-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Network Observability 1.4.0 for OpenShift
Advisory ID:       RHSA-2023:5379-01
Product:           Network Observability
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:5379
Issue date:        2023-09-28
CVE Names:         CVE-2022-25883 CVE-2023-2602 CVE-2023-2603
                   CVE-2023-26115 CVE-2023-28321 CVE-2023-28322
                   CVE-2023-28484 CVE-2023-29469
=====================================================================

1. Summary:

Network Observability is an OpenShift operator that deploys a monitoring
pipeline to collect and enrich network flows that are produced by the
Network Observability eBPF agent. The operator provides dashboards, metrics,
and keeps flows accessible in a queryable log store, Grafana Loki. When a
FlowCollector is deployed, new dashboards are available in the Console.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Network Observability 1.4.0

Security Fix(es):

* word-wrap: Regular Expression Denial of Service (CVE-2023-26115)

* nodejs-semver: Regular expression denial of service (CVE-2022-25883)

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2216475 - CVE-2022-25883 nodejs-semver: Regular expression denial of service
2216827 - CVE-2023-26115 word-wrap: ReDoS

5. JIRA issues fixed (https://issues.redhat.com/):

NETOBSERV-1009 - Export Netflows without Loki
NETOBSERV-1034 - Remove 1.0.x channel
NETOBSERV-1107 - Improve ebpf agent memory usage
NETOBSERV-1131 - Metrics do not ignore duplicates
NETOBSERV-1137 - UI Enhancements 1.4
NETOBSERV-1182 - add cluster name to flp configuration
NETOBSERV-1196 - Extend platform coverage for Network Observability
NETOBSERV-1224 - Flowcollector does not report status != Ready in OCP Console
NETOBSERV-1242 - Console plugin build infos
NETOBSERV-1283 - Not able to monitor Multus/SRIOV traffic on Network Observability Operator
NETOBSERV-139 - Flow dashboards enhancements (flow-based metrics)
NETOBSERV-962 - Add IPFIX exporter
NETOBSERV-975 - Flows dropped due to Loki stream limit during large traffic spikes

6. References:

https://access.redhat.com/security/cve/CVE-2022-25883
https://access.redhat.com/security/cve/CVE-2023-2602
https://access.redhat.com/security/cve/CVE-2023-2603
https://access.redhat.com/security/cve/CVE-2023-26115
https://access.redhat.com/security/cve/CVE-2023-28321
https://access.redhat.com/security/cve/CVE-2023-28322
https://access.redhat.com/security/cve/CVE-2023-28484
https://access.redhat.com/security/cve/CVE-2023-29469
https://access.redhat.com/security/updates/classification/#important

7. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJlFPJvAAoJENzjgjWX9erE6ocQAIq2UqNWebhHVR6RWz5DNPKV
vN3p9UFDDV6218CnhSJ8utdpDfuf/QbiM4SD5oLjgwqkcT55CvHMG3FsDrBSoun7
ihpibVNkK9SD5gyUAtBWYO9jlxuMeDn1FqJqHo4bzVllq1oVQYtZp6FLp+zxrUX0
X7b0NbYsuR2cqec4d01eZvnfEGouvSMS0UnUJzCNZ5837SxND11jbwdYMXeJDZNL
vftwDdcVaDXycy4bzK7iuw4ckoZLm30rmuKONbDrwID+tTqQXi2T7cqz3F+OxO6+
N9vLDY6xkOkzVUQtKvC7GYc4lHYZaJycm9KViYhgAF2US9L+vv4sbuyyVM6zpN3t
B5+6I0tKX9kJyKpY7hDU9OTtIO2t8mZiTlkhNKv8oBE4AyfMWwbqS/4AGWBea1yN
RQlRsMDKnv/qVgT380ckkkD7ksPEnxEy9ZMAvZ0ElQLrtKNPkwXQFhgCu/3QphWJ
epieCp3IQiXZaHJeX31E26v3PcwCoeder/FsyRfgNINpLe+WLLSqkbDWvVQHsKHM
mfbh/089ps5grHOD8aAv+w25OwbQGQZ1x65nxn4AAfFKtn1+JcRTpuvqZILXAn+f
Nst3KqcTO0EDxMO/H7Gi2pTTHvDWzdgvRpkz3RXVyK7IjmqM0tqRXBGvRh45QNfx
pKJwnAnKS+8ITelhsQGZ
=mX3+
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce