RHSA-2023:2728: Red Hat Security Advisory: Red Hat OpenShift Distributed Tracing 2.8.0 security update
Updated Red Hat OpenShift Distributed Tracing 2.8 container images are now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
Issued:
2023-05-10
Updated:
2023-05-10
RHSA-2023:2728 - Security Advisory
Synopsis
Moderate: Red Hat OpenShift Distributed Tracing 2.8.0 security update
Type/Severity
Security Advisory: Moderate
Topic
Updated Red Hat OpenShift Distributed Tracing 2.8 container images are now available.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The Red Hat OpenShift Distributed Tracing 2.8 container images have been updated. CVE-2022-41717 was fixed as part of this release.
Users of Red Hat OpenShift Distributed Tracing 2.8 container images are advised to upgrade to these updated images, which contain backported patches to correct these security issues, fix these bugs, and add these enhancements.
Tempo Operator added as Tech Preview.
You can find images updated by this advisory in Red Hat Container Catalog (see References).
Security Fix(es):
- golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, see the CVE page(s) listed in the References section.
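The flaw above lives in the HTTP/2 server that Go bundles into net/http (and in golang.org/x/net/http2, from which it is bundled), so the question an operator asks of every Go service in the fleet is which toolchain and which x/net version each binary was built with. The following program is an added example, not part of this advisory and not Red Hat tooling: it reads the build information a Go binary carries with the standard debug/buildinfo package and flags components older than the upstream fix releases. The thresholds (Go 1.18.9 / 1.19.4 and golang.org/x/net v0.4.0) come from the upstream release notes, not from this page, and should be confirmed against the CVE page in the References; the function names are the example's own.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Releases carrying the CVE-2022-41717 fix, per the upstream Go 1.18.9 /
// 1.19.4 and golang.org/x/net v0.4.0 release notes (an assumption taken
// from upstream, not stated in this advisory).
var fixedGo = map[int]string{18: "go1.18.9", 19: "go1.19.4"}

const fixedXNet = "v0.4.0"

// parseVersion normalizes "go1.19.4", "go1.20rc1", "v0.4.0" or a pseudo-version
// such as "v0.0.0-20220722155237-a158d28d115b" into [major, minor, patch],
// dropping any suffix; ok is false for strings like "devel +abc123".
func parseVersion(v string) (parts [3]int, ok bool) {
	v = strings.TrimPrefix(strings.TrimPrefix(v, "go"), "v")
	if end := strings.IndexFunc(v, func(r rune) bool { return r != '.' && (r < '0' || r > '9') }); end >= 0 {
		v = v[:end]
	}
	fields := strings.Split(v, ".")
	if v == "" || len(fields) > 3 {
		return parts, false
	}
	for i, f := range fields {
		n, err := strconv.Atoi(f)
		if err != nil {
			return parts, false
		}
		parts[i] = n
	}
	return parts, true
}

// key makes versions comparable as integers (components are far below 1000).
func key(p [3]int) int { return p[0]*1_000_000 + p[1]*1_000 + p[2] }

// goToolchainPatched reports whether a toolchain version is at or past the fix
// release for its minor line. Lines without an entry in fixedGo are patched only
// if they are newer than 1.19 (1.20+ shipped after the fix); older lines were
// out of upstream support and are treated as unpatched, as is unparseable input.
func goToolchainPatched(v string) bool {
	got, ok := parseVersion(v)
	if !ok || got[0] != 1 {
		return false
	}
	fixed, known := fixedGo[got[1]]
	if !known {
		return got[1] >= 20
	}
	want, _ := parseVersion(fixed)
	return key(got) >= key(want)
}

// xnetPatched applies the same test to a golang.org/x/net module version.
func xnetPatched(v string) bool {
	got, ok := parseVersion(v)
	want, _ := parseVersion(fixedXNet)
	return ok && key(got) >= key(want)
}

// checkBinary reads the build info embedded in a Go binary and returns one
// finding per component that predates the fix (an empty slice means none).
func checkBinary(path string) ([]string, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return nil, err
	}
	var findings []string
	if !goToolchainPatched(bi.GoVersion) {
		findings = append(findings, fmt.Sprintf("toolchain %s predates the net/http fix", bi.GoVersion))
	}
	for _, dep := range bi.Deps {
		if dep.Replace != nil { // a replace directive decides what was actually compiled in
			dep = dep.Replace
		}
		if dep.Path == "golang.org/x/net" && !xnetPatched(dep.Version) {
			findings = append(findings, fmt.Sprintf("golang.org/x/net %s predates the http2 fix", dep.Version))
		}
	}
	return findings, nil
}

func main() {
	for _, path := range os.Args[1:] {
		findings, err := checkBinary(path)
		if err != nil {
			fmt.Printf("%s: %v\n", path, err)
			continue
		}
		fmt.Printf("%s: %d finding(s) %v\n", path, len(findings), findings)
	}
}
```

Run it as `go run check.go /path/to/binary ...` against binaries extracted from an image. Treat a finding as a reason to investigate rather than proof of exposure: a vendor-patched toolchain can carry the fix under an older version string, and for Red Hat-shipped images the digests listed in this advisory are the authoritative signal that the rebuilt image is in use.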
Solution
Before applying this update, make sure all previously released errata relevant to your system have been applied.
To update all RPMs for your particular architecture, run:
rpm -Fvh [filenames]
where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.
Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command:
up2date
This will start an interactive process that will result in the appropriate RPMs being upgraded on your system.
Affected Products
- Red Hat OpenShift distributed tracing 2 x86_64
- Red Hat OpenShift distributed tracing for Power, little endian 2 ppc64le
- Red Hat OpenShift distributed tracing for IBM Z and LinuxONE 2 s390x
Fixes
- BZ - 2161274 - CVE-2022-41717 golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests
References
- https://access.redhat.com/security/updates/classification/#moderate
- https://access.redhat.com/containers
ppc64le
rhosdt/jaeger-agent-rhel8@sha256:8a43f264074ee58981c8a80becceb4fca6488a641882b56ac19c11b19a8107e2
rhosdt/jaeger-all-in-one-rhel8@sha256:0b20755ee5537736b1fe1371bd0052a48cafe921c49019bb9b370ec2973fa08d
rhosdt/jaeger-collector-rhel8@sha256:ff04f6b0953c885bac0b58c0373eef52cc667901df03ecf40568c30132d46f31
rhosdt/jaeger-es-index-cleaner-rhel8@sha256:98fe80fbd583a0f52d96045196806fdc4564ec3dd6baf06ab5d2e69bd4e78c3b
rhosdt/jaeger-es-rollover-rhel8@sha256:8936533e85752a84a10dde80dd637bd362af950a5b71b4d89929e704cc22cbd2
rhosdt/jaeger-ingester-rhel8@sha256:496ff69d2598e54e2ca83e6c2ea10d471ad152711423932b28c70dc7265a99e8
rhosdt/jaeger-operator-bundle@sha256:c5984c02730264eebba1988130ac3f1107b7b27b9a4bfd6801d3295554514504
rhosdt/jaeger-query-rhel8@sha256:0fb36c45aeaf6ce09946a3bc90637a1d9a118f3d86c950105a916263de49501e
rhosdt/jaeger-rhel8-operator@sha256:69b565bd59f81777c857981508eaa4a177a8d1a0ffb96507758cde425681e36e
rhosdt/opa-openshift-rhosdt-rhel8@sha256:f982e0dbc460565f37ec773ef49873e431cbc21a180488d50dd1991b6117f8c6
rhosdt/opentelemetry-collector-rhel8@sha256:db9c1a9684e33ddb8f4967f6d2ecd5c2969d1fd358ee9f7de2d991d2e6653936
rhosdt/opentelemetry-operator-bundle@sha256:7909ea7d7da0568077e296b92bb7baa560bd337aa29903d52b3986814856688a
rhosdt/opentelemetry-rhel8-operator@sha256:983a171835f9ab509e96c79f7e2a6b0baaf253aa83abb328a3a0a6af25a34499
rhosdt/tempo-gateway-rhel8@sha256:60245023f0b9f00afeb40c130cef36f2efa63d5c6416eee69d1523cae7addb45
rhosdt/tempo-operator-bundle@sha256:84939add25bc2ac7ac329987c8742e758a33c2e7fe367a400d574787e7adc0f6
rhosdt/tempo-query-rhel8@sha256:982bf7bd95a2fbfef36ec5aa70fdb6812f973dd23ebb525b3c017b03cdc8a15a
rhosdt/tempo-rhel8@sha256:d8ecbfeeba3a8d0f4b32d6e35e3c21685f62aaec5be63c039f2e85964ab03052
rhosdt/tempo-rhel8-operator@sha256:7a9e324e998eec2a60300b21a2bba25bfef6403177163d3925cf9167d9bc8fe8
s390x
rhosdt/jaeger-agent-rhel8@sha256:c328aa56ba47b44064ef4bdb049078845fcd69604ce4a999817804781a5f0149
rhosdt/jaeger-all-in-one-rhel8@sha256:251e1a11abbb91bf0316c27242cc5f965f276dfecb388c19f9dfd93bc894622b
rhosdt/jaeger-collector-rhel8@sha256:b8f0ecc3f3f5e6ef95795b5d6e4c1101ac262798bc7f98d88a4d72c9bb8df2de
rhosdt/jaeger-es-index-cleaner-rhel8@sha256:1ad7cb4a53bba1ce64294865f2ea98bea7e12abc8b2ce3fb929b4ac6c7a9e534
rhosdt/jaeger-es-rollover-rhel8@sha256:0bfe941f7a7af8f9d7aebeb7705837c3aa5858f6b282c511659d82bb71b466b1
rhosdt/jaeger-ingester-rhel8@sha256:1374bd615cd61d87b6d2a0fe2a41d40cfb6ff88cd652bcb1cdeedea7bc222394
rhosdt/jaeger-operator-bundle@sha256:37749952282a8d451c0b9e26b23fe226fc08a1214cb9b2236382b7460d3bfb5e
rhosdt/jaeger-query-rhel8@sha256:104db728c93ca8fd7a3abd8889e6a0d1ec4db34ea6e2d4350dba029651adeb17
rhosdt/jaeger-rhel8-operator@sha256:21ba897b333be9d40a02d4ea2c89af013331b3c06fbb86c5a9759f61039086f9
rhosdt/opa-openshift-rhosdt-rhel8@sha256:0f134b1b26a5f27009777d7279872871d8072b0343c05a376425fddeb5cca359
rhosdt/opentelemetry-collector-rhel8@sha256:b7873e3eb7d40a27c638644474e04ddc364b77ec1ad1399e35da38fce22fc0b6
rhosdt/opentelemetry-operator-bundle@sha256:a8653e4a1642fd364077c9eb6436cf4949d4e8785d9260710aa44de6ef7ff8b0
rhosdt/opentelemetry-rhel8-operator@sha256:8e34697b56eae5a94f96d20195aeb9310c42b8ab608e1afdab2f680d2fc391ad
rhosdt/tempo-gateway-rhel8@sha256:1c8422e6085eb89fa74067651714d19f76c1eed5af90a339268cc699755eb68b
rhosdt/tempo-operator-bundle@sha256:4939ba02f0c4b550ac9bd5a6bb882248606a763ad95de5915ca170cf4cf95759
rhosdt/tempo-query-rhel8@sha256:30d4f50afa01afd9e21a6fb36fff2a4d6ded4d354a06745d92b6d08cd6f995c2
rhosdt/tempo-rhel8@sha256:0dbdf5051a2b1ba9fb0ee210e2713ed9f3d39e9c159395b8e179012b67f9bc6c
rhosdt/tempo-rhel8-operator@sha256:79472b5856d5aec5b5d321f95297ed7e7c4a46c82b2a894b638911da428312b4
x86_64
rhosdt/jaeger-agent-rhel8@sha256:b689645b06be8513d1960c4431ada2f7615d72cdc5df43adac38bd161b266a25
rhosdt/jaeger-all-in-one-rhel8@sha256:e4bb5f4ec8077fd88d504bbdf9dc776011ec4bb459a6f8716c26ab0e62cbf70e
rhosdt/jaeger-collector-rhel8@sha256:1bd71465d819d4698e6f22f22c2b85b582602197aa7ce200ed8359cc5eb5651c
rhosdt/jaeger-es-index-cleaner-rhel8@sha256:2faac03b2c880856c059d1eba1ec41d464115a2ad26fa1fac53de5aebcae91e5
rhosdt/jaeger-es-rollover-rhel8@sha256:75b3492d01d93b5f14dd8b8cae913f4c9a379cde9738b16b653f17065f461004
rhosdt/jaeger-ingester-rhel8@sha256:8713a0e37285d6e5c7133221c07dcf4012d832bd47bf6657829fbfa4add1d049
rhosdt/jaeger-operator-bundle@sha256:195b7fc980c05ae95965012817ab824fcb6c18c7c7873accc4198875c1df096f
rhosdt/jaeger-query-rhel8@sha256:c6cb58f3440abb96c0ad5d3837131836cd8cd0b0e30582bf6fecdd2ec7f23fb5
rhosdt/jaeger-rhel8-operator@sha256:45aa2c351ee0e9cc8bbcb2cdedd6e673f3196464529a44be6ec74cc150eb6751
rhosdt/opa-openshift-rhosdt-rhel8@sha256:ee803ea21b800c4185e097f30834be99daf2071d01782098adffaee9fe2d69dc
rhosdt/opentelemetry-collector-rhel8@sha256:00416535e7d8201734bf0f7d7f3279c064eb1311b8d64b89784622a05bc65244
rhosdt/opentelemetry-operator-bundle@sha256:202ee7fa0a4ec49d6982c62a322dcfb5994984a3e8382cc2ff56806f65ed2070
rhosdt/opentelemetry-rhel8-operator@sha256:2d81f81659c6d9f4aa3ebeacf60f13ccd3365772114ab5df9bc099f7ea2ec033
rhosdt/tempo-gateway-rhel8@sha256:5750eddfc102b827318e8a916ba96d0c07dc0ff57aee73b63f1b8ff430865e6b
rhosdt/tempo-operator-bundle@sha256:ff86c632e7eadeae0c2f50f7b9ef1d5cb2d05ed69ec618494bf164a980a5c54e
rhosdt/tempo-query-rhel8@sha256:fd1ae22f59b180cf0ea59df3e405d98e252305efd98ff0e1fc15bdda19c18c28
rhosdt/tempo-rhel8@sha256:9e2192e6d95248c549045c6bb147d185969abe85f27c27dfa8e1dc5417b1749e
rhosdt/tempo-rhel8-operator@sha256:f4835973248c4cc72ec1fcf6a2bfed9903bd857cfc56df123a6ab6a331a5522f
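The remedy this advisory prescribes is to run the updated images, and the per-architecture digest list above is what lets an operator verify that, rather than trusting a tag. The following program is an added example, not Red Hat tooling: it parses the advisory's layout (an architecture line followed by repo@sha256:digest lines; an excerpt of the x86_64 section above is embedded) and classifies a set of deployed image references as updated, stale, unpinned, unrelated or invalid. The deployed references are constructed sample data standing in for the imageID values reported for a cluster's running containers; the all-zero and all-one digests are placeholders, not real images, and the function names are the example's own.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// advisoryImages is an excerpt of the x86_64 section of the RHSA-2023:2728
// image list in the advisory's own layout. Three of the seventeen entries are kept.
const advisoryImages = `x86_64
rhosdt/jaeger-agent-rhel8@sha256:b689645b06be8513d1960c4431ada2f7615d72cdc5df43adac38bd161b266a25
rhosdt/tempo-rhel8@sha256:9e2192e6d95248c549045c6bb147d185969abe85f27c27dfa8e1dc5417b1749e
rhosdt/tempo-query-rhel8@sha256:fd1ae22f59b180cf0ea59df3e405d98e252305efd98ff0e1fc15bdda19c18c28
`

// deployedImages is CONSTRUCTED sample input standing in for the imageID values of
// running containers; the all-zero and all-one digests are placeholders, not real images.
const deployedImages = `registry.redhat.io/rhosdt/jaeger-agent-rhel8@sha256:b689645b06be8513d1960c4431ada2f7615d72cdc5df43adac38bd161b266a25
registry.redhat.io/rhosdt/tempo-rhel8@sha256:0000000000000000000000000000000000000000000000000000000000000000
registry.redhat.io/rhosdt/tempo-query-rhel8:1.0
quay.io/example/unrelated-app@sha256:1111111111111111111111111111111111111111111111111111111111111111
`

var digestRE = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

type imageRef struct{ Repo, Digest string }

// parseRef splits "[host/]repo[:tag][@sha256:digest]" into repo and digest.
// The registry host is dropped so advisory entries (no host) and cluster
// references (with host) compare on the same repo name.
func parseRef(ref string) (imageRef, error) {
	name, digest, hasDigest := strings.Cut(ref, "@")
	// A first segment containing '.' or ':' (or "localhost") is a registry host, not a namespace.
	if host, rest, ok := strings.Cut(name, "/"); ok && (strings.ContainsAny(host, ".:") || host == "localhost") {
		name = rest
	}
	// A ':' after the last '/' starts a tag; drop it, the digest is what gets compared.
	if i := strings.LastIndex(name, ":"); i > strings.LastIndex(name, "/") {
		name = name[:i]
	}
	if name == "" || (hasDigest && !digestRE.MatchString(digest)) {
		return imageRef{}, fmt.Errorf("malformed image reference %q", ref)
	}
	return imageRef{Repo: name, Digest: digest}, nil
}

// parseAdvisory returns digest -> "repo (arch)" plus the set of repos the
// advisory publishes. Lines without a '/' are architecture headers.
func parseAdvisory(text string) (map[string]string, map[string]bool, error) {
	digests, repos := map[string]string{}, map[string]bool{}
	arch := "unknown"
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		if !strings.Contains(line, "/") {
			arch = line
			continue
		}
		ref, err := parseRef(line)
		if err != nil || ref.Digest == "" {
			return nil, nil, fmt.Errorf("advisory entry %q is not a digest-pinned reference", line)
		}
		digests[ref.Digest] = ref.Repo + " (" + arch + ")"
		repos[ref.Repo] = true
	}
	return digests, repos, nil
}

// classify gives each deployed reference one verdict: "updated" (digest is one the
// advisory ships), "stale" (repo covered, digest not), "unpinned" (no digest to
// check), "unrelated" (repo not in this advisory) or "invalid" (unparseable).
func classify(digests map[string]string, repos map[string]bool, deployed string) map[string]string {
	verdicts := map[string]string{}
	for _, line := range strings.Split(strings.TrimSpace(deployed), "\n") {
		ref, err := parseRef(line)
		switch {
		case err != nil:
			verdicts[line] = "invalid"
		case !repos[ref.Repo]:
			verdicts[line] = "unrelated"
		case ref.Digest == "":
			verdicts[line] = "unpinned"
		case digests[ref.Digest] != "":
			verdicts[line] = "updated"
		default:
			verdicts[line] = "stale"
		}
	}
	return verdicts
}

func main() {
	digests, repos, err := parseAdvisory(advisoryImages)
	if err != nil {
		panic(err)
	}
	for ref, verdict := range classify(digests, repos, deployedImages) {
		fmt.Printf("%-9s %s\n", verdict, ref)
	}
}
```

In practice the advisory text is pasted in whole (all three architecture sections) and the deployed list is gathered from the cluster; a "stale" verdict on a covered repository is the condition to alert on, and "unpinned" references deserve attention in their own right, since a tag cannot prove which build is running.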
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.