rhsa-2021_4582
Vulnerability from csaf_redhat
Published
2021-11-10 11:52
Modified
2024-09-18 04:20
Summary
Red Hat Security Advisory: Release of components for Service Telemetry Framework 1.3.3 - Container Images
Notes
Topic
Release of components for the Service Telemetry Framework
Details
Service Telemetry Framework (STF) provides automated collection of measurements and data from remote clients, such as Red Hat OpenStack Platform or third-party nodes. STF then transmits the information to a centralized, receiving Red Hat OpenShift Container Platform (OCP) deployment for storage, retrieval, and monitoring.
Security fixes:
* golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Bug fixes:
* STF 1.3.3 now supports OpenShift Container Platform 4.8 as an installation platform. (BZ#2013268)
* With this update, the servicetelemetrys.infra.watch CRD has a validation that limits the clouds[].name to 10 characters and alphanumeric to avoid issues with extra characters in the cloud name and names being too long. (BZ#2011603)
* Previously, when you installed STF without having Elastic Cloud on Kubernetes (ECK) Operator installed, the following error message was returned: "Failed to find exact match for elasticsearch.k8s.elastic.co/v1beta1.Elasticsearch". The error was as a result of Service Telemetry Operator trying to look up information from a non-existent API interface.
With this update, the Service Telemetry Operator verifies that the API exists before it attempts to make requests to the API interface that is provided by ECK. (BZ#1959166)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Release of components for the Service Telemetry Framework",
"title": "Topic"
},
{
"category": "general",
"text": "Service Telemetry Framework (STF) provides automated collection of measurements and data from remote clients, such as Red Hat OpenStack Platform or third-party nodes. STF then transmits the information to a centralized, receiving Red Hat OpenShift Container Platform (OCP) deployment for storage, retrieval, and monitoring.\n\nSecurity fixes:\n\n* golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug fixes:\n\n* STF 1.3.3 now supports OpenShift Container Platform 4.8 as an installation platform. (BZ#2013268)\n\n* With this update, the servicetelemetrys.infra.watch CRD has a validation that limits the clouds[].name to 10 characters and alphanumeric to avoid issues with extra characters in the cloud name and names being too long. (BZ#2011603)\n\n* Previously, when you installed STF without having Elastic Cloud on Kubernetes (ECK) Operator installed, the following error message was returned: \"Failed to find exact match for elasticsearch.k8s.elastic.co/v1beta1.Elasticsearch\". The error was as a result of Service Telemetry Operator trying to look up information from a non-existent API interface.\n\nWith this update, the Service Telemetry Operator verifies that the API exists before it attempts to make requests to the API interface that is provided by ECK. (BZ#1959166)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat offerings.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2021:4582",
"url": "https://access.redhat.com/errata/RHSA-2021:4582"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1959166",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1959166"
},
{
"category": "external",
"summary": "1983596",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1983596"
},
{
"category": "external",
"summary": "2011603",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2011603"
},
{
"category": "external",
"summary": "2013268",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2013268"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/data/csaf/v2/advisories/2021/rhsa-2021_4582.json"
}
],
"title": "Red Hat Security Advisory: Release of components for Service Telemetry Framework 1.3.3 - Container Images",
"tracking": {
"current_release_date": "2024-09-18T04:20:46+00:00",
"generator": {
"date": "2024-09-18T04:20:46+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "3.33.3"
}
},
"id": "RHSA-2021:4582",
"initial_release_date": "2021-11-10T11:52:54+00:00",
