Operating System:

[RedHat]

Published:

09 August 2022

Protect yourself against future threats.

//Service

Incident Management

Whether it is proactive or reactive services you're after, we will help you detect, interpret and respond to attacks from across the globe.

Read more
Resources > Security Bulletins > ESB-2022.3909 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.3909
              Service Telemetry Framework 1.3 security update
                               9 August 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Service Telemetry Framework 1.3
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-30631  

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2022:5923

Comment: CVSS (Max):  7.5 CVE-2022-30631 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Service Telemetry Framework 1.3 security update
Advisory ID:       RHSA-2022:5923-01
Product:           Red Hat OpenStack Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5923
Issue date:        2022-08-08
CVE Names:         CVE-2022-30631 
=====================================================================

1. Summary:

An update is now available for Service Telemetry Framework 1.3 for RHEL 8.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Service Telemetry Framework (STF) provides automated collection of
measurements and data from remote clients, such as Red Hat OpenStack
Platform or third-party nodes. STF then transmits the information to a
centralized, receiving Red Hat OpenShift Container Platform (OCP)
deployment for storage, retrieval, and monitoring.

Security Fix(es):

* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

The Service Telemetry Framework container image provided by this update can
be downloaded from the Red Hat Container Registry at
registry.access.redhat.com. Installation instructions for your platform are
available at Red Hat Container Catalog (see References).
Dockerfiles and scripts should be amended either to refer to this new image
specifically, or to the latest image generally.

4. Bugs fixed (https://bugzilla.redhat.com/):

2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read

5. References:

https://access.redhat.com/security/cve/CVE-2022-30631
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYvFQgdzjgjWX9erEAQgmiQ/9HL4OHCR3gGoBoBivtBKQLOgUfEpmXnH8
8k9pMJhY+F5ThgG1aQvq6doxSCm8LQ4fbXWjQcjGTZquetT5plKeUCYxUxBL9rLj
L7WnQxzrKdaKXOS7iWHarLgx8XyleTeIXGQTHYvWXpwy898lqXx4ZLGtua5pt2rN
z2ooBQu8NQhGmCuxABTAz6bqHK4yAiStxXGSXRiQiLOGCP3cRCL/fLNU24yWl3Yj
pIJ36PUZpCBEh8lpxlXUiLY4XmSpijquUbA41Bjy/TTAJd3LBmb97xhB8Kk0zlp2
tZ6/8BvkZWzH7B7WX2Bnd9cJxZAHbPRnf7dWBPVC/W7D6KKYghYodlysl3HCNdOK
vIBKiorsgFdnWvcAjk77VWDs4uTAjuZZ0XsDn31Fd04eYJL5XDVFE2zGhnxPRU4n
Q1alN5dBP3vrcpP426liLD7w2dMENrlGegili3x9Vxb4EJ0UfD2f/DYX06Hja68T
IX0LRaYarlAwxV80bGfaqzMHzaOxhIR6GAjvDk9ToU9+Q7tuzWvMoj0nxe7XxS2K
jEN0Cdw1WucJgrZQ3RecpE6YzOsdmlEofWXQ/VRv0XclJGUVPUI9GhivKD8owJ3G
0ak1+V8RIzrXpKzrQ/RaODn1rC0sojX8/dm6EZtVeCHEPA2U8LrBuJB4NXKJVbpv
HtQaEXCgjDY=
=8ma6
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBYvHCbMkNZI30y1K9AQgv4RAAigjjodliPaWCEYeRfsLfyxOeGftlMfOB
LS2//oFzi0sb8bqdbFvtJOm03euiZj/2NaUiY3JeH35bbjP9Rk2uDGLXdHrj+63F
W1FD6xpxUzE+ElEAl+5cxsOgGz5s/wMkvpA5qtOQVn2QXU443r193KQXE8g1TXjr
ANNoaetiorQiW+KfSg3PWxjXxNUspfFnOhKqWXtVDnMYEBqnt8WshcLX8YXNRLD1
dT4Hx8JIgXsOzHzyhwo6oEkRcLw/ADA4ynL097ivR/6OXKdnoiRvIJ5jTOzOI1jQ
MdXyBQX/+iDi1ULtDpHlodw9MDyaH++TQKfkSeNjZlz0RVOkFIVcmAuzjP4lkBWR
w7w9WdftPMJ8da3cxqdfviOhUlvVZ08hO/sXEquM1f0hYyi1IRDVBgLtk6ggjXb0
PJfiNU/f7pf/ApKXcTDMulsFGM6DepvcmmsQsvtyEGc9IbQH+OhbIKoAIlmyi5/s
F+iL6UW4NgQdK62b5ehwduYJZxP2YxdThZnx923X4tdIcJmmkVdPGTpHLYfU1T/4
suYOiXwStbkrWDksLagxvZ5k/Xe/dnmddVkBXgGMkSvv3t7BvvEQPHBVrkplWl28
micDOF85jo+dCqaHlFbcOPbcDfj9X5W7siUa6IdMhWQgesjXQCARsqEzTGeBSL7h
/V6dfEhJfDs=
=5Ijo
-----END PGP SIGNATURE-----