RHSA-2021:1515: Red Hat Security Advisory: Openshift Logging Bug Fix Release (5.0.3)

Openshift Logging Bug Fix Release (5.0.3)

This release includes a security update. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Security Fix(es):

  • jackson-databind: arbitrary code execution in slf4j-ext class (CVE-2018-14718)
  • jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes (CVE-2018-14719)
  • jackson-databind: improper polymorphic deserialization in axis2-transport-jms class (CVE-2018-19360)
  • jackson-databind: improper polymorphic deserialization in openjpa class (CVE-2018-19361)
  • jackson-databind: improper polymorphic deserialization in jboss-common-core class (CVE-2018-19362)
  • jackson-databind: default typing mishandling leading to remote code execution (CVE-2019-14379)
  • jackson-databind: Serialization gadgets in com.pastdev.httpcomponents.configuration.JndiConfiguration (CVE-2020-24750)
  • jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource (CVE-2020-35490)
  • jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource (CVE-2020-35491)
  • jackson-databind: mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (CVE-2020-35728)
  • jackson-databind: mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS (CVE-2020-36179)
  • jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS (CVE-2020-36180)
  • jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS (CVE-2020-36181)
  • jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS (CVE-2020-36182)
  • jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool (CVE-2020-36183)
  • jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource (CVE-2020-36184)
  • jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource (CVE-2020-36185)
  • jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource (CVE-2020-36186)
  • jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource (CVE-2020-36187)
  • jackson-databind: mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource (CVE-2020-36188)
  • jackson-databind: mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource (CVE-2020-36189)
  • jackson-databind: mishandles the interaction between serialization gadgets and typing, related to javax.swing (CVE-2021-20190)
  • jackson-databind: exfiltration/XXE in some JDK classes (CVE-2018-14720)
  • jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class (CVE-2018-14721)
  • golang: data race in certain net/http servers including ReverseProxy can lead to DoS (CVE-2020-15586)
  • golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs (CVE-2020-16845)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Related CVEs:
  • CVE-2018-14718: jackson-databind: arbitrary code execution in slf4j-ext class
  • CVE-2018-14719: jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes
  • CVE-2018-14720: jackson-databind: exfiltration/XXE in some JDK classes
  • CVE-2018-14721: jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class
  • CVE-2018-19360: jackson-databind: improper polymorphic deserialization in axis2-transport-jms class
  • CVE-2018-19361: jackson-databind: improper polymorphic deserialization in openjpa class
  • CVE-2018-19362: jackson-databind: improper polymorphic deserialization in jboss-common-core class
  • CVE-2019-14379: jackson-databind: default typing mishandling leading to remote code execution
  • CVE-2020-15586: golang: data race in certain net/http servers including ReverseProxy can lead to DoS
  • CVE-2020-16845: golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs
  • CVE-2020-24750: jackson-databind: Serialization gadgets in com.pastdev.httpcomponents.configuration.JndiConfiguration
  • CVE-2020-35490: jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource
  • CVE-2020-35491: jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource
  • CVE-2020-35728: jackson-databind: mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool
  • CVE-2020-36179: jackson-databind: mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS
  • CVE-2020-36180: jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS
  • CVE-2020-36181: jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS
  • CVE-2020-36182: jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS
  • CVE-2020-36183: jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool
  • CVE-2020-36184: jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource
  • CVE-2020-36185: jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource
  • CVE-2020-36186: jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource
  • CVE-2020-36187: jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource
  • CVE-2020-36188: jackson-databind: mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource
  • CVE-2020-36189: jackson-databind: mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource
  • CVE-2021-20190: jackson-databind: mishandles the interaction between serialization gadgets and typing, related to javax.swing
Red Hat Security Data