Lucene search

K
redhatRedHatRHSA-2022:5201
HistoryJun 27, 2022 - 1:35 p.m.

(RHSA-2022:5201) Moderate: Red Hat Advanced Cluster Management 2.4.5 security updates and bug fixes

2022-06-2713:35:25
access.redhat.com
34

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

0.016 Low

EPSS

Percentile

86.9%

Red Hat Advanced Cluster Management for Kubernetes 2.4.5 images

Red Hat Advanced Cluster Management for Kubernetes provides the
capabilities to address common challenges that administrators and site
reliability engineers face as they work across a range of public and
private cloud environments. Clusters and applications are all visible and
managed from a single console—with security policy built in.

This advisory contains the container images for Red Hat Advanced Cluster
Management for Kubernetes, which apply security fixes and fix several bugs. See the following
Release Notes documentation, which will be updated shortly for this
release, for additional details about this release:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html/release_notes/

Security fixes:

  • golang.org/x/crypto: empty plaintext packet causes panic (CVE-2021-43565)

  • nconf: Prototype pollution in memory store (CVE-2022-21803)

  • golang: crypto/elliptic IsOnCurve returns true for invalid field elements (CVE-2022-23806)

  • nats-server: misusing the “dynamically provisioned sandbox accounts” feature authenticated user can obtain the privileges of the System account (CVE-2022-24450)

  • Moment.js: Path traversal in moment.locale (CVE-2022-24785)

  • dset: Prototype Pollution in dset (CVE-2022-25645)

  • golang: syscall: faccessat checks wrong group (CVE-2022-29526)

  • go-getter: writes SSH credentials into logfile, exposing sensitive credentials to local uses (CVE-2022-29810)

Bug fixes:

  • Trying to create a new cluster on vSphere and no feedback, stuck in “creating” (BZ# 1937078)

  • Wrong message is displayed when GRC fails to connect to an Ansible Tower (BZ# 2051752)

  • multicluster_operators_hub_subscription issues due to /tmp usage (BZ# 2052702)

  • Create Cluster, Worker Pool 2 zones do not load options that relate to the selected Region field (BZ# 2054954)

  • Changing the multiclusterhub name other than the default name keeps the version in the web console loading (BZ# 2059822)

  • search-redisgraph-0 generating massive amount of logs after 2.4.2 upgrade (BZ# 2065318)

  • Uninstall pod crashed when destroying Azure Gov cluster in ACM (BZ# 2073562)

  • Deprovisioned clusters not filtered out by discovery controller (BZ# 2075594)

  • When deleting a secret for a Helm application, duplicate errors show up in topology (BZ# 2075675)

  • Changing existing placement rules does not change YAML file Regression (BZ# 2075724)

  • Editing Helm Argo Applications does not Prune Old Resources (BZ# 2079906)

  • Failed to delete the requested resource [404] error appears after subscription is deleted and its placement rule is used in the second subscription (BZ# 2080713)

  • Typo in the logs when Deployable is updated in the subscription namespace (BZ# 2080960)

  • After Argo App Sets are created in an Upgraded Environment, the Clusters column does not indicate the clusters (BZ# 2080716)

  • RHACM 2.4.5 images (BZ# 2081438)

  • Performance issue to get secret in claim-controller (BZ# 2081908)

  • Failed to provision openshift 4.10 on bare metal (BZ# 2094109)

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

0.016 Low

EPSS

Percentile

86.9%

Related for RHSA-2022:5201