SB2022011012 - Multiple vulnerabilities in OpenShift Logging
Published: January 10, 2022 Updated: September 18, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Infinite loop (CVE-ID: CVE-2021-45105)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop within the StrSubstitutor class. A remote attacker can pass specially crafted input to the application, consume all available system resources and cause denial of service conditions.
Payload example: ${${::-${::-$${::-j}}}}
2) Out-of-bounds read (CVE-ID: CVE-2021-3712)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition when processing ASN.1 strings related to a confusion with NULL termination of strings in array. A remote attacker can pass specially crafted data to the application to trigger an out-of-bounds read error and read contents of memory on the system or perform a denial of service (DoS) attack.
3) Race condition (CVE-ID: CVE-2021-20321)
The vulnerability allows a local user to perform a denial of service (DoS) attacks.
The vulnerability exists due to a race condition when accessing file object in the Linux kernel OverlayFS subsystem. A local user can rename files in specific way with OverlayFS and perform a denial of service (DoS) attack.
4) Input validation error (CVE-ID: CVE-2021-42574)
The vulnerability allows an attacker to bypass certain security checks.
The vulnerability exists in the Bidirectional Algorithm in the Unicode Specification. It permits the visual reordering of characters via control sequences, which can be used to craft source code that renders different logic than the logical ordering of tokens ingested by compilers and interpreters.
An attacker can leverage this behavior to encode source code for compilers accepting Unicode such that targeted vulnerabilities are introduced invisibly to human reviewers.
Remediation
Install update from vendor's website.
References
- https://access.redhat.com/errata/RHSA-2022:0042"
- https://access.redhat.com/errata/RHSA-2022:0042</a></p><p><a
- https://access.redhat.com/errata/RHSA-2022:0043"
- https://access.redhat.com/errata/RHSA-2022:0043</a></p><p><a
- https://access.redhat.com/errata/RHSA-2022:0044"
- https://access.redhat.com/errata/RHSA-2022:0044</a></p><p>
- https://access.redhat.com/errata/RHSA-2022:0047</p><p><br></p>