Gatekeeper Operator v0.2 security updates and bug fixes have been released.

RHSA-2022:1081-01: Moderate: Gatekeeper Operator v0.2 security updates and bug fixes

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Gatekeeper Operator v0.2 security updates and bug fixes
Advisory ID: RHSA-2022:1081-01
Product: Red Hat ACM
Advisory URL:   https://access.redhat.com/errata/RHSA-2022:1081
Issue date: 2022-03-28
CVE Names: CVE-2019-5827 CVE-2019-13750 CVE-2019-13751
CVE-2019-17594 CVE-2019-17595 CVE-2019-18218
CVE-2019-19603 CVE-2019-20838 CVE-2020-12762
CVE-2020-13435 CVE-2020-14155 CVE-2020-16135
CVE-2020-24370 CVE-2021-3200 CVE-2021-3445
CVE-2021-3521 CVE-2021-3580 CVE-2021-3712
CVE-2021-3800 CVE-2021-3999 CVE-2021-20231
CVE-2021-20232 CVE-2021-22876 CVE-2021-22898
CVE-2021-22925 CVE-2021-23177 CVE-2021-28153
CVE-2021-31566 CVE-2021-33560 CVE-2021-36084
CVE-2021-36085 CVE-2021-36086 CVE-2021-36087
CVE-2021-42574 CVE-2021-43565 CVE-2022-23218
CVE-2022-23219 CVE-2022-23308 CVE-2022-23806
CVE-2022-24407
=====================================================================

1. Summary:

Gatekeeper Operator v0.2

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Gatekeeper Operator v0.2

Gatekeeper is an open source project that applies the OPA Constraint
Framework to enforce policies on your Kubernetes clusters.

This advisory contains the container images for Gatekeeper that include
security updates, and container upgrades.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

Note: Gatekeeper support from the Red Hat support team is limited to cases
where it is integrated and used with Red Hat Advanced Cluster Management
for Kubernetes. For support options for any other use, see the Gatekeeper
open source project website at:
  https://open-policy-agent.github.io/gatekeeper/website/docs/howto/.

Security updates:

* golang.org/x/crypto: empty plaintext packet causes panic (CVE-2021-43565)

* golang: crypto/elliptic IsOnCurve returns true for invalid field elements
(CVE-2022-23806)
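The second item is easy to misread as an exotic curve bug; in practice it matters to any code that parses attacker-controlled coordinates and trusts `IsOnCurve` alone. As an added illustration that is not part of this advisory and not the Go project's own fix, the Go function below (hypothetical names `ValidatePoint` and `ShiftedByP`) shows the defensive check a caller of the low-level `crypto/elliptic` API can apply regardless of Go version: reject any coordinate that is not a canonical field element (outside `[0, p-1]`) before asking the curve whether the point is on it. A value such as `x + p` is congruent to a valid coordinate but is not a field element, and that is exactly the class of input the CVE concerns.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"fmt"
	"math/big"
)

// ValidatePoint (hypothetical helper) is a strict affine point check: it rejects
// coordinates that are not canonical field elements before consulting IsOnCurve.
// Affected Go versions could answer "on curve" for out-of-range values
// (CVE-2022-23806); code that unmarshals untrusted coordinates through the
// low-level elliptic API should perform this range check itself.
func ValidatePoint(curve elliptic.Curve, x, y *big.Int) bool {
	if x == nil || y == nil {
		return false
	}
	p := curve.Params().P
	// Negative values and values >= p are not field elements, even though
	// reducing them mod p might land on the curve.
	if x.Sign() < 0 || y.Sign() < 0 || x.Cmp(p) >= 0 || y.Cmp(p) >= 0 {
		return false
	}
	return curve.IsOnCurve(x, y)
}

// ShiftedByP (hypothetical helper) returns v + p: a value congruent to v mod p
// that is nevertheless not a canonical field element. Used here only to build
// a test input for the check above.
func ShiftedByP(curve elliptic.Curve, v *big.Int) *big.Int {
	return new(big.Int).Add(v, curve.Params().P)
}

func main() {
	curve := elliptic.P256()
	key, err := ecdsa.GenerateKey(curve, rand.Reader)
	if err != nil {
		panic(err)
	}
	x, y := key.PublicKey.X, key.PublicKey.Y
	fmt.Println("canonical public key accepted:", ValidatePoint(curve, x, y))
	fmt.Println("x+p accepted by strict check:  ", ValidatePoint(curve, ShiftedByP(curve, x), y))
	// On a patched Go this prints false; the strict check does not depend on it.
	fmt.Println("x+p accepted by IsOnCurve alone:", curve.IsOnCurve(ShiftedByP(curve, x), y))
}
```

The check is cheap (two comparisons per coordinate) and is the same rule the patched standard library applies internally; keeping it in your own parsing path means a regression in a dependency, or a build against an older toolchain, does not silently reopen the issue.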

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

The requirements to apply the upgraded images differ depending on whether or
not you used the operator. Complete the following steps, depending on your
installation:

- Upgrade gatekeeper operator:
The gatekeeper operator that is installed by the gatekeeper operator policy
has `installPlanApproval` set to `Automatic`. This setting means the operator
will be upgraded automatically when there is a new version of the operator. No
further action is required for upgrade. If you changed the setting for
`installPlanApproval` to `manual`, then you must view each cluster to manually
approve the upgrade to the operator.

- Upgrade gatekeeper without the operator:
The gatekeeper version is specified as part of the Gatekeeper CR in the
gatekeeper operator policy. To upgrade the gatekeeper version:
a) Determine the latest version of gatekeeper by visiting:
  https://catalog.redhat.com/software/containers/rhacm2/gatekeeper-rhel8/5fadb4a18d9a79d2f438a5d9.
b) Click the tag dropdown, and find the latest static tag. An example tag is
'v3.3.0-1'.
c) Edit the gatekeeper operator policy and update the image tag to use the
latest static tag. For example, you might change this line to image:
'registry.redhat.io/rhacm2/gatekeeper-rhel8:v3.3.0-1'.

Refer to https://open-policy-agent.github.io/gatekeeper/website/docs/howto/
for additional information.

4. Bugs fixed (https://bugzilla.redhat.com/):

2030787 - CVE-2021-43565 golang.org/x/crypto: empty plaintext packet causes panic
2053429 - CVE-2022-23806 golang: crypto/elliptic IsOnCurve returns true for invalid field elements

5. References:

  https://access.redhat.com/security/cve/CVE-2019-5827
  https://access.redhat.com/security/cve/CVE-2019-13750
  https://access.redhat.com/security/cve/CVE-2019-13751
  https://access.redhat.com/security/cve/CVE-2019-17594
  https://access.redhat.com/security/cve/CVE-2019-17595
  https://access.redhat.com/security/cve/CVE-2019-18218
  https://access.redhat.com/security/cve/CVE-2019-19603
  https://access.redhat.com/security/cve/CVE-2019-20838
  https://access.redhat.com/security/cve/CVE-2020-12762
  https://access.redhat.com/security/cve/CVE-2020-13435
  https://access.redhat.com/security/cve/CVE-2020-14155
  https://access.redhat.com/security/cve/CVE-2020-16135
  https://access.redhat.com/security/cve/CVE-2020-24370
  https://access.redhat.com/security/cve/CVE-2021-3200
  https://access.redhat.com/security/cve/CVE-2021-3445
  https://access.redhat.com/security/cve/CVE-2021-3521
  https://access.redhat.com/security/cve/CVE-2021-3580
  https://access.redhat.com/security/cve/CVE-2021-3712
  https://access.redhat.com/security/cve/CVE-2021-3800
  https://access.redhat.com/security/cve/CVE-2021-3999
  https://access.redhat.com/security/cve/CVE-2021-20231
  https://access.redhat.com/security/cve/CVE-2021-20232
  https://access.redhat.com/security/cve/CVE-2021-22876
  https://access.redhat.com/security/cve/CVE-2021-22898
  https://access.redhat.com/security/cve/CVE-2021-22925
  https://access.redhat.com/security/cve/CVE-2021-23177
  https://access.redhat.com/security/cve/CVE-2021-28153
  https://access.redhat.com/security/cve/CVE-2021-31566
  https://access.redhat.com/security/cve/CVE-2021-33560
  https://access.redhat.com/security/cve/CVE-2021-36084
  https://access.redhat.com/security/cve/CVE-2021-36085
  https://access.redhat.com/security/cve/CVE-2021-36086
  https://access.redhat.com/security/cve/CVE-2021-36087
  https://access.redhat.com/security/cve/CVE-2021-42574
  https://access.redhat.com/security/cve/CVE-2021-43565
  https://access.redhat.com/security/cve/CVE-2022-23218
  https://access.redhat.com/security/cve/CVE-2022-23219
  https://access.redhat.com/security/cve/CVE-2022-23308
  https://access.redhat.com/security/cve/CVE-2022-23806
  https://access.redhat.com/security/cve/CVE-2022-24407
  https://access.redhat.com/security/updates/classification/#moderate
  https://open-policy-agent.github.io/gatekeeper/website/docs/howto/

6. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.