Headline
Red Hat Security Advisory 2023-2177-01
Red Hat Security Advisory 2023-2177-01 - The Grafana plugin for Performance Co-Pilot includes datasources for scalable time series from pmseries and Redis, live PCP metrics and bpftrace scripts from pmdabpftrace, as well as several dashboards.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Moderate: grafana-pcp security and enhancement update
Advisory ID: RHSA-2023:2177-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2023:2177
Issue date: 2023-05-09
CVE Names: CVE-2022-27664
====================================================================
- Summary:
An update for grafana-pcp is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64
- Description:
The Grafana plugin for Performance Co-Pilot includes datasources for
scalable time series from pmseries and Redis, live PCP metrics and bpftrace
scripts from pmdabpftrace, as well as several dashboards.
Security Fix(es):
- golang: net/http: handle server errors after sending GOAWAY
(CVE-2022-27664)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.2 Release Notes linked from the References section.
- Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY
2127038 - grafana pcp plugin is wiped from rpmostree /var during install in rhel edge
- Package List:
Red Hat Enterprise Linux AppStream (v. 9):
Source:
grafana-pcp-5.1.1-1.el9.src.rpm
aarch64:
grafana-pcp-5.1.1-1.el9.aarch64.rpm
grafana-pcp-debuginfo-5.1.1-1.el9.aarch64.rpm
grafana-pcp-debugsource-5.1.1-1.el9.aarch64.rpm
ppc64le:
grafana-pcp-5.1.1-1.el9.ppc64le.rpm
grafana-pcp-debuginfo-5.1.1-1.el9.ppc64le.rpm
grafana-pcp-debugsource-5.1.1-1.el9.ppc64le.rpm
s390x:
grafana-pcp-5.1.1-1.el9.s390x.rpm
grafana-pcp-debuginfo-5.1.1-1.el9.s390x.rpm
grafana-pcp-debugsource-5.1.1-1.el9.s390x.rpm
x86_64:
grafana-pcp-5.1.1-1.el9.x86_64.rpm
grafana-pcp-debuginfo-5.1.1-1.el9.x86_64.rpm
grafana-pcp-debugsource-5.1.1-1.el9.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2022-27664
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index
- Contact:
The Red Hat security contact is [email protected]. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBZFo0mNzjgjWX9erEAQi6Kg//WADx+EpHhZ82vYF8Jb30kgWpypWH9B4t
5c/1i8fZQDjXdTcaXZ0rrMoJD4SXvWONxXZWNTPP99/hwGw+SzSa4wCNTBXY+GA2
BhlvrAktiDQCckq5AsMGR8RxM01VXlNI1oaos0Yoql6Da9V6jnEVO3tuupGEMdUA
KqHyzvE2fmtKGFbxeKVgI6bq+AYrvztsEJozHnvjItaAcZ9SU10uD+YFwHYDJPVL
iais5PpZ7xAd8I59nsiokrizQ0d1esAAU8CJFJgn3hCFiZ+8XfpzkU7VBrkFlC3X
deQZb4uzNKAQ70yK3Zcl+TW02Ps8Wo1ArnVvMZhx1oLPt+W2B4ZSXkM/IS6wgPGY
gT3QmGlElFHXA7cJdZ9LKTxFpWBalJgfPNjtPcmNFx9EOVerE5pUN04YbHfdBP91
0rC3zbyFmtEtuui+yJjt8WkVUs5T6w12hdF7kM37JW+DeXl5zUrpCLV8oi+XiutH
WAG+oGqF4214SxsQkglsUAGaOh0l1pl/vvllgsmSXCi7+IEpj+J9EPjujNfOE3jh
iEzaVW9RyfySAsBDn6qPj5gLyqAD3hhJ8Gd6q1HQsAjlawzL++49y5b0Ia407wDv
O7xpiA+4YRqsZN0628JGlpXOdrK8xrMaKhz19LIlYR5fSPEBxh921gelhBuYxzKs
edtb4EJ/1js=udLv
-----END PGP SIGNATURE-----
–
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce
Related news
Red Hat Security Advisory 2023-4674-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.12.30.
Red Hat Security Advisory 2023-3742-02 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. Issues addressed include bypass, denial of service, and remote SQL injection vulnerabilities.
Red Hat Security Advisory 2023-3642-01 - Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable version of the Ceph storage system with a Ceph management platform, deployment utilities, and support services. This new container image is based on Red Hat Ceph Storage 6.1 and Red Hat Enterprise Linux 9. Issues addressed include bypass, cross site scripting, denial of service, information leakage, spoofing, and traversal vulnerabilities.
Red Hat OpenShift Service Mesh Containers for 2.4.0 Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-24540: A flaw was found in golang, where not all valid JavaScript white-space characters were considered white space. Due to this issue, templates containing white-space characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.
Secondary Scheduler Operator for Red Hat OpenShift 1.1.1 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After the fix, the reverse proxy sanitizes the query ...
Red Hat Security Advisory 2023-3205-01 - OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. This advisory contains OpenShift Virtualization 4.13.0 images. Issues addressed include a denial of service vulnerability.
An update for grafana is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After the fix, the reverse proxy saniti...
An update for grafana is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After the fix, the reverse proxy saniti...
Red Hat Security Advisory 2023-1529-01 - Service Telemetry Framework provides automated collection of measurements and data from remote clients, such as Red Hat OpenStack Platform or third-party nodes. STF then transmits the information to a centralized, receiving Red Hat OpenShift Container Platform deployment for storage, retrieval, and monitoring. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-1275-01 - An update for etcd is now available for Red Hat OpenStack Platform. Issues addressed include a denial of service vulnerability.
Custom Metrics Autoscaler Operator for Red Hat OpenShift including security updates. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid. * CVE-2022-1962: A flaw was found in the golang standard library, go/par...
Red Hat Security Advisory 2023-0693-01 - The Migration Toolkit for Containers enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Issues addressed include a denial of service vulnerability.
Red Hat OpenShift Service Mesh 2.3.1 Containers Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4238: goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be * CVE-2022-2879: golang: archive/tar: unbounded memory consumption when reading headers * CVE-2022-2880: golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters * CVE-2022-3962: kiali: error message spoofing in kiali UI * CVE-2022-27664: golang: ...
Red Hat Security Advisory 2022-7399-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.12.0. Issues addressed include denial of service, memory leak, and out of bounds read vulnerabilities.
IBM Db2U 3.5, 4.0, and 4.5 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 237210.
OpenShift API for Data Protection (OADP) 1.1.1 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-27191: golang: crash in a golang.org/x/crypto/ssh server * CVE-2022-27664: golang: net/http: handle server errors after sending GOAWAY * CVE-2022-30632: golang: path/filepath: stack exhaustion in Glob * CVE-2022-30635: golang: encoding/gob: stack exhaustion in Decoder.Decode * CVE-2022-32190: golang: net/url: JoinPath does not strip relative path components i...
Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.