"revision_history": [
{
"date": "2021-11-10T11:52:54+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2021-11-10T11:52:54+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-09-18T04:20:46+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Service Telemetry Framework 1.3 for RHEL 8",
"product": {
"name": "Service Telemetry Framework 1.3 for RHEL 8",
"product_id": "8Base-STF-1.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:service_telemetry_framework:1.3::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "stf/service-telemetry-operator-bundle@sha256:3aa38a05aa77bdac184c57f3152b56a9d43447dc086fb8d1388bf50f451d0947_amd64",
"product": {
"name": "stf/service-telemetry-operator-bundle@sha256:3aa38a05aa77bdac184c57f3152b56a9d43447dc086fb8d1388bf50f451d0947_amd64",
"product_id": "stf/service-telemetry-operator-bundle@sha256:3aa38a05aa77bdac184c57f3152b56a9d43447dc086fb8d1388bf50f451d0947_amd64",
"product_identification_helper": {
"purl": "pkg:oci/service-telemetry-operator-bundle@sha256:3aa38a05aa77bdac184c57f3152b56a9d43447dc086fb8d1388bf50f451d0947?arch=amd64\u0026repository_url=registry.redhat.io/stf/service-telemetry-operator-bundle\u0026tag=1.3.1635451892-1"
}
}
},
{
"category": "product_version",
"name": "stf/service-telemetry-rhel8-operator@sha256:26aada4cf2ee8427a482d23a26ac735a4141e885e04381e3eea0f417ddb7002a_amd64",
"product": {
"name": "stf/service-telemetry-rhel8-operator@sha256:26aada4cf2ee8427a482d23a26ac735a4141e885e04381e3eea0f417ddb7002a_amd64",
"product_id": "stf/service-telemetry-rhel8-operator@sha256:26aada4cf2ee8427a482d23a26ac735a4141e885e04381e3eea0f417ddb7002a_amd64",
"product_identification_helper": {
"purl": "pkg:oci/service-telemetry-rhel8-operator@sha256:26aada4cf2ee8427a482d23a26ac735a4141e885e04381e3eea0f417ddb7002a?arch=amd64\u0026repository_url=registry.redhat.io/stf/service-telemetry-rhel8-operator\u0026tag=1.3.7-1"
}
}
},
{
"category": "product_version",
"name": "stf/sg-core-rhel8@sha256:4ab99a587b957ec36ef14738abff0608e8bf14d18c771c6a405fdf003065b1fe_amd64",
"product": {
"name": "stf/sg-core-rhel8@sha256:4ab99a587b957ec36ef14738abff0608e8bf14d18c771c6a405fdf003065b1fe_amd64",
"product_id": "stf/sg-core-rhel8@sha256:4ab99a587b957ec36ef14738abff0608e8bf14d18c771c6a405fdf003065b1fe_amd64",
"product_identification_helper": {
"purl": "pkg:oci/sg-core-rhel8@sha256:4ab99a587b957ec36ef14738abff0608e8bf14d18c771c6a405fdf003065b1fe?arch=amd64\u0026repository_url=registry.redhat.io/stf/sg-core-rhel8\u0026tag=4.0.3-8"
}
}
},
{
"category": "product_version",
"name": "stf/smart-gateway-operator-bundle@sha256:f2105fb56eab3cf34f3012932ac74674743037797c7f0022a46b550d975e2605_amd64",
"product": {
"name": "stf/smart-gateway-operator-bundle@sha256:f2105fb56eab3cf34f3012932ac74674743037797c7f0022a46b550d975e2605_amd64",
"product_id": "stf/smart-gateway-operator-bundle@sha256:f2105fb56eab3cf34f3012932ac74674743037797c7f0022a46b550d975e2605_amd64",
"product_identification_helper": {
"purl": "pkg:oci/smart-gateway-operator-bundle@sha256:f2105fb56eab3cf34f3012932ac74674743037797c7f0022a46b550d975e2605?arch=amd64\u0026repository_url=registry.redhat.io/stf/smart-gateway-operator-bundle\u0026tag=3.0.1635451893-1"
}
}
},
{
"category": "product_version",
"name": "stf/smart-gateway-rhel8-operator@sha256:2f3d0901349c9e57c6084d4e5fa1407cd882d6c56163c69b54bbf69bdc919bdc_amd64",
"product": {
"name": "stf/smart-gateway-rhel8-operator@sha256:2f3d0901349c9e57c6084d4e5fa1407cd882d6c56163c69b54bbf69bdc919bdc_amd64",
"product_id": "stf/smart-gateway-rhel8-operator@sha256:2f3d0901349c9e57c6084d4e5fa1407cd882d6c56163c69b54bbf69bdc919bdc_amd64",
"product_identification_helper": {
"purl": "pkg:oci/smart-gateway-rhel8-operator@sha256:2f3d0901349c9e57c6084d4e5fa1407cd882d6c56163c69b54bbf69bdc919bdc?arch=amd64\u0026repository_url=registry.redhat.io/stf/smart-gateway-rhel8-operator\u0026tag=3.0.4-1"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "stf/service-telemetry-operator-bundle@sha256:3aa38a05aa77bdac184c57f3152b56a9d43447dc086fb8d1388bf50f451d0947_amd64 as a component of Service Telemetry Framework 1.3 for RHEL 8",
