removed when `the size of the index` > `diskThresholdPercent% * total size`.
LOG-2460 - [Vector] Collector pods fail to start on a FIPS enabled cluster.
LOG-2461 - [Vector] Vector auth config not generated when user provided bearer token is used in a secret for connecting to LokiStack. 
LOG-2463 - Elasticsearch operator repeatedly prints error message when checking indices
LOG-2474 - EO shouldn't grant cluster-wide permission to system:serviceaccount:openshift-monitoring:prometheus-k8s when ES cluster is deployed. [openshift-logging 5.5]
LOG-2522 - CLO supported time units don't match the units specified in CRDs.
LOG-2525 - The container's logs are not sent to separate index if the annotation is added after the pod is ready.
LOG-2546 - TLS handshake error on loki-gateway for FIPS cluster
LOG-2549 - [Vector] [master] Journald logs not sent to the Log store when using Vector as collector.
LOG-2554 - [Vector] [master] Fallback index is not used when structuredTypeKey is missing from JSON log data
LOG-2588 - FluentdQueueLengthIncreasing rule failing to be evaluated.
LOG-2596 - [vector]the condition in [transforms.route_container_logs] is inaccurate
LOG-2599 - Supported values for level field don't match documentation
LOG-2605 - $labels.instance is empty in the message when firing FluentdNodeDown alert
LOG-2609 - fluentd and vector are unable to ship logs to elasticsearch when cluster-wide proxy is in effect
LOG-2619 - containers violate PodSecurity -- Log Exploration
LOG-2627 - containers violate PodSecurity -- Loki
LOG-2649 - Level Critical should match the beginning of the line as the other levels
LOG-2656 - Logging uses deprecated v1beta1 apis
LOG-2664 - Deprecated Feature logs causing too much noise
LOG-2665 - [Logging 5.5] Sometimes collector fails to push logs to Elasticsearch cluster
LOG-2693 - Integration with Jaeger fails for ServiceMonitor
LOG-2700 - [Vector] vector container can't start due to "unknown field `pod_annotation_fields`".
LOG-2703 - Collector DaemonSet is not removed when CLF is deleted for fluentd/vector only CL instance
LOG-2725 - Upgrade logging-eventrouter Golang version and tags
LOG-2731 - CLO keeps reporting `Reconcile ServiceMonitor retry error` and `Reconcile Service retry error` after creating clusterlogging.
LOG-2732 - Prometheus Operator pod throws 'skipping servicemonitor' error on Jaeger integration
LOG-2742 - unrecognized outputs when use the sts role secret
LOG-2746 - CloudWatch forwarding rejecting large log events, fills tmpfs
LOG-2749 - OpenShift Logging Dashboard for Elastic Shards shows "active_primary" instead of "active" shards.
LOG-2753 - Update Grafana configuration for LokiStack integration on grafana/loki repo
LOG-2763 - [Vector]{Master} Vector's healthcheck fails when forwarding logs to Lokistack.
LOG-2764 - ElasticSearch operator does not respect referencePolicy when selecting oauth-proxy image
LOG-2765 - ingester pod can not be started in IPv6 cluster 
LOG-2766 - [vector] failed to parse cluster url: invalid authority IPv6 http-proxy
LOG-2772 - arn validation failed when role_arn=arn:aws-us-gov:xxx
LOG-2773 - No cluster-logging-operator-metrics service in logging 5.5
LOG-2778 - [Vector] [OCP 4.11] SA token not added to Vector config when connecting to LokiStack instance without CLF creds secret required by LokiStack.
LOG-2784 - Japanese log messages are garbled at Kibana
LOG-2793 - [Vector] OVN audit logs are missing the level field.
LOG-2864 - [vector] Cannot send logs to default when loki is the default output in CLF
LOG-2867 - [fluentd] All logs are sent to application tenant when loki is used as default logstore in CLF.
LOG-2873 - [Vector] Cannot configure CPU/Memory requests/limits when using Vector as collector.
LOG-2875 - Seeing a black rectangle box on the graph in Logs view
LOG-2876 - The link to the 'Container details' page on the 'Logs' screen throws error
LOG-2877 - When there is no query entered, seeing error message on the Logs view
LOG-2882 - RefreshIntervalDropdown and TimeRangeDropdown always set back to its original values when switching between pages in 'Logs' screen

6. References:

https://access.redhat.com/security/cve/CVE-2021-38561
https://access.redhat.com/security/cve/CVE-2022-0759
https://access.redhat.com/security/cve/CVE-2022-1012
https://access.redhat.com/security/cve/CVE-2022-1292
https://access.redhat.com/security/cve/CVE-2022-1586
https://access.redhat.com/security/cve/CVE-2022-1785
https://access.redhat.com/security/cve/CVE-2022-1897
https://access.redhat.com/security/cve/CVE-2022-1927
https://access.redhat.com/security/cve/CVE-2022-2068
https://access.redhat.com/security/cve/CVE-2022-2097
https://access.redhat.com/security/cve/CVE-2022-21698
https://access.redhat.com/security/cve/CVE-2022-30631
https://access.redhat.com/security/cve/CVE-2022-32250
https://access.redhat.com/security/updates/classification/#important

7. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce