===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.3911
              Service Telemetry Framework 1.4 security update
                               9 August 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Service Telemetry Framework 1.4
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-30631 CVE-2022-24407 CVE-2022-23852
                   CVE-2022-1271 CVE-2022-0778 CVE-2021-37750
                   CVE-2021-36222 CVE-2021-33938 CVE-2021-33930
                   CVE-2021-33929 CVE-2021-33928 CVE-2021-30762
                   CVE-2021-30761 CVE-2021-30666 CVE-2021-27218
                   CVE-2021-22947 CVE-2021-22946 CVE-2021-20305
                   CVE-2021-3541 CVE-2021-3537 CVE-2021-3521
                   CVE-2021-3520 CVE-2021-3518 CVE-2021-3517
                   CVE-2021-3516 CVE-2021-3326 CVE-2020-29363
                   CVE-2020-29362 CVE-2020-29361 CVE-2020-27618
                   CVE-2020-15503 CVE-2020-15358 CVE-2020-14391
                   CVE-2020-13434 CVE-2020-11793 CVE-2020-10018
                   CVE-2020-9952 CVE-2020-9925 CVE-2020-9915
                   CVE-2020-9895 CVE-2020-9894 CVE-2020-9893
                   CVE-2020-9862 CVE-2020-9850 CVE-2020-9843
                   CVE-2020-9807 CVE-2020-9806 CVE-2020-9805
                   CVE-2020-9803 CVE-2020-9802 CVE-2020-8927
                   CVE-2020-3902 CVE-2020-3901 CVE-2020-3900
                   CVE-2020-3899 CVE-2020-3897 CVE-2020-3895
                   CVE-2020-3894 CVE-2020-3885 CVE-2020-3868
                   CVE-2020-3867 CVE-2020-3865 CVE-2020-3864
                   CVE-2020-3862 CVE-2020-1730 CVE-2019-25013
                   CVE-2019-20807 CVE-2019-20454 CVE-2019-14889
                   CVE-2019-13627 CVE-2019-13050 CVE-2019-9169
                   CVE-2019-8846 CVE-2019-8844 CVE-2019-8835
                   CVE-2019-8823 CVE-2019-8820 CVE-2019-8819
                   CVE-2019-8816 CVE-2019-8815 CVE-2019-8814
                   CVE-2019-8813 CVE-2019-8812 CVE-2019-8811
                   CVE-2019-8808 CVE-2019-8783 CVE-2019-8782
                   CVE-2019-8771 CVE-2019-8769 CVE-2019-8766
                   CVE-2019-8764 CVE-2019-8743 CVE-2019-8720
                   CVE-2019-8710 CVE-2019-8625 CVE-2018-1000858
                   CVE-2018-25032 CVE-2017-14502 CVE-2016-10228