"product_id": "8Base-STF-1.3:stf/service-telemetry-operator-bundle@sha256:3aa38a05aa77bdac184c57f3152b56a9d43447dc086fb8d1388bf50f451d0947_amd64"
},
"product_reference": "stf/service-telemetry-operator-bundle@sha256:3aa38a05aa77bdac184c57f3152b56a9d43447dc086fb8d1388bf50f451d0947_amd64",
"relates_to_product_reference": "8Base-STF-1.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "stf/service-telemetry-rhel8-operator@sha256:26aada4cf2ee8427a482d23a26ac735a4141e885e04381e3eea0f417ddb7002a_amd64 as a component of Service Telemetry Framework 1.3 for RHEL 8",
"product_id": "8Base-STF-1.3:stf/service-telemetry-rhel8-operator@sha256:26aada4cf2ee8427a482d23a26ac735a4141e885e04381e3eea0f417ddb7002a_amd64"
},
"product_reference": "stf/service-telemetry-rhel8-operator@sha256:26aada4cf2ee8427a482d23a26ac735a4141e885e04381e3eea0f417ddb7002a_amd64",
"relates_to_product_reference": "8Base-STF-1.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "stf/sg-core-rhel8@sha256:4ab99a587b957ec36ef14738abff0608e8bf14d18c771c6a405fdf003065b1fe_amd64 as a component of Service Telemetry Framework 1.3 for RHEL 8",
"product_id": "8Base-STF-1.3:stf/sg-core-rhel8@sha256:4ab99a587b957ec36ef14738abff0608e8bf14d18c771c6a405fdf003065b1fe_amd64"
},
"product_reference": "stf/sg-core-rhel8@sha256:4ab99a587b957ec36ef14738abff0608e8bf14d18c771c6a405fdf003065b1fe_amd64",
"relates_to_product_reference": "8Base-STF-1.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "stf/smart-gateway-operator-bundle@sha256:f2105fb56eab3cf34f3012932ac74674743037797c7f0022a46b550d975e2605_amd64 as a component of Service Telemetry Framework 1.3 for RHEL 8",
"product_id": "8Base-STF-1.3:stf/smart-gateway-operator-bundle@sha256:f2105fb56eab3cf34f3012932ac74674743037797c7f0022a46b550d975e2605_amd64"
},
"product_reference": "stf/smart-gateway-operator-bundle@sha256:f2105fb56eab3cf34f3012932ac74674743037797c7f0022a46b550d975e2605_amd64",
"relates_to_product_reference": "8Base-STF-1.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "stf/smart-gateway-rhel8-operator@sha256:2f3d0901349c9e57c6084d4e5fa1407cd882d6c56163c69b54bbf69bdc919bdc_amd64 as a component of Service Telemetry Framework 1.3 for RHEL 8",
"product_id": "8Base-STF-1.3:stf/smart-gateway-rhel8-operator@sha256:2f3d0901349c9e57c6084d4e5fa1407cd882d6c56163c69b54bbf69bdc919bdc_amd64"
},
"product_reference": "stf/smart-gateway-rhel8-operator@sha256:2f3d0901349c9e57c6084d4e5fa1407cd882d6c56163c69b54bbf69bdc919bdc_amd64",
"relates_to_product_reference": "8Base-STF-1.3"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-34558",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2021-07-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1983596"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang. A panic can be triggered by an attacker in a privileged network position without access to the server certificate\u0027s private key, as long as a trusted ECDSA or Ed25519 certificate for the server exists (or can be issued), or the client is configured with Config.InsecureSkipVerify. Clients that disable all TLS_RSA cipher suites (that is, TLS 1.0\u20131.2 cipher suites without ECDHE), as well as TLS 1.3-only clients, are unaffected.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: crypto/tls: certificate of wrong type is causing TLS client to panic",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "* This vulnerability potentially affects any component written in Go that uses crypto/tls from the standard library. It is possible for components that make client connections to malicious servers to be exploited, however the maximum impact is a crash. This vulnerability is rated Low for the following components: \n - OpenShift Container Platform\n - OpenShift distributed tracing (formerly OpenShift Jaeger)\n - OpenShift Migration Toolkit for Containers\n - Red Hat Advanced Cluster Management for Kubernetes\n - Red Hat OpenShift on AWS\n - Red Hat OpenShift Virtualization\n\n* Because OpenShift Container Platform 3.11 is in Maintenance Phase of the support, only Important and Critical severity vulnerabilities will be addressed at this time.\n\n* Because Service Telemetry Framework1.2 will be retiring soon and the flaw\u0027s impact is lower, no update will be provided at this time for STF1.2\u0027s containers.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-STF-1.3:stf/service-telemetry-operator-bundle@sha256:3aa38a05aa77bdac184c57f3152b56a9d43447dc086fb8d1388bf50f451d0947_amd64",
