-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.2897
              Red Hat OpenShift Jaeger 1.20.5 security update
                              27 August 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat OpenShift Jaeger
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account      
                   Denial of Service               -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-34558 CVE-2021-33910 CVE-2021-33198
                   CVE-2021-33197 CVE-2021-33196 CVE-2021-33195
                   CVE-2021-27218 CVE-2021-20271 CVE-2021-3541
                   CVE-2021-3537 CVE-2021-3520 CVE-2021-3518
                   CVE-2021-3517 CVE-2021-3516 

Reference:         ESB-2021.2735
                   ESB-2021.2711
                   ESB-2021.2657

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2021:3229

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenShift Jaeger 1.20.5 security update
Advisory ID:       RHSA-2021:3229-01
Product:           Red Hat OpenShift Jaeger
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:3229
Issue date:        2021-08-19
CVE Names:         CVE-2021-3516 CVE-2021-3517 CVE-2021-3518 
                   CVE-2021-3520 CVE-2021-3537 CVE-2021-3541 
                   CVE-2021-20271 CVE-2021-27218 CVE-2021-33195 
                   CVE-2021-33196 CVE-2021-33197 CVE-2021-33198 
                   CVE-2021-34558 
=====================================================================

1. Summary:

An update is now available for Red Hat OpenShift Jaeger 1.20.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Jaeger is Red Hat's distribution of the Jaeger project,
tailored for installation into an on-premise OpenShift Container Platform
installation.

Security Fix(es):

* golang: net: lookup functions may return invalid host names
(CVE-2021-33195)

* golang: archive/zip: Malformed archive may cause panic or memory
exhaustion (CVE-2021-33196)

* golang: net/http/httputil: ReverseProxy forwards connection headers if
first one is empty (CVE-2021-33197)

* golang: math/big.Rat: may cause a panic or an unrecoverable fatal error
if passed inputs with very large exponents (CVE-2021-33198)

* golang: crypto/tls: certificate of wrong type is causing TLS client to
panic (CVE-2021-34558)
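The ReverseProxy issue (CVE-2021-33197) comes down to how a proxy strips the headers that a request's Connection field names as hop-by-hop. The Go program below is an added illustration, not code from this advisory or from the Jaeger or Go projects: removeConnectionHeadersOld is a simplified reconstruction of the pre-fix pattern, which consulted only the first Connection value (Header.Get) and therefore did nothing when that value was empty; removeConnectionHeadersFixed walks every value, as the patched standard library does (the real function also deletes a fixed list of well-known hop-by-hop headers, omitted here). The request headers, including the hypothetical X-Internal-Auth name, are constructed sample input.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// removeConnectionHeadersOld is a simplified reconstruction of the pre-fix
// pattern. Header.Get returns only the FIRST Connection value, so when that
// value is empty the loop body never runs and any header named in a later
// Connection line is left in place and forwarded upstream.
func removeConnectionHeadersOld(h http.Header) {
	if c := h.Get("Connection"); c != "" {
		for _, f := range strings.Split(c, ",") {
			if f = strings.TrimSpace(f); f != "" {
				h.Del(f)
			}
		}
	}
}

// removeConnectionHeadersFixed walks every Connection value, so an empty
// first value no longer masks the ones that follow. (The patched standard
// library additionally deletes a fixed list of well-known hop-by-hop headers;
// that step is omitted here to keep the contrast visible.)
func removeConnectionHeadersFixed(h http.Header) {
	for _, c := range h.Values("Connection") {
		for _, f := range strings.Split(c, ",") {
			if f = strings.TrimSpace(f); f != "" {
				h.Del(f)
			}
		}
	}
}

// constructedRequestHeaders builds the request shape the advisory describes:
// an empty first Connection header followed by a second one naming a header
// that must be treated as hop-by-hop. X-Internal-Auth is a hypothetical name
// for a header an upstream might trust when it arrives from the proxy; this
// is constructed sample input, not a captured request.
func constructedRequestHeaders() http.Header {
	h := http.Header{}
	h.Add("Connection", "")
	h.Add("Connection", "X-Internal-Auth")
	h.Set("X-Internal-Auth", "set-by-client")
	h.Set("Host", "jaeger-query.example.internal")
	return h
}

// survivesOld reports whether X-Internal-Auth is still present (and so would
// be forwarded) after the pre-fix stripping logic runs.
func survivesOld() bool {
	h := constructedRequestHeaders()
	removeConnectionHeadersOld(h)
	_, present := h["X-Internal-Auth"]
	return present
}

// survivesFixed does the same check for the corrected logic.
func survivesFixed() bool {
	h := constructedRequestHeaders()
	removeConnectionHeadersFixed(h)
	_, present := h["X-Internal-Auth"]
	return present
}

func main() {
	fmt.Printf("pre-fix logic forwards X-Internal-Auth: %v\n", survivesOld())   // true
	fmt.Printf("fixed logic forwards X-Internal-Auth:   %v\n", survivesFixed()) // false
}
```

For a Jaeger deployment the fix is not something an operator patches by hand: the advisory delivers it by rebuilding the product images with a patched Go toolchain, which is why updating the operator and its images is the whole of the remediation.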

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://docs.openshift.com/container-platform/4.8/jaeger/jaeger_install/rhbjaeger-updating.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1965503 - CVE-2021-33196 golang: archive/zip: malformed archive may cause panic or memory exhaustion
1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic
1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names
1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty
1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents

5. JIRA issues fixed (https://issues.jboss.org/):

TRACING-2083 - Rebuild product images to address CVE-2021-33910 - Jaeger components 1.20
TRACING-2087 - Jaeger agent sidecar injection failed due to missing configmaps in the application namespace

6. References:

https://access.redhat.com/security/cve/CVE-2021-3516
https://access.redhat.com/security/cve/CVE-2021-3517
https://access.redhat.com/security/cve/CVE-2021-3518
https://access.redhat.com/security/cve/CVE-2021-3520
https://access.redhat.com/security/cve/CVE-2021-3537
https://access.redhat.com/security/cve/CVE-2021-3541
https://access.redhat.com/security/cve/CVE-2021-20271
https://access.redhat.com/security/cve/CVE-2021-27218
https://access.redhat.com/security/cve/CVE-2021-33195
https://access.redhat.com/security/cve/CVE-2021-33196
https://access.redhat.com/security/cve/CVE-2021-33197
https://access.redhat.com/security/cve/CVE-2021-33198
https://access.redhat.com/security/cve/CVE-2021-34558
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----