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2022:5924

Comment: CVSS (Max):  9.8 CVE-2022-23852 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Service Telemetry Framework 1.4 security update
Advisory ID:       RHSA-2022:5924-01
Product:           Red Hat OpenStack Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5924
Issue date:        2022-08-08
CVE Names:         CVE-2016-10228 CVE-2017-14502 CVE-2018-25032 
                   CVE-2018-1000858 CVE-2019-8625 CVE-2019-8710 
                   CVE-2019-8720 CVE-2019-8743 CVE-2019-8764 
                   CVE-2019-8766 CVE-2019-8769 CVE-2019-8771 
                   CVE-2019-8782 CVE-2019-8783 CVE-2019-8808 
                   CVE-2019-8811 CVE-2019-8812 CVE-2019-8813 
                   CVE-2019-8814 CVE-2019-8815 CVE-2019-8816 
                   CVE-2019-8819 CVE-2019-8820 CVE-2019-8823 
                   CVE-2019-8835 CVE-2019-8844 CVE-2019-8846 
                   CVE-2019-9169 CVE-2019-13050 CVE-2019-13627 
                   CVE-2019-14889 CVE-2019-20454 CVE-2019-20807 
                   CVE-2019-25013 CVE-2020-1730 CVE-2020-3862 
                   CVE-2020-3864 CVE-2020-3865 CVE-2020-3867 
                   CVE-2020-3868 CVE-2020-3885 CVE-2020-3894 
                   CVE-2020-3895 CVE-2020-3897 CVE-2020-3899 
                   CVE-2020-3900 CVE-2020-3901 CVE-2020-3902 
                   CVE-2020-8927 CVE-2020-9802 CVE-2020-9803 
                   CVE-2020-9805 CVE-2020-9806 CVE-2020-9807 
                   CVE-2020-9843 CVE-2020-9850 CVE-2020-9862 
                   CVE-2020-9893 CVE-2020-9894 CVE-2020-9895 
                   CVE-2020-9915 CVE-2020-9925 CVE-2020-9952 
                   CVE-2020-10018 CVE-2020-11793 CVE-2020-13434 
                   CVE-2020-14391 CVE-2020-15358 CVE-2020-15503 
                   CVE-2020-27618 CVE-2020-29361 CVE-2020-29362 
                   CVE-2020-29363 CVE-2021-3326 CVE-2021-3516 
                   CVE-2021-3517 CVE-2021-3518 CVE-2021-3520 
                   CVE-2021-3521 CVE-2021-3537 CVE-2021-3541 
                   CVE-2021-20305 CVE-2021-22946 CVE-2021-22947 
                   CVE-2021-27218 CVE-2021-30666 CVE-2021-30761 
                   CVE-2021-30762 CVE-2021-33928 CVE-2021-33929 
                   CVE-2021-33930 CVE-2021-33938 CVE-2021-36222 
                   CVE-2021-37750 CVE-2022-0778 CVE-2022-1271 
                   CVE-2022-23852 CVE-2022-24407 CVE-2022-30631 
=====================================================================

1. Summary:

An update is now available for Service Telemetry Framework 1.4 for RHEL 8.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Service Telemetry Framework (STF) provides automated collection of
measurements and data from remote clients, such as Red Hat OpenStack
Platform or third-party nodes. STF then transmits the information to a
centralized, receiving Red Hat OpenShift Container Platform (OCP)
deployment for storage, retrieval, and monitoring.

Security Fix(es):

* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

The Service Telemetry Framework container image provided by this update can
be downloaded from the Red Hat Container Registry at
registry.access.redhat.com. Installation instructions for your platform are
available at Red Hat Container Catalog (see References).
Dockerfiles and scripts should be amended either to refer to this new image
specifically, or to the latest image generally.