"8Base-STF-1.3:stf/service-telemetry-rhel8-operator@sha256:26aada4cf2ee8427a482d23a26ac735a4141e885e04381e3eea0f417ddb7002a_amd64",
"8Base-STF-1.3:stf/sg-core-rhel8@sha256:4ab99a587b957ec36ef14738abff0608e8bf14d18c771c6a405fdf003065b1fe_amd64",
"8Base-STF-1.3:stf/smart-gateway-operator-bundle@sha256:f2105fb56eab3cf34f3012932ac74674743037797c7f0022a46b550d975e2605_amd64",
"8Base-STF-1.3:stf/smart-gateway-rhel8-operator@sha256:2f3d0901349c9e57c6084d4e5fa1407cd882d6c56163c69b54bbf69bdc919bdc_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-34558"
},
{
"category": "external",
"summary": "RHBZ#1983596",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1983596"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-34558",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-34558"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-34558",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34558"
},
{
"category": "external",
"summary": "https://golang.org/doc/devel/release#go1.15.minor",
"url": "https://golang.org/doc/devel/release#go1.15.minor"
},
{
"category": "external",
"summary": "https://golang.org/doc/devel/release#go1.16.minor",
"url": "https://golang.org/doc/devel/release#go1.16.minor"
}
],
"release_date": "2021-07-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"details": "The Service Telemetry Framework container image provided by this update can be downloaded from the Red Hat Container Registry at registry.access.redhat.com. Installation instructions for your platform are available at Red Hat Container Catalog. See References.\nDockerfiles and scripts should be amended either to refer to this new image specifically, or to the latest image generally.",
"product_ids": [
"8Base-STF-1.3:stf/service-telemetry-operator-bundle@sha256:3aa38a05aa77bdac184c57f3152b56a9d43447dc086fb8d1388bf50f451d0947_amd64",
"8Base-STF-1.3:stf/service-telemetry-rhel8-operator@sha256:26aada4cf2ee8427a482d23a26ac735a4141e885e04381e3eea0f417ddb7002a_amd64",
"8Base-STF-1.3:stf/sg-core-rhel8@sha256:4ab99a587b957ec36ef14738abff0608e8bf14d18c771c6a405fdf003065b1fe_amd64",
"8Base-STF-1.3:stf/smart-gateway-operator-bundle@sha256:f2105fb56eab3cf34f3012932ac74674743037797c7f0022a46b550d975e2605_amd64",
"8Base-STF-1.3:stf/smart-gateway-rhel8-operator@sha256:2f3d0901349c9e57c6084d4e5fa1407cd882d6c56163c69b54bbf69bdc919bdc_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:4582"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"8Base-STF-1.3:stf/service-telemetry-operator-bundle@sha256:3aa38a05aa77bdac184c57f3152b56a9d43447dc086fb8d1388bf50f451d0947_amd64",
"8Base-STF-1.3:stf/service-telemetry-rhel8-operator@sha256:26aada4cf2ee8427a482d23a26ac735a4141e885e04381e3eea0f417ddb7002a_amd64",
"8Base-STF-1.3:stf/sg-core-rhel8@sha256:4ab99a587b957ec36ef14738abff0608e8bf14d18c771c6a405fdf003065b1fe_amd64",
"8Base-STF-1.3:stf/smart-gateway-operator-bundle@sha256:f2105fb56eab3cf34f3012932ac74674743037797c7f0022a46b550d975e2605_amd64",
"8Base-STF-1.3:stf/smart-gateway-rhel8-operator@sha256:2f3d0901349c9e57c6084d4e5fa1407cd882d6c56163c69b54bbf69bdc919bdc_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-STF-1.3:stf/service-telemetry-operator-bundle@sha256:3aa38a05aa77bdac184c57f3152b56a9d43447dc086fb8d1388bf50f451d0947_amd64",
"8Base-STF-1.3:stf/service-telemetry-rhel8-operator@sha256:26aada4cf2ee8427a482d23a26ac735a4141e885e04381e3eea0f417ddb7002a_amd64",
"8Base-STF-1.3:stf/sg-core-rhel8@sha256:4ab99a587b957ec36ef14738abff0608e8bf14d18c771c6a405fdf003065b1fe_amd64",
"8Base-STF-1.3:stf/smart-gateway-operator-bundle@sha256:f2105fb56eab3cf34f3012932ac74674743037797c7f0022a46b550d975e2605_amd64",
"8Base-STF-1.3:stf/smart-gateway-rhel8-operator@sha256:2f3d0901349c9e57c6084d4e5fa1407cd882d6c56163c69b54bbf69bdc919bdc_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: crypto/tls: certificate of wrong type is causing TLS client to panic"
}
]
}
Loading...