Red Hat 9038 Published by

A Submariner 0.13 - security and enhancement update has been released.



RHSA-2022:6346-01: Moderate: RHSA: Submariner 0.13 - security and enhancement update



=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: RHSA: Submariner 0.13 - security and enhancement update
Advisory ID: RHSA-2022:6346-01
Product: Red Hat ACM
Advisory URL:   https://access.redhat.com/errata/RHSA-2022:6346
Issue date: 2022-09-06
CVE Names: CVE-2021-38561 CVE-2021-40528 CVE-2022-1292
CVE-2022-1586 CVE-2022-1705 CVE-2022-1962
CVE-2022-2068 CVE-2022-2097 CVE-2022-2526
CVE-2022-25313 CVE-2022-25314 CVE-2022-28131
CVE-2022-29824 CVE-2022-30629 CVE-2022-30630
CVE-2022-30631 CVE-2022-30632 CVE-2022-30633
CVE-2022-30635 CVE-2022-32148 CVE-2022-32206
CVE-2022-32208
=====================================================================

1. Summary:

Submariner 0.13 packages that fix security issues and bugs, as well as adds
various enhancements that are now available for Red Hat Advanced Cluster
Management for Kubernetes version 2.6.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Submariner enables direct networking between pods and services on different
Kubernetes clusters that are either on-premises or in the cloud.

For more information about Submariner, see the Submariner open source
community website at:   https://submariner.io/.

This advisory contains bug fixes and enhancements to the Submariner
container images.

Security fixes:

* CVE-2021-38561: golang: out-of-bounds read in golang.org/x/text/language
leads to DoS

* CVE-2022-1705 golang: net/http: improper sanitization of
Transfer-Encoding header

* CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions

* CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip

* CVE-2022-30630 golang: io/fs: stack exhaustion in Glob

* CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read

* CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob

* CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal

* CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode

* CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy -
omit X-Forwarded-For not working

* CVE-2022-30629 golang: crypto/tls: session tickets lack random
ticket_age_add

3. Solution:

For details on how to install Submariner, refer to:

  https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.6/html/add-ons/submariner#submariner-deploy-console

and

  https://submariner.io/getting-started/

4. Bugs fixed (  https://bugzilla.redhat.com/):

2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add
2100495 - CVE-2021-38561 golang: out-of-bounds read in golang.org/x/text/language leads to DoS
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read
2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob
2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header
2107376 - CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions
2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob
2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode
2107390 - CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip
2107392 - CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal

5. References:

  https://access.redhat.com/security/cve/CVE-2021-38561
  https://access.redhat.com/security/cve/CVE-2021-40528
  https://access.redhat.com/security/cve/CVE-2022-1292
  https://access.redhat.com/security/cve/CVE-2022-1586
  https://access.redhat.com/security/cve/CVE-2022-1705
  https://access.redhat.com/security/cve/CVE-2022-1962
  https://access.redhat.com/security/cve/CVE-2022-2068
  https://access.redhat.com/security/cve/CVE-2022-2097
  https://access.redhat.com/security/cve/CVE-2022-2526
  https://access.redhat.com/security/cve/CVE-2022-25313
  https://access.redhat.com/security/cve/CVE-2022-25314
  https://access.redhat.com/security/cve/CVE-2022-28131
  https://access.redhat.com/security/cve/CVE-2022-29824
  https://access.redhat.com/security/cve/CVE-2022-30629
  https://access.redhat.com/security/cve/CVE-2022-30630
  https://access.redhat.com/security/cve/CVE-2022-30631
  https://access.redhat.com/security/cve/CVE-2022-30632
  https://access.redhat.com/security/cve/CVE-2022-30633
  https://access.redhat.com/security/cve/CVE-2022-30635
  https://access.redhat.com/security/cve/CVE-2022-32148
  https://access.redhat.com/security/cve/CVE-2022-32206
  https://access.redhat.com/security/cve/CVE-2022-32208
  https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.