-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: Network observability 1.1.0 security update Advisory ID: RHSA-2023:0786-01 Product: NETOBSERV Advisory URL: https://access.redhat.com/errata/RHSA-2023:0786 Issue date: 2023-02-15 CVE Names: CVE-2021-46848 CVE-2022-1271 CVE-2022-1304 CVE-2022-2509 CVE-2022-3515 CVE-2022-3602 CVE-2022-3715 CVE-2022-3786 CVE-2022-3821 CVE-2022-33099 CVE-2022-34903 CVE-2022-35737 CVE-2022-40303 CVE-2022-40304 CVE-2022-42898 CVE-2022-47629 CVE-2023-0813 ==================================================================== 1. Summary: Network observability 1.1.0 release for OpenShift Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Network observability is an OpenShift operator that provides a monitoring pipeline to collect and enrich network flows that are produced by the Network observability eBPF agent. The operator provides dashboards, metrics, and keeps flows accessible in a queryable log store, Grafana Loki. When a FlowCollector is deployed, new dashboards are available in the Console. Security Fix(es): * network-observability-console-plugin-container: setting Loki authToken configuration to DISABLE or HOST mode leads to authentication longer being enforced (CVE-2023-0813) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: Apply this errata by upgrading Network observability operator 1.0 to 1.1 4. Bugs fixed (https://bugzilla.redhat.com/): 2169468 - CVE-2023-0813 network-observability-console-plugin-container: setting Loki authToken configuration to DISABLE or HOST mode leads to authentication longer being enforced 5. References: https://access.redhat.com/security/cve/CVE-2021-46848 https://access.redhat.com/security/cve/CVE-2022-1271 https://access.redhat.com/security/cve/CVE-2022-1304 https://access.redhat.com/security/cve/CVE-2022-2509 https://access.redhat.com/security/cve/CVE-2022-3515 https://access.redhat.com/security/cve/CVE-2022-3602 https://access.redhat.com/security/cve/CVE-2022-3715 https://access.redhat.com/security/cve/CVE-2022-3786 https://access.redhat.com/security/cve/CVE-2022-3821 https://access.redhat.com/security/cve/CVE-2022-33099 https://access.redhat.com/security/cve/CVE-2022-34903 https://access.redhat.com/security/cve/CVE-2022-35737 https://access.redhat.com/security/cve/CVE-2022-40303 https://access.redhat.com/security/cve/CVE-2022-40304 https://access.redhat.com/security/cve/CVE-2022-42898 https://access.redhat.com/security/cve/CVE-2022-47629 https://access.redhat.com/security/cve/CVE-2023-0813 https://access.redhat.com/security/updates/classification/#important 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBY+0kZNzjgjWX9erEAQhFFQ//QpVfZtURnoqqxWDRomJfU/B5FMK0iGEv r9lIOIPlCyXNJndORtBR53RPNjOaeDRAMDCLGKyaPMZbrT117nULpIe0glTgNUkM Lr6ZYeuVRPlUeyZz/siRV6e+IgTGJibZh5EmIOIgTqbZcuR2P1pi5VCgy/UlNbgC QnPUSvUf0CXS7c87pX1m1aisYxlyiNFiacMGf26hHFx1fdt1GlCCvko4Rz1sLiiN yc0AZ4sQgt4XJBaTheiueDUx3lJ+AXeJ9IxKwvHYwXzVAZZ43zhYNi93cfcLfk+0 wnpPOVq0sQ3kxe9a02YL5eH2+HvKAJzrw1WAN0SArskk66HgIb4cta1Y9Wqt4++o hR/9/xJLNt9WrLUJaof0VqlMwlZYocIu747CgbhSYh3f+ITVrP86XgVfacBzhDAm YeOClak18lzrBjJKqUZv5jEqspO46l+GwpbAwl8nNk6weyWHvIiZP2j/MIN4o3i6 CGr/2JyKN2LgbU+ForWdjKVFojj/XLUlOd142qYlXyUuHrJ65a3dl1Hcoi+p10bw VXwJDLD45ZUx8VC7CIqG9aVnOAG4JxN77FlU3yFgNvNHdzKs4R8N71B4tk4DRLF2 IfsFlc95Pn/CyNufH9d8+ev5A59qT1wrdwhoXe/Udu7gJZThiRTb0AAXRw0xPdDF YtiWKaTUBfM=wK1Q -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce