Red Hat 9041 Published by

A Red Hat Advanced Cluster Management 2.3.8 security and container updates has been released.



RHSA-2022:1083-01: Moderate: Red Hat Advanced Cluster Management 2.3.8 security and container updates



=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat Advanced Cluster Management 2.3.8 security and container updates
Advisory ID: RHSA-2022:1083-01
Product: Red Hat ACM
Advisory URL:   https://access.redhat.com/errata/RHSA-2022:1083
Issue date: 2022-03-28
CVE Names: CVE-2021-0920 CVE-2021-3999 CVE-2021-4154
CVE-2021-23177 CVE-2021-23566 CVE-2021-31566
CVE-2021-45960 CVE-2021-46143 CVE-2022-0144
CVE-2022-0155 CVE-2022-0235 CVE-2022-0261
CVE-2022-0318 CVE-2022-0330 CVE-2022-0359
CVE-2022-0361 CVE-2022-0392 CVE-2022-0413
CVE-2022-0435 CVE-2022-0492 CVE-2022-0516
CVE-2022-0536 CVE-2022-0847 CVE-2022-22822
CVE-2022-22823 CVE-2022-22824 CVE-2022-22825
CVE-2022-22826 CVE-2022-22827 CVE-2022-22942
CVE-2022-23218 CVE-2022-23219 CVE-2022-23308
CVE-2022-23852 CVE-2022-25235 CVE-2022-25236
CVE-2022-25315
=====================================================================

1. Summary:

Red Hat Advanced Cluster Management for Kubernetes 2.3.8 General
Availability release images, which provide security and container updates.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat Advanced Cluster Management for Kubernetes 2.3.8 images

Red Hat Advanced Cluster Management for Kubernetes provides the
capabilities to address common challenges that administrators and site
reliability engineers face as they work across a range of public and
private cloud environments. Clusters and applications are all visible and
managed from a single console—with security policy built in.

This advisory contains the container images for Red Hat Advanced Cluster
Management for Kubernetes, which fix several bugs. See the following
Release Notes documentation, which will be updated shortly for this
release, for additional details about this release:

  https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.3/html/release_notes/

Security updates:

* nanoid: Information disclosure via valueOf() function (CVE-2021-23566)

* nodejs-shelljs: improper privilege management (CVE-2022-0144)

* follow-redirects: Exposure of Private Personal Information to an
Unauthorized Actor (CVE-2022-0155)

* node-fetch: exposure of sensitive information to an unauthorized actor
(CVE-2022-0235)

* follow-redirects: Exposure of Sensitive Information via Authorization
Header leak (CVE-2022-0536)

Bug fix:

* RHACM 2.3.8 images (Bugzilla #2062316)

3. Solution:

For Red Hat Advanced Cluster Management for Kubernetes, see the following
documentation, which will be updated shortly for this release, for
important
instructions on how to upgrade your cluster and fully apply this
asynchronous
errata update:

  https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.3/html/release_notes/index

For details on how to apply this update, refer to:

  https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.3/html-single/install/index#installing

4. Bugs fixed (  https://bugzilla.redhat.com/):

2043535 - CVE-2022-0144 nodejs-shelljs: improper privilege management
2044556 - CVE-2022-0155 follow-redirects: Exposure of Private Personal Information to an Unauthorized Actor
2044591 - CVE-2022-0235 node-fetch: exposure of sensitive information to an unauthorized actor
2050853 - CVE-2021-23566 nanoid: Information disclosure via valueOf() function
2053259 - CVE-2022-0536 follow-redirects: Exposure of Sensitive Information via Authorization Header leak
2062316 - RHACM 2.3.8 images

5. References:

  https://access.redhat.com/security/cve/CVE-2021-0920
  https://access.redhat.com/security/cve/CVE-2021-3999
  https://access.redhat.com/security/cve/CVE-2021-4154
  https://access.redhat.com/security/cve/CVE-2021-23177
  https://access.redhat.com/security/cve/CVE-2021-23566
  https://access.redhat.com/security/cve/CVE-2021-31566
  https://access.redhat.com/security/cve/CVE-2021-45960
  https://access.redhat.com/security/cve/CVE-2021-46143
  https://access.redhat.com/security/cve/CVE-2022-0144
  https://access.redhat.com/security/cve/CVE-2022-0155
  https://access.redhat.com/security/cve/CVE-2022-0235
  https://access.redhat.com/security/cve/CVE-2022-0261
  https://access.redhat.com/security/cve/CVE-2022-0318
  https://access.redhat.com/security/cve/CVE-2022-0330
  https://access.redhat.com/security/cve/CVE-2022-0359
  https://access.redhat.com/security/cve/CVE-2022-0361
  https://access.redhat.com/security/cve/CVE-2022-0392
  https://access.redhat.com/security/cve/CVE-2022-0413
  https://access.redhat.com/security/cve/CVE-2022-0435
  https://access.redhat.com/security/cve/CVE-2022-0492
  https://access.redhat.com/security/cve/CVE-2022-0516
  https://access.redhat.com/security/cve/CVE-2022-0536
  https://access.redhat.com/security/cve/CVE-2022-0847
  https://access.redhat.com/security/cve/CVE-2022-22822
  https://access.redhat.com/security/cve/CVE-2022-22823
  https://access.redhat.com/security/cve/CVE-2022-22824
  https://access.redhat.com/security/cve/CVE-2022-22825
  https://access.redhat.com/security/cve/CVE-2022-22826
  https://access.redhat.com/security/cve/CVE-2022-22827
  https://access.redhat.com/security/cve/CVE-2022-22942
  https://access.redhat.com/security/cve/CVE-2022-23218
  https://access.redhat.com/security/cve/CVE-2022-23219
  https://access.redhat.com/security/cve/CVE-2022-23308
  https://access.redhat.com/security/cve/CVE-2022-23852
  https://access.redhat.com/security/cve/CVE-2022-25235
  https://access.redhat.com/security/cve/CVE-2022-25236
  https://access.redhat.com/security/cve/CVE-2022-25315
  https://access.redhat.com/security/updates/classification/#moderate
  https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.3/html/release_notes/index
  https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.3/html-single/install/index#installing

6. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.