CVE-2022-0552

origin-aggregated-logging/elasticsearch: Incomplete fix for netty-codec-http CVE-2021-21409

Severity Score

5.9

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A flaw was found in the original fix for the netty-codec-http CVE-2021-21409, where the OpenShift Logging openshift-logging/elasticsearch6-rhel8 container was incomplete. The vulnerable netty-codec-http maven package was not removed from the image content. This flaw affects origin-aggregated-logging versions 3.11.

Se ha encontrado un fallo en la corrección original de netty-codec-http CVE-2021-21409, donde el contenedor OpenShift Logging openshift-logging/elasticsearch6-rhel8 estaba incompleto. El paquete maven vulnerable netty-codec-http no fue eliminado del contenido de la imagen. Este fallo afecta a origin-aggregated-logging versiones 3.11

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-02-09 CVE Reserved
2022-03-02 CVE Published
2024-08-02 CVE Updated
2024-11-15 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

CAPEC

References (4)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://github.com/openshift/origin-aggregated-logging/commit/d6b72d6c32e7c06b65324294d10406546734004d	2023-02-12

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2021-21409	2022-03-02
https://bugzilla.redhat.com/show_bug.cgi?id=2052539	2022-03-02
https://access.redhat.com/security/cve/CVE-2022-0552	2022-03-02

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Redhat Search vendor "Redhat"		Origin-aggregated-logging Search vendor "Redhat" for product "Origin-aggregated-logging"				3.11 Search vendor "Redhat" for product "Origin-aggregated-logging" and version "3.11"		-		Affected