Red Hat 9062 Published by

Red Hat Advanced Cluster Management 2.2.11 security updates and bug fixes has been released.



RHSA-2022:0856-01: Moderate: Red Hat Advanced Cluster Management 2.2.11 security updates and bug fixes



=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat Advanced Cluster Management 2.2.11 security updates and bug fixes
Advisory ID: RHSA-2022:0856-01
Product: Red Hat ACM
Advisory URL:   https://access.redhat.com/errata/RHSA-2022:0856
Issue date: 2022-03-14
CVE Names: CVE-2019-5827 CVE-2019-13750 CVE-2019-13751
CVE-2019-17594 CVE-2019-17595 CVE-2019-18218
CVE-2019-19603 CVE-2019-20838 CVE-2020-0465
CVE-2020-0466 CVE-2020-12762 CVE-2020-13435
CVE-2020-14155 CVE-2020-16135 CVE-2020-24370
CVE-2020-25709 CVE-2020-25710 CVE-2021-0920
CVE-2021-3200 CVE-2021-3426 CVE-2021-3445
CVE-2021-3521 CVE-2021-3564 CVE-2021-3572
CVE-2021-3573 CVE-2021-3580 CVE-2021-3712
CVE-2021-3752 CVE-2021-3800 CVE-2021-3872
CVE-2021-3984 CVE-2021-4019 CVE-2021-4122
CVE-2021-4155 CVE-2021-4192 CVE-2021-4193
CVE-2021-20231 CVE-2021-20232 CVE-2021-22876
CVE-2021-22898 CVE-2021-22925 CVE-2021-23434
CVE-2021-25214 CVE-2021-27645 CVE-2021-28153
CVE-2021-33560 CVE-2021-33574 CVE-2021-35942
CVE-2021-36084 CVE-2021-36085 CVE-2021-36086
CVE-2021-36087 CVE-2021-39241 CVE-2021-40346
CVE-2021-42574 CVE-2022-0155 CVE-2022-0185
CVE-2022-0330 CVE-2022-22942 CVE-2022-24407
=====================================================================

1. Summary:

Red Hat Advanced Cluster Management for Kubernetes 2.2.11 General
Availability release images, which provide one or more container updates
and bug fixes.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat Advanced Cluster Management for Kubernetes 2.2.11 images

Red Hat Advanced Cluster Management for Kubernetes provides the
capabilities to address common challenges that administrators and site
reliability engineers face as they work across a range of public and
private cloud environments.

Clusters and applications are all visible and managed from a single console
— with security policy built in.

This advisory contains the container images for Red Hat Advanced Cluster
Management for Kubernetes, which provide security fixes, bug fixes and
container upgrades. See the following Release Notes documentation, which
will be updated shortly for this release, for additional details about this
release:

  https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.2/html/release_notes/

Security updates:

* object-path: Type confusion vulnerability can lead to a bypass of
CVE-2020-15256 (CVE-2021-23434)

* follow-redirects: Exposure of Private Personal Information to an
Unauthorized Actor (CVE-2022-0155)

Related bugs:

* RHACM 2.2.11 images (Bugzilla #2029508)

* ClusterImageSet has 4.5 which is not supported in ACM 2.2.10 (Bugzilla
#2030859)

3. Solution:

For Red Hat Advanced Cluster Management for Kubernetes, see the following
documentation, which will be updated shortly for this release, for
important instructions on how to upgrade your cluster and fully apply this
asynchronous errata update:

  https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.2/html/release_notes/index

For details on how to apply this update, refer to:

  https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.2/html-single/install/index#installing

4. Bugs fixed (  https://bugzilla.redhat.com/):

1999810 - CVE-2021-23434 object-path: Type confusion vulnerability can lead to a bypass of CVE-2020-15256
2029508 - RHACM 2.2.11 images
2030859 - ClusterImageSet has 4.5 which is not supported in ACM 2.2.10
2044556 - CVE-2022-0155 follow-redirects: Exposure of Private Personal Information to an Unauthorized Actor