4. Bugs fixed (https://bugzilla.redhat.com/):

2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read

5. References:

https://access.redhat.com/security/cve/CVE-2016-10228
https://access.redhat.com/security/cve/CVE-2017-14502
https://access.redhat.com/security/cve/CVE-2018-25032
https://access.redhat.com/security/cve/CVE-2018-1000858
https://access.redhat.com/security/cve/CVE-2019-8625
https://access.redhat.com/security/cve/CVE-2019-8710
https://access.redhat.com/security/cve/CVE-2019-8720
https://access.redhat.com/security/cve/CVE-2019-8743
https://access.redhat.com/security/cve/CVE-2019-8764
https://access.redhat.com/security/cve/CVE-2019-8766
https://access.redhat.com/security/cve/CVE-2019-8769
https://access.redhat.com/security/cve/CVE-2019-8771
https://access.redhat.com/security/cve/CVE-2019-8782
https://access.redhat.com/security/cve/CVE-2019-8783
https://access.redhat.com/security/cve/CVE-2019-8808
https://access.redhat.com/security/cve/CVE-2019-8811
https://access.redhat.com/security/cve/CVE-2019-8812
https://access.redhat.com/security/cve/CVE-2019-8813
https://access.redhat.com/security/cve/CVE-2019-8814
https://access.redhat.com/security/cve/CVE-2019-8815
https://access.redhat.com/security/cve/CVE-2019-8816
https://access.redhat.com/security/cve/CVE-2019-8819
https://access.redhat.com/security/cve/CVE-2019-8820
https://access.redhat.com/security/cve/CVE-2019-8823
https://access.redhat.com/security/cve/CVE-2019-8835
https://access.redhat.com/security/cve/CVE-2019-8844
https://access.redhat.com/security/cve/CVE-2019-8846
https://access.redhat.com/security/cve/CVE-2019-9169
https://access.redhat.com/security/cve/CVE-2019-13050
https://access.redhat.com/security/cve/CVE-2019-13627
https://access.redhat.com/security/cve/CVE-2019-14889
https://access.redhat.com/security/cve/CVE-2019-20454
https://access.redhat.com/security/cve/CVE-2019-20807
https://access.redhat.com/security/cve/CVE-2019-25013
https://access.redhat.com/security/cve/CVE-2020-1730
https://access.redhat.com/security/cve/CVE-2020-3862
https://access.redhat.com/security/cve/CVE-2020-3864
https://access.redhat.com/security/cve/CVE-2020-3865
https://access.redhat.com/security/cve/CVE-2020-3867
https://access.redhat.com/security/cve/CVE-2020-3868
https://access.redhat.com/security/cve/CVE-2020-3885
https://access.redhat.com/security/cve/CVE-2020-3894
https://access.redhat.com/security/cve/CVE-2020-3895
https://access.redhat.com/security/cve/CVE-2020-3897
https://access.redhat.com/security/cve/CVE-2020-3899
https://access.redhat.com/security/cve/CVE-2020-3900
https://access.redhat.com/security/cve/CVE-2020-3901
https://access.redhat.com/security/cve/CVE-2020-3902
https://access.redhat.com/security/cve/CVE-2020-8927
https://access.redhat.com/security/cve/CVE-2020-9802
https://access.redhat.com/security/cve/CVE-2020-9803
https://access.redhat.com/security/cve/CVE-2020-9805
https://access.redhat.com/security/cve/CVE-2020-9806
https://access.redhat.com/security/cve/CVE-2020-9807
https://access.redhat.com/security/cve/CVE-2020-9843
https://access.redhat.com/security/cve/CVE-2020-9850
https://access.redhat.com/security/cve/CVE-2020-9862
https://access.redhat.com/security/cve/CVE-2020-9893
https://access.redhat.com/security/cve/CVE-2020-9894
https://access.redhat.com/security/cve/CVE-2020-9895
https://access.redhat.com/security/cve/CVE-2020-9915
https://access.redhat.com/security/cve/CVE-2020-9925
https://access.redhat.com/security/cve/CVE-2020-9952
https://access.redhat.com/security/cve/CVE-2020-10018
https://access.redhat.com/security/cve/CVE-2020-11793
https://access.redhat.com/security/cve/CVE-2020-13434
https://access.redhat.com/security/cve/CVE-2020-14391
https://access.redhat.com/security/cve/CVE-2020-15358
https://access.redhat.com/security/cve/CVE-2020-15503
https://access.redhat.com/security/cve/CVE-2020-27618
https://access.redhat.com/security/cve/CVE-2020-29361
https://access.redhat.com/security/cve/CVE-2020-29362
https://access.redhat.com/security/cve/CVE-2020-29363
https://access.redhat.com/security/cve/CVE-2021-3326
https://access.redhat.com/security/cve/CVE-2021-3516
https://access.redhat.com/security/cve/CVE-2021-3517
https://access.redhat.com/security/cve/CVE-2021-3518
https://access.redhat.com/security/cve/CVE-2021-3520
https://access.redhat.com/security/cve/CVE-2021-3521
https://access.redhat.com/security/cve/CVE-2021-3537
https://access.redhat.com/security/cve/CVE-2021-3541
https://access.redhat.com/security/cve/CVE-2021-20305
https://access.redhat.com/security/cve/CVE-2021-22946
https://access.redhat.com/security/cve/CVE-2021-22947
https://access.redhat.com/security/cve/CVE-2021-27218
https://access.redhat.com/security/cve/CVE-2021-30666
https://access.redhat.com/security/cve/CVE-2021-30761
https://access.redhat.com/security/cve/CVE-2021-30762
https://access.redhat.com/security/cve/CVE-2021-33928
https://access.redhat.com/security/cve/CVE-2021-33929
https://access.redhat.com/security/cve/CVE-2021-33930
https://access.redhat.com/security/cve/CVE-2021-33938
https://access.redhat.com/security/cve/CVE-2021-36222
https://access.redhat.com/security/cve/CVE-2021-37750
https://access.redhat.com/security/cve/CVE-2022-0778
https://access.redhat.com/security/cve/CVE-2022-1271
https://access.redhat.com/security/cve/CVE-2022-23852
https://access.redhat.com/security/cve/CVE-2022-24407
https://access.redhat.com/security/cve/CVE-2022-30631
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================