Red Hat 9037 Published by

Red Hat Advanced Cluster Management 2.4.3 security updates and bug fixes are available.



RHSA-2022:1476-01: Moderate: Red Hat Advanced Cluster Management 2.4.3 security updates and bug fixes



=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat Advanced Cluster Management 2.4.3 security updates and bug fixes
Advisory ID: RHSA-2022:1476-01
Product: Red Hat ACM
Advisory URL:   https://access.redhat.com/errata/RHSA-2022:1476
Issue date: 2022-04-20
CVE Names: CVE-2021-0920 CVE-2021-3999 CVE-2021-4154
CVE-2021-23177 CVE-2021-23566 CVE-2021-31566
CVE-2021-41190 CVE-2021-43565 CVE-2021-45960
CVE-2021-46143 CVE-2022-0144 CVE-2022-0155
CVE-2022-0235 CVE-2022-0261 CVE-2022-0318
CVE-2022-0330 CVE-2022-0359 CVE-2022-0361
CVE-2022-0392 CVE-2022-0413 CVE-2022-0435
CVE-2022-0492 CVE-2022-0516 CVE-2022-0536
CVE-2022-0778 CVE-2022-0811 CVE-2022-0847
CVE-2022-22822 CVE-2022-22823 CVE-2022-22824
CVE-2022-22825 CVE-2022-22826 CVE-2022-22827
CVE-2022-22942 CVE-2022-23218 CVE-2022-23219
CVE-2022-23308 CVE-2022-23852 CVE-2022-24450
CVE-2022-24778 CVE-2022-25235 CVE-2022-25236
CVE-2022-25315 CVE-2022-27191
=====================================================================

1. Summary:

Red Hat Advanced Cluster Management for Kubernetes 2.4.3 General
Availability release images. This update provides security fixes, bug
fixes, and updates the container images.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE links in the References section.

2. Description:

Red Hat Advanced Cluster Management for Kubernetes 2.4.3 images

Red Hat Advanced Cluster Management for Kubernetes provides the
capabilities to address common challenges that administrators and site
reliability engineers face as they work across a range of public and
private cloud environments. Clusters and applications are all visible and
managed from a single console—with security policy built in.

This advisory contains the container images for Red Hat Advanced Cluster
Management for Kubernetes, which provide some security fixes and bug fixes.
See the following Release Notes documentation, which will be updated
shortly for this release, for additional details about this release:

  https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html/release_notes/

Security updates:

* golang.org/x/crypto: empty plaintext packet causes panic (CVE-2021-43565)

* nats-server: misusing the "dynamically provisioned sandbox accounts"
feature authenticated user can obtain the privileges of the System account
(CVE-2022-24450)

* nanoid: Information disclosure via valueOf() function (CVE-2021-23566)

* nodejs-shelljs: improper privilege management (CVE-2022-0144)

* search-ui-container: follow-redirects: Exposure of Private Personal
Information to an Unauthorized Actor (CVE-2022-0155)

* node-fetch: exposure of sensitive information to an unauthorized actor
(CVE-2022-0235)

* follow-redirects: Exposure of Sensitive Information via Authorization
Header leak (CVE-2022-0536)

* openssl: Infinite loop in BN_mod_sqrt() reachable when parsing
certificates (CVE-2022-0778)

* imgcrypt: Unauthorized access to encryted container image on a shared
system due to missing check in CheckAuthorization() code path
(CVE-2022-24778)

* golang: crash in a golang.org/x/crypto/ssh server (CVE-2022-27191)

* opencontainers: OCI manifest and index parsing confusion (CVE-2021-41190)

Related bugs:

* RHACM 2.4.3 image files (BZ #2057249)

* Observability - dashboard name contains `/` would cause error when
generating dashboard cm (BZ #2032128)

* ACM application placement fails after renaming the application name (BZ
#2033051)

* Disable the obs metric collect should not impact the managed cluster
upgrade (BZ #2039197)

* Observability - cluster list should only contain OCP311 cluster on OCP311
dashboard (BZ #2039820)

* The value of name label changed from clusterclaim name to cluster name
(BZ #2042223)

* VMWare Cluster creation does not accept ecdsa-sha2-nistp521 ssh keys (BZ
#2048500)

* clusterSelector matchLabels spec are cleared when changing app
name/namespace during creating an app in UI (BZ #2053211)

* Application cluster status is not updated in UI after restoring (BZ
#2053279)

* OpenStack cluster creation is using deprecated floating IP config for
4.7+ (BZ #2056610)

* The value of Vendor reported by cluster metrics was Other even if the
vendor label in managedcluster was Openshift (BZ #2059039)

* Subscriptions stop reconciling after channel secrets are recreated (BZ
#2059954)

* Placementrule is not reconciling on a new fresh environment (BZ #2074156)

* The cluster claimed from clusterpool cannot auto imported (BZ #2074543)

3. Solution:

For Red Hat Advanced Cluster Management for Kubernetes, see the following
documentation, which will be updated shortly for this release, for
important
instructions on how to upgrade your cluster and fully apply this
asynchronous
errata update:

  https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html/release_notes/index

For details on how to apply this update, refer to:

  https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html-single/install/index#installing