5. References:

  https://access.redhat.com/security/cve/CVE-2019-5827
  https://access.redhat.com/security/cve/CVE-2019-13750
  https://access.redhat.com/security/cve/CVE-2019-13751
  https://access.redhat.com/security/cve/CVE-2019-17594
  https://access.redhat.com/security/cve/CVE-2019-17595
  https://access.redhat.com/security/cve/CVE-2019-18218
  https://access.redhat.com/security/cve/CVE-2019-19603
  https://access.redhat.com/security/cve/CVE-2019-20838
  https://access.redhat.com/security/cve/CVE-2020-0465
  https://access.redhat.com/security/cve/CVE-2020-0466
  https://access.redhat.com/security/cve/CVE-2020-12762
  https://access.redhat.com/security/cve/CVE-2020-13435
  https://access.redhat.com/security/cve/CVE-2020-14155
  https://access.redhat.com/security/cve/CVE-2020-16135
  https://access.redhat.com/security/cve/CVE-2020-24370
  https://access.redhat.com/security/cve/CVE-2020-25709
  https://access.redhat.com/security/cve/CVE-2020-25710
  https://access.redhat.com/security/cve/CVE-2021-0920
  https://access.redhat.com/security/cve/CVE-2021-3200
  https://access.redhat.com/security/cve/CVE-2021-3426
  https://access.redhat.com/security/cve/CVE-2021-3445
  https://access.redhat.com/security/cve/CVE-2021-3521
  https://access.redhat.com/security/cve/CVE-2021-3564
  https://access.redhat.com/security/cve/CVE-2021-3572
  https://access.redhat.com/security/cve/CVE-2021-3573
  https://access.redhat.com/security/cve/CVE-2021-3580
  https://access.redhat.com/security/cve/CVE-2021-3712
  https://access.redhat.com/security/cve/CVE-2021-3752
  https://access.redhat.com/security/cve/CVE-2021-3800
  https://access.redhat.com/security/cve/CVE-2021-3872
  https://access.redhat.com/security/cve/CVE-2021-3984
  https://access.redhat.com/security/cve/CVE-2021-4019
  https://access.redhat.com/security/cve/CVE-2021-4122
  https://access.redhat.com/security/cve/CVE-2021-4155
  https://access.redhat.com/security/cve/CVE-2021-4192
  https://access.redhat.com/security/cve/CVE-2021-4193
  https://access.redhat.com/security/cve/CVE-2021-20231
  https://access.redhat.com/security/cve/CVE-2021-20232
  https://access.redhat.com/security/cve/CVE-2021-22876
  https://access.redhat.com/security/cve/CVE-2021-22898
  https://access.redhat.com/security/cve/CVE-2021-22925
  https://access.redhat.com/security/cve/CVE-2021-23434
  https://access.redhat.com/security/cve/CVE-2021-25214
  https://access.redhat.com/security/cve/CVE-2021-27645
  https://access.redhat.com/security/cve/CVE-2021-28153
  https://access.redhat.com/security/cve/CVE-2021-33560
  https://access.redhat.com/security/cve/CVE-2021-33574
  https://access.redhat.com/security/cve/CVE-2021-35942
  https://access.redhat.com/security/cve/CVE-2021-36084
  https://access.redhat.com/security/cve/CVE-2021-36085
  https://access.redhat.com/security/cve/CVE-2021-36086
  https://access.redhat.com/security/cve/CVE-2021-36087
  https://access.redhat.com/security/cve/CVE-2021-39241
  https://access.redhat.com/security/cve/CVE-2021-40346
  https://access.redhat.com/security/cve/CVE-2021-42574
  https://access.redhat.com/security/cve/CVE-2022-0155
  https://access.redhat.com/security/cve/CVE-2022-0185
  https://access.redhat.com/security/cve/CVE-2022-0330
  https://access.redhat.com/security/cve/CVE-2022-22942
  https://access.redhat.com/security/cve/CVE-2022-24407
  https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.