Issued:: 2022-12-08
Updated:: 2022-12-08

RHSA-2022:8781 - Moderate: Logging Subsystem 5.5.5 - Red Hat OpenShift security update

Synopsis

Moderate: Logging Subsystem 5.5.5 - Red Hat OpenShift security update

Type/Severity

Security Advisory Moderate

Topic

Logging Subsystem 5.5.5 - Red Hat OpenShift

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Logging Subsystem 5.5.5 - Red Hat OpenShift

Security Fixe(s):

jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518)
golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)
golang: archive/tar: unbounded memory consumption when reading headers (CVE-2022-2879, CVE-2022-2880, CVE-2022-41715)
jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
jackson-databind: use of deeply nested arrays (CVE-2022-42004)
loader-utils: Regular expression denial of service (CVE-2022-37603)
golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For OpenShift Container Platform 4.11 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:

https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html

For Red Hat OpenShift Logging 5.5, see the following instructions to apply this update:

https://docs.openshift.com/container-platform/4.11/logging/cluster-logging-upgrading.html

Affected Products

Product	Version	Arch
Logging Subsystem for Red Hat OpenShift	5	x86_64
Logging Subsystem for Red Hat OpenShift for IBM Z and LinuxONE	5	s390x
Logging Subsystem for Red Hat OpenShift for IBM Power, little endian	5	ppc64le
Logging Subsystem for Red Hat OpenShift for ARM 64	5	aarch64

Fixes

CVEs

CVE-2016-3709
CVE-2020-35525
CVE-2020-35527
CVE-2020-36516
CVE-2020-36518
CVE-2020-36558
CVE-2021-3640
CVE-2021-30002
CVE-2022-0168
CVE-2022-0561
CVE-2022-0562
CVE-2022-0617
CVE-2022-0854
CVE-2022-0865
CVE-2022-0891
CVE-2022-0908
CVE-2022-0909
CVE-2022-0924
CVE-2022-1016
CVE-2022-1048
CVE-2022-1055
CVE-2022-1184
CVE-2022-1292
CVE-2022-1304
CVE-2022-1355
CVE-2022-1586
CVE-2022-1785
CVE-2022-1852
CVE-2022-1897
CVE-2022-1927
CVE-2022-2068
CVE-2022-2078
CVE-2022-2097
CVE-2022-2509
CVE-2022-2586
CVE-2022-2639
CVE-2022-2879
CVE-2022-2880
CVE-2022-2938
CVE-2022-3515
CVE-2022-20368
CVE-2022-21499
CVE-2022-21618
CVE-2022-21619
CVE-2022-21624
CVE-2022-21626
CVE-2022-21628
CVE-2022-22624
CVE-2022-22628
CVE-2022-22629
CVE-2022-22662
CVE-2022-22844
CVE-2022-23960
CVE-2022-24448
CVE-2022-25255
CVE-2022-26373
CVE-2022-26700
CVE-2022-26709
CVE-2022-26710
CVE-2022-26716
CVE-2022-26717
CVE-2022-26719
CVE-2022-27404
CVE-2022-27405
CVE-2022-27406
CVE-2022-27664
CVE-2022-27950
CVE-2022-28390
CVE-2022-28893
CVE-2022-29581
CVE-2022-30293
CVE-2022-32189
CVE-2022-34903
CVE-2022-36946
CVE-2022-37434
CVE-2022-37603
CVE-2022-39399
CVE-2022-41715
CVE-2022-42003
CVE-2022-42004

References

https://access.redhat.com/security/updates/classification/#moderate

Additional information

The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.