Home / mailings [RHSA-2023:3905-01] Important: Network observability 1.3.0 for Openshift
Posted on 28 June 2023
RedHat===================================================================== Red Hat Security Advisory
Synopsis: Important: Network observability 1.3.0 for Openshift
Advisory ID: RHSA-2023:3905-01
Product: Network Observability
Advisory URL: https://access.redhat.com/errata/RHSA-2023:3905
Issue date: 2023-06-28
CVE Names: CVE-2022-28805 CVE-2022-36227 CVE-2023-0464
CVE-2023-0465 CVE-2023-0466 CVE-2023-1255
CVE-2023-2650 CVE-2023-24539 CVE-2023-24540
CVE-2023-27535 CVE-2023-29400
=====================================================================
1. Summary:
Network Observability 1.3.0 for OpenShift
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Description:
Network Observability 1.3.0 is an OpenShift operator that provides a
monitoring pipeline to collect and enrich network flows that are produced
by the Network observability eBPF agent.
The operator provides dashboards, metrics, and keeps flows accessible in a
queryable log store, Grafana Loki. When a FlowCollector is deployed, new
dashboards are available in the Console.
This update contains bug fixes.
Security Fix(es):
* golang: html/template: improper handling of JavaScript whitespace
(CVE-2023-24540)
* golang: html/template: improper sanitization of CSS values
(CVE-2023-24539)
* golang: html/template: improper handling of empty HTML attributes
(CVE-2023-29400)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
3. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
4. Bugs fixed (https://bugzilla.redhat.com/):
2196026 - CVE-2023-24539 golang: html/template: improper sanitization of CSS values
2196027 - CVE-2023-24540 golang: html/template: improper handling of JavaScript whitespace
2196029 - CVE-2023-29400 golang: html/template: improper handling of empty HTML attributes
5. JIRA issues fixed (https://issues.redhat.com/):
NETOBSERV-1003 - include metrics role and rolebinding in operator bundle
NETOBSERV-1070 - FLP metrics is not populated with TLS scheme
NETOBSERV-166 - Multitenancy support in Network Observability for project admins
NETOBSERV-391 - Metrics & prometheus setup - flow based dashboards and metrics
NETOBSERV-576 - Multi-arch builds - amd64, ppc64le, arm64
NETOBSERV-765 - Plugin's ServiceMonitor doesn't work
NETOBSERV-773 - Copy certificates across namespaces
NETOBSERV-776 - Implement RBAC control in Loki Gateway
NETOBSERV-901 - Console integration (admin perspective)
NETOBSERV-934 - Add SCTP/ICMPv4/ICMPv6 support to ebpf agent
NETOBSERV-971 - portNaming cannot be disabled
NETOBSERV-972 - user authentication fails for non-kubeadmin users despite they're in cluster-admin groups
NETOBSERV-976 - Not able to disable alerts
NETOBSERV-981 - add must-gather support for network-observability
NETOBSERV-984 - KafkaInterBrokerProtocalVersion throws warning and has ingestion errors
6. References:
https://access.redhat.com/security/cve/CVE-2022-28805
https://access.redhat.com/security/cve/CVE-2022-36227
https://access.redhat.com/security/cve/CVE-2023-0464
https://access.redhat.com/security/cve/CVE-2023-0465
https://access.redhat.com/security/cve/CVE-2023-0466
https://access.redhat.com/security/cve/CVE-2023-1255
https://access.redhat.com/security/cve/CVE-2023-2650
https://access.redhat.com/security/cve/CVE-2023-24539
https://access.redhat.com/security/cve/CVE-2023-24540
https://access.redhat.com/security/cve/CVE-2023-27535
https://access.redhat.com/security/cve/CVE-2023-29400
https://access.redhat.com/security/updates/classification/#important
7. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2023 Red Hat, Inc.