- Issued: 2023-01-19
- Updated: 2023-01-19
RHSA-2023:0264 - Moderate: Red Hat OpenShift Logging Subsystem - security update
Synopsis
Moderate: Red Hat OpenShift (Logging Subsystem) security update
Type/Severity
Security Advisory Moderate
Topic
An update for Logging Subsystem (5.6.0) is now available for Red Hat OpenShift Container Platform.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Logging Subsystem 5.6.0 - Red Hat OpenShift
- logging-view-plugin-container: loader-utils: prototype pollution in function parseQuery in parseQuery.js (CVE-2022-37601)
- logging-elasticsearch6-container: jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518)
- logging-loki-container: various flaws (CVE-2022-2879, CVE-2022-2880, CVE-2022-41715)
- logging-loki-container: golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)
- golang: net/url: JoinPath does not strip relative path components in all circumstances (CVE-2022-32190)
- org.elasticsearch-elasticsearch: jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
- org.elasticsearch-elasticsearch: jackson-databind: use of deeply nested arrays (CVE-2022-42004)
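The first item above names prototype pollution in a query parser. What follows is an added illustration of that bug class, written for this page; it is not loader-utils' parseQuery and does not reproduce the CVE-2022-37601 trigger. The parser shape (one level of `key[sub]` nesting), the probe key `polluted` and the function names are assumptions for the demonstration. The vulnerable parser assigns parsed keys into plain objects, so a `__proto__` key resolves to `Object.prototype` and the nested write lands on every object in the process; the hardened parser uses null-prototype containers and rejects the keys that reach the prototype chain.

```javascript
'use strict';

// Added illustration of the prototype-pollution bug class behind
// CVE-2022-37601. It is not loader-utils' parseQuery and does not reproduce
// that package's trigger; the parser shape (one level of key[sub] nesting)
// and the probe property name "polluted" are assumptions for this demo.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// "b[c]" -> ["b", "c"]; "a" -> ["a"]. One nesting level is enough to show the bug.
function splitKey(key) {
  const m = /^([^[\]]+)\[([^[\]]*)\]$/.exec(key);
  return m ? [m[1], m[2]] : [key];
}

// "?a=1&b[c]=2" -> [[["a"], "1"], [["b", "c"], "2"]]
function parsePairs(query) {
  const body = query.startsWith('?') ? query.slice(1) : query;
  const pairs = [];
  for (const part of body.split('&')) {
    if (part === '') continue;
    const eq = part.indexOf('=');
    const rawKey = eq >= 0 ? part.slice(0, eq) : part;
    const rawVal = eq >= 0 ? part.slice(eq + 1) : '';
    pairs.push([splitKey(decodeURIComponent(rawKey)), decodeURIComponent(rawVal)]);
  }
  return pairs;
}

// VULNERABLE: plain {} containers and unchecked keys. For "__proto__[polluted]=yes"
// result["__proto__"] resolves to Object.prototype, so the second assignment
// writes "polluted" onto every object in the realm.
function parseQueryVulnerable(query) {
  const result = {};
  for (const [path, value] of parsePairs(query)) {
    if (path.length === 1) {
      result[path[0]] = value;
      continue;
    }
    if (typeof result[path[0]] !== 'object' || result[path[0]] === null) {
      result[path[0]] = {};
    }
    result[path[0]][path[1]] = value;
  }
  return result;
}

// HARDENED: null-prototype containers (nothing to walk up to) plus an explicit
// reject of the keys that reach the prototype chain. Either alone stops the
// write to Object.prototype; both together also keep such keys out of the result.
function parseQueryHardened(query) {
  const result = Object.create(null);
  for (const [path, value] of parsePairs(query)) {
    if (path.some((k) => FORBIDDEN_KEYS.has(k))) {
      throw new Error(`rejected query key: ${path.join('.')}`);
    }
    if (path.length === 1) {
      result[path[0]] = value;
      continue;
    }
    const existing = result[path[0]];
    if (typeof existing !== 'object' || existing === null) {
      result[path[0]] = Object.create(null);
    }
    result[path[0]][path[1]] = value;
  }
  return result;
}

// Run a parser on a probe and report whether an unrelated, freshly created
// object inherited the injected property. The probe property is removed
// afterwards so later checks in the same process start clean.
function pollutes(parser, probe) {
  try {
    parser(probe);
  } catch (e) {
    // the hardened parser throws on the probe; the check below still runs
  }
  const leaked = ({}).polluted !== undefined;
  delete Object.prototype.polluted;
  return leaked;
}
```

Calling `pollutes(parseQueryVulnerable, '?__proto__[polluted]=yes')` returns `true` and `pollutes(parseQueryHardened, ...)` returns `false`; the hardened parser throws on the probe instead of silently dropping it, which is the behaviour to prefer in a loader that processes untrusted query strings, since a silently dropped key hides the attempt from logs.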
Solution
Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
Affected Products
| Product | Version | Arch |
|---|---|---|
| Logging Subsystem for Red Hat OpenShift | 5 | x86_64 |
| Logging Subsystem for Red Hat OpenShift for IBM Z and LinuxONE | 5 | s390x |
| Logging Subsystem for Red Hat OpenShift for IBM Power, little endian | 5 | ppc64le |
| Logging Subsystem for Red Hat OpenShift for ARM 64 | 5 | aarch64 |
Fixes
- BZ - 2064698
- BZ - 2124668
- BZ - 2124669
- BZ - 2132867
- BZ - 2132868
- BZ - 2132872
- BZ - 2134876
- BZ - 2135244
- BZ - 2135247
- LOG-2843
- LOG-2217
- LOG-2620
- LOG-2819
- LOG-2822
- LOG-2919
- LOG-2962
- LOG-2993
- LOG-3072
- LOG-3090
- LOG-3129
- LOG-3157
- LOG-3161
- LOG-3168
- LOG-3169
- LOG-3180
- LOG-3186
- LOG-3194
- LOG-3195
- LOG-3208
- LOG-3224
- LOG-3235
- LOG-3286
- LOG-3292
- LOG-3296
- LOG-3309
- LOG-3324
- LOG-3331
- LOG-3446
CVEs
- CVE-2020-36518
- CVE-2022-2879
- CVE-2022-2880
- CVE-2022-27664
- CVE-2022-32190
- CVE-2022-37601
- CVE-2022-41715
- CVE-2022-42003
- CVE-2022-42004
References
Additional information
- The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
- Offline Security Data is available for integration with other systems. See the Offline Security Data API to get started.