Red Hat 9062 Published by

A Red Hat Advanced Cluster Management 2.6.3 security update has been released.



RHSA-2022:9040-01: Important: Red Hat Advanced Cluster Management 2.6.3 security update



=====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat Advanced Cluster Management 2.6.3 security update
Advisory ID: RHSA-2022:9040-01
Product: Red Hat ACM
Advisory URL:   https://access.redhat.com/errata/RHSA-2022:9040
Issue date: 2022-12-14
CVE Names: CVE-2016-3709 CVE-2020-36516 CVE-2020-36558
CVE-2021-3640 CVE-2021-30002 CVE-2022-0168
CVE-2022-0561 CVE-2022-0562 CVE-2022-0617
CVE-2022-0854 CVE-2022-0865 CVE-2022-0891
CVE-2022-0908 CVE-2022-0909 CVE-2022-0924
CVE-2022-1016 CVE-2022-1048 CVE-2022-1055
CVE-2022-1184 CVE-2022-1304 CVE-2022-1355
CVE-2022-1852 CVE-2022-2078 CVE-2022-2586
CVE-2022-2639 CVE-2022-2938 CVE-2022-3517
CVE-2022-20368 CVE-2022-21499 CVE-2022-22624
CVE-2022-22628 CVE-2022-22629 CVE-2022-22662
CVE-2022-22844 CVE-2022-23960 CVE-2022-24448
CVE-2022-25255 CVE-2022-26373 CVE-2022-26700
CVE-2022-26709 CVE-2022-26710 CVE-2022-26716
CVE-2022-26717 CVE-2022-26719 CVE-2022-27404
CVE-2022-27405 CVE-2022-27406 CVE-2022-27950
CVE-2022-28390 CVE-2022-28893 CVE-2022-29581
CVE-2022-30293 CVE-2022-36946 CVE-2022-37434
CVE-2022-41912 CVE-2022-42898
=====================================================================

1. Summary:

Red Hat Advanced Cluster Management for Kubernetes 2.6.3 General
Availability release images, which provide security updates, fix bugs, and
update container images.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat Advanced Cluster Management for Kubernetes 2.6.3 images

Red Hat Advanced Cluster Management for Kubernetes provides the
capabilities to address common challenges that administrators and site
reliability engineers face as they work across a range of public and
private cloud environments. Clusters and applications are all visible and
managed from a single console—with security policy built in.

This advisory contains the container images for Red Hat Advanced Cluster
Management for Kubernetes, which fix several bugs. See the following
Release Notes documentation, which will be updated shortly for this
release, for additional details about this release:

  https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.6/html/release_notes/

Bugs addressed:

* clusters belong to global clusterset is not selected by placement when
rescheduling (BZ# 2129679)

* RHACM 2.6.3 images (BZ# 2139085)

Security fixes:

* CVE-2022-3517 nodejs-minimatch: ReDoS via the braceExpand function
Security

* CVE-2022-41912 crewjam/saml: Authentication bypass when processing SAML
responses containing multiple Assertion elements

3. Solution:

For Red Hat Advanced Cluster Management for Kubernetes, see the following
documentation, which will be updated shortly for this release, for
important
instructions on installing this release:

  https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.6/html-single/install/index#installing

4. Bugs fixed (  https://bugzilla.redhat.com/):

2129679 - clusters belong to global clusterset is not selected by placement when rescheduling
2134609 - CVE-2022-3517 nodejs-minimatch: ReDoS via the braceExpand function
2139085 - RHACM 2.6.3 images
2149181 - CVE-2022-41912 crewjam/saml: Authentication bypass when processing SAML responses containing multiple Assertion elements

5. References:

  https://access.redhat.com/security/cve/CVE-2016-3709
  https://access.redhat.com/security/cve/CVE-2020-36516
  https://access.redhat.com/security/cve/CVE-2020-36558
  https://access.redhat.com/security/cve/CVE-2021-3640
  https://access.redhat.com/security/cve/CVE-2021-30002
  https://access.redhat.com/security/cve/CVE-2022-0168
  https://access.redhat.com/security/cve/CVE-2022-0561
  https://access.redhat.com/security/cve/CVE-2022-0562
  https://access.redhat.com/security/cve/CVE-2022-0617
  https://access.redhat.com/security/cve/CVE-2022-0854
  https://access.redhat.com/security/cve/CVE-2022-0865
  https://access.redhat.com/security/cve/CVE-2022-0891
  https://access.redhat.com/security/cve/CVE-2022-0908
  https://access.redhat.com/security/cve/CVE-2022-0909
  https://access.redhat.com/security/cve/CVE-2022-0924
  https://access.redhat.com/security/cve/CVE-2022-1016
  https://access.redhat.com/security/cve/CVE-2022-1048
  https://access.redhat.com/security/cve/CVE-2022-1055
  https://access.redhat.com/security/cve/CVE-2022-1184
  https://access.redhat.com/security/cve/CVE-2022-1304
  https://access.redhat.com/security/cve/CVE-2022-1355
  https://access.redhat.com/security/cve/CVE-2022-1852
  https://access.redhat.com/security/cve/CVE-2022-2078
  https://access.redhat.com/security/cve/CVE-2022-2586
  https://access.redhat.com/security/cve/CVE-2022-2639
  https://access.redhat.com/security/cve/CVE-2022-2938
  https://access.redhat.com/security/cve/CVE-2022-3517
  https://access.redhat.com/security/cve/CVE-2022-20368
  https://access.redhat.com/security/cve/CVE-2022-21499
  https://access.redhat.com/security/cve/CVE-2022-22624
  https://access.redhat.com/security/cve/CVE-2022-22628
  https://access.redhat.com/security/cve/CVE-2022-22629
  https://access.redhat.com/security/cve/CVE-2022-22662
  https://access.redhat.com/security/cve/CVE-2022-22844
  https://access.redhat.com/security/cve/CVE-2022-23960
  https://access.redhat.com/security/cve/CVE-2022-24448
  https://access.redhat.com/security/cve/CVE-2022-25255
  https://access.redhat.com/security/cve/CVE-2022-26373
  https://access.redhat.com/security/cve/CVE-2022-26700
  https://access.redhat.com/security/cve/CVE-2022-26709
  https://access.redhat.com/security/cve/CVE-2022-26710
  https://access.redhat.com/security/cve/CVE-2022-26716
  https://access.redhat.com/security/cve/CVE-2022-26717
  https://access.redhat.com/security/cve/CVE-2022-26719
  https://access.redhat.com/security/cve/CVE-2022-27404
  https://access.redhat.com/security/cve/CVE-2022-27405
  https://access.redhat.com/security/cve/CVE-2022-27406
  https://access.redhat.com/security/cve/CVE-2022-27950
  https://access.redhat.com/security/cve/CVE-2022-28390
  https://access.redhat.com/security/cve/CVE-2022-28893
  https://access.redhat.com/security/cve/CVE-2022-29581
  https://access.redhat.com/security/cve/CVE-2022-30293
  https://access.redhat.com/security/cve/CVE-2022-36946
  https://access.redhat.com/security/cve/CVE-2022-37434
  https://access.redhat.com/security/cve/CVE-2022-41912
  https://access.redhat.com/security/cve/CVE-2022-42898
  https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.