4. Bugs fixed (  https://bugzilla.redhat.com/):

2024938 - CVE-2021-41190 opencontainers: OCI manifest and index parsing confusion
2030787 - CVE-2021-43565 golang.org/x/crypto: empty plaintext packet causes panic
2032128 - Observability - dashboard name contains `/` would cause error when generating dashboard cm
2033051 - ACM application placement fails after renaming the application name
2039197 - disable the obs metric collect should not impact the managed cluster upgrade
2039820 - Observability - cluster list should only contain OCP311 cluster on OCP311 dashboard
2042223 - the value of name label changed from clusterclaim name to cluster name
2043535 - CVE-2022-0144 nodejs-shelljs: improper privilege management
2044556 - CVE-2022-0155 follow-redirects: Exposure of Private Personal Information to an Unauthorized Actor
2044591 - CVE-2022-0235 node-fetch: exposure of sensitive information to an unauthorized actor
2048500 - VMWare Cluster creation does not accept ecdsa-sha2-nistp521 ssh keys
2050853 - CVE-2021-23566 nanoid: Information disclosure via valueOf() function
2052573 - CVE-2022-24450 nats-server: misusing the "dynamically provisioned sandbox accounts" feature authenticated user can obtain the privileges of the System account
2053211 - clusterSelector matchLabels spec are cleared when changing app name/namespace during creating an app in UI
2053259 - CVE-2022-0536 follow-redirects: Exposure of Sensitive Information via Authorization Header leak
2053279 - Application cluster status is not updated in UI after restoring
2056610 - OpenStack cluster creation is using deprecated floating IP config for 4.7+
2057249 - RHACM 2.4.3 images
2059039 - The value of Vendor reported by cluster metrics was Other even if the vendor label in managedcluster was Openshift
2059954 - Subscriptions stop reconciling after channel secrets are recreated
2062202 - CVE-2022-0778 openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates
2064702 - CVE-2022-27191 golang: crash in a golang.org/x/crypto/ssh server
2069368 - CVE-2022-24778 imgcrypt: Unauthorized access to encryted container image on a shared system due to missing check in CheckAuthorization() code path
2074156 - Placementrule is not reconciling on a new fresh environment
2074543 - The cluster claimed from clusterpool can not auto imported

5. References:

  https://access.redhat.com/security/cve/CVE-2021-0920
  https://access.redhat.com/security/cve/CVE-2021-3999
  https://access.redhat.com/security/cve/CVE-2021-4154
  https://access.redhat.com/security/cve/CVE-2021-23177
  https://access.redhat.com/security/cve/CVE-2021-23566
  https://access.redhat.com/security/cve/CVE-2021-31566
  https://access.redhat.com/security/cve/CVE-2021-41190
  https://access.redhat.com/security/cve/CVE-2021-43565
  https://access.redhat.com/security/cve/CVE-2021-45960
  https://access.redhat.com/security/cve/CVE-2021-46143
  https://access.redhat.com/security/cve/CVE-2022-0144
  https://access.redhat.com/security/cve/CVE-2022-0155
  https://access.redhat.com/security/cve/CVE-2022-0235
  https://access.redhat.com/security/cve/CVE-2022-0261
  https://access.redhat.com/security/cve/CVE-2022-0318
  https://access.redhat.com/security/cve/CVE-2022-0330
  https://access.redhat.com/security/cve/CVE-2022-0359
  https://access.redhat.com/security/cve/CVE-2022-0361
  https://access.redhat.com/security/cve/CVE-2022-0392
  https://access.redhat.com/security/cve/CVE-2022-0413
  https://access.redhat.com/security/cve/CVE-2022-0435
  https://access.redhat.com/security/cve/CVE-2022-0492
  https://access.redhat.com/security/cve/CVE-2022-0516
  https://access.redhat.com/security/cve/CVE-2022-0536
  https://access.redhat.com/security/cve/CVE-2022-0778
  https://access.redhat.com/security/cve/CVE-2022-0811
  https://access.redhat.com/security/cve/CVE-2022-0847
  https://access.redhat.com/security/cve/CVE-2022-22822
  https://access.redhat.com/security/cve/CVE-2022-22823
  https://access.redhat.com/security/cve/CVE-2022-22824
  https://access.redhat.com/security/cve/CVE-2022-22825
  https://access.redhat.com/security/cve/CVE-2022-22826
  https://access.redhat.com/security/cve/CVE-2022-22827
  https://access.redhat.com/security/cve/CVE-2022-22942
  https://access.redhat.com/security/cve/CVE-2022-23218
  https://access.redhat.com/security/cve/CVE-2022-23219
  https://access.redhat.com/security/cve/CVE-2022-23308
  https://access.redhat.com/security/cve/CVE-2022-23852
  https://access.redhat.com/security/cve/CVE-2022-24450
  https://access.redhat.com/security/cve/CVE-2022-24778
  https://access.redhat.com/security/cve/CVE-2022-25235
  https://access.redhat.com/security/cve/CVE-2022-25236
  https://access.redhat.com/security/cve/CVE-2022-25315
  https://access.redhat.com/security/cve/CVE-2022-27191
  https://access.redhat.com/security/updates/classification/#moderate
  https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html/release_notes/index
  https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html-single/install/index#installing

6. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.