[RHSA-2023:3905-01] Important: Network observability 1.3.0 for Openshift

[Security announcements for all Red Hat products and services.]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Network observability 1.3.0 for Openshift
Advisory ID:       RHSA-2023:3905-01
Product:           Network Observability
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3905
Issue date:        2023-06-28
CVE Names:         CVE-2022-28805 CVE-2022-36227 CVE-2023-0464 
                   CVE-2023-0465 CVE-2023-0466 CVE-2023-1255 
                   CVE-2023-2650 CVE-2023-24539 CVE-2023-24540 
                   CVE-2023-27535 CVE-2023-29400 
=====================================================================

1. Summary:

Network Observability 1.3.0 for OpenShift

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Network Observability 1.3.0 is an OpenShift operator that provides a
monitoring pipeline to collect and enrich network flows that are produced
by the Network observability eBPF agent.

The operator provides dashboards, metrics, and keeps flows accessible in a
queryable log store, Grafana Loki. When a FlowCollector is deployed, new
dashboards are available in the Console.

This update contains bug fixes.

Security Fix(es):

* golang: html/template: improper handling of JavaScript whitespace
(CVE-2023-24540)

* golang: html/template: improper sanitization of CSS values
(CVE-2023-24539)

* golang: html/template: improper handling of empty HTML attributes
(CVE-2023-29400)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2196026 - CVE-2023-24539 golang: html/template: improper sanitization of CSS values
2196027 - CVE-2023-24540 golang: html/template: improper handling of JavaScript whitespace
2196029 - CVE-2023-29400 golang: html/template: improper handling of empty HTML attributes

5. JIRA issues fixed (https://issues.redhat.com/):

NETOBSERV-1003 - include metrics role and rolebinding in operator bundle
NETOBSERV-1070 - FLP metrics is not populated with TLS scheme 
NETOBSERV-166 - Multitenancy support in Network Observability for project admins
NETOBSERV-391 - Metrics & prometheus setup - flow based dashboards and metrics
NETOBSERV-576 - Multi-arch builds - amd64, ppc64le, arm64
NETOBSERV-765 - Plugin's ServiceMonitor doesn't work
NETOBSERV-773 - Copy certificates across namespaces
NETOBSERV-776 - Implement RBAC control in Loki Gateway
NETOBSERV-901 - Console integration (admin perspective)
NETOBSERV-934 - Add SCTP/ICMPv4/ICMPv6 support to ebpf agent
NETOBSERV-971 - portNaming cannot be disabled
NETOBSERV-972 - user authentication fails for non-kubeadmin users despite they're in cluster-admin groups
NETOBSERV-976 - Not able to disable alerts
NETOBSERV-981 - add must-gather support for network-observability
NETOBSERV-984 - KafkaInterBrokerProtocalVersion throws warning and has ingestion errors 

6. References:

https://access.redhat.com/security/cve/CVE-2022-28805
https://access.redhat.com/security/cve/CVE-2022-36227
https://access.redhat.com/security/cve/CVE-2023-0464
https://access.redhat.com/security/cve/CVE-2023-0465
https://access.redhat.com/security/cve/CVE-2023-0466
https://access.redhat.com/security/cve/CVE-2023-1255
https://access.redhat.com/security/cve/CVE-2023-2650
https://access.redhat.com/security/cve/CVE-2023-24539
https://access.redhat.com/security/cve/CVE-2023-24540
https://access.redhat.com/security/cve/CVE-2023-27535
https://access.redhat.com/security/cve/CVE-2023-29400
https://access.redhat.com/security/updates/classification/#important

7. Contact:

The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZJxWj9zjgjWX9erEAQhGvxAAlqe2wRYPbDiTD3U94mCKBvCm6LseRogK
h+/FLgFUIVmt4wdDRA6O1S+wEqzeHbK1HVgHbU40u4hFU/0M1PEJsiDOyC4hAioO
YDry9NxjaCdd4gRtwq8xuBwyeWvRN6sZna1ei/kUcy+1pvJc+YNVMoW3KyBVa2Kp
dMdCoVvOt0/yggqFix4bRlzldS1HqBPT3PCSqWJO5OsLa1HyPDmsPYLTzJBXBgiZ
of9tgcZ0iwM6/2P6hmKjrKX3hVFNAN47mbmF6u5XfxPywLCEcg5p5eWl1pfJoAYO
GwLn0EgW7SKd6Woaq3BIY8MN0+8L9vOba8zWV2ZS1Jkio1RBiBpeoINbFJObXr5N
tkKxkJGlnoSypLARdUl5HZwd6MxbVnB1+JQMnjJKCn+VWjxrqCzENMYDrjEzcaLD
HyD3HNOriA8ZCvtXOIqVIzKfqAeO++FUn7OUU9U1aBo9zc/AdpeGzBAiW09E9o1d
cpPdxfEFYl0uEqw3ZdlXYb58dCU9UsVdS6wxhJSIUtdWiqdLXmXzI/1ZdfSXIOwr
9ud3epfl6clFx8Ibt9VXLD4GUU58v+Q46pDtE6Flcf+8AXN5Mn6tanOOQs1JsuVM
oxS+DfzbBZeJnLyEpW6YbMhbGqV8QXm6TF8c+IGAEpGjQwGTblX3BmOf/ijj7Hxt
KmF4LPB8n6E=
=8qT8
-----END PGP SIGNATURE-----