A Submariner 0.14 bug fix and security update has been released.

RHSA-2023:0631-01: Moderate: RHSA: Submariner 0.14 - bug fix and security updates

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: RHSA: Submariner 0.14 - bug fix and security updates
Advisory ID: RHSA-2023:0631-01
Product: Red Hat ACM
Advisory URL: https://access.redhat.com/errata/RHSA-2023:0631
Issue date: 2023-02-07
CVE Names: CVE-2016-3709 CVE-2020-35525 CVE-2020-35527
CVE-2021-46848 CVE-2022-1304 CVE-2022-2509
CVE-2022-2601 CVE-2022-2880 CVE-2022-3515
CVE-2022-3775 CVE-2022-3787 CVE-2022-3821
CVE-2022-22624 CVE-2022-22628 CVE-2022-22629
CVE-2022-22662 CVE-2022-26700 CVE-2022-26709
CVE-2022-26710 CVE-2022-26716 CVE-2022-26717
CVE-2022-26719 CVE-2022-27664 CVE-2022-30293
CVE-2022-30698 CVE-2022-30699 CVE-2022-35737
CVE-2022-37434 CVE-2022-40303 CVE-2022-40304
CVE-2022-40674 CVE-2022-41715 CVE-2022-41717
CVE-2022-41974 CVE-2022-42010 CVE-2022-42011
CVE-2022-42012 CVE-2022-42898 CVE-2022-43680
=====================================================================

1. Summary:

Submariner 0.14 packages that fix various bugs and add various enhancements
are now available for Red Hat Advanced Cluster Management for Kubernetes
version 2.7.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE links in the References section.

2. Description:

Submariner enables direct networking between pods and services on different
Kubernetes clusters that are either on-premises or in the cloud.

For more information about Submariner, see the Submariner open source
community website at: https://submariner.io/.

This advisory contains bug fixes and enhancements to the Submariner
container images.

Security fixes:

* CVE-2022-27664 golang: net/http: handle server errors after sending
GOAWAY
* CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward
unparseable query parameters
* CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing
regexps
* CVE-2022-41717 golang: net/http: An attacker can cause excessive memory
growth in a Go server accepting HTTP/2 requests

Bugs addressed:

* subctl diagnose firewall metrics does not work on merged kubeconfig (BZ#
2013711)
* [Submariner] - Fails to increase gateway amount after deployment (BZ#
2097381)
* Submariner gateway node does not get deleted with subctl cloud cleanup
command (BZ# 2108634)
* submariner GW pods are unable to resolve the DNS of the Broker K8s API
URL (BZ# 2119362)
* Submariner gateway node does not get deployed after applying
ManagedClusterAddOn on Openstack (BZ# 2124219)
* unable to run subctl benchmark latency, pods fail with ImagePullBackOff
(BZ# 2130326)
* [IBM Z] - Submariner addon uninstallation doesn't work from ACM console
(BZ# 2136442)
* Tags on AWS security group for gateway node break cloud-controller
LoadBalancer (BZ# 2139477)
* RHACM - Submariner: UI support for OpenStack #19297 (ACM-1242)
* Submariner OVN support (ACM-1358)
* Submariner Azure Console support (ACM-1388)
* ManagedClusterSet consumers migrate to v1beta2 (ACM-1614)
* Submariner on disconnected ACM #22000 (ACM-1678)
* Submariner gateway: Error creating AWS security group if already exists
(ACM-2055)
* Submariner gateway security group in AWS not deleted when uninstalling
submariner (ACM-2057)
* The submariner-metrics-proxy pod pulls an image with wrong naming
convention (ACM-2058)
* The submariner-metrics-proxy pod is not part of the Agent readiness check
(ACM-2067)
* Subctl 0.14.0 prints version "vsubctl" (ACM-2132)
* managedclusters "local-cluster" not found and missing Submariner Broker
CRD (ACM-2145)
* Add support of ARO to Submariner deployment (ACM-2150)
* The e2e tests execution fails for "Basic TCP connectivity" tests
(ACM-2204)
* Gateway error shown "diagnose all" tests (ACM-2206)
* Submariner does not support cluster "kube-proxy ipvs mode" (ACM-2211)
* Vsphere cluster shows Pod Security admission controller warnings
(ACM-2256)
* Cannot use submariner with OSP and self signed certs (ACM-2274)
* Subctl diagnose tests spawn nettest image with wrong tag naming
convention (ACM-2387)
* Subctl 0.14.1 prints version "devel" (ACM-2482)

3. Solution:

For details on how to install Submariner, refer to:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.7/html/add-ons/submariner#deploying-submariner-console

and

https://submariner.io/getting-started/

4. Bugs fixed (https://bugzilla.redhat.com/):

2013711 - subctl diagnose firewall metrics does not work on merged kubeconfig
2097381 - [Submariner] - Fails to increase gateway amount after deployment
2108634 - Submariner gateway node does not get deleted with subctl cloud cleanup command
2119362 - submariner GW pods are unable to resolve the DNS of the Broker K8s API URL
2124219 - Submariner gateway node does not get deployed after applying ManagedClusterAddOn on Openstack
2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY
2130326 - unable to run subctl benchmark latency, pods fail with ImagePullBackOff
2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps
2136442 - [IBM Z] - Submariner addon uninstallation doesn't work from ACM console
2139477 - Tags on AWS security group for gateway node break cloud-controller LoadBalancer
2161274 - CVE-2022-41717 golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests

5. JIRA issues fixed (https://issues.jboss.org/):

ACM-1614 - ManagedClusterSet consumers migrate to v1beta2 (Submariner)
ACM-2055 - Submariner gateway: Error creating AWS security group if already exists
ACM-2057 - [Submariner] - submariner gateway security group in aws not deleted when uninstalling submariner
ACM-2058 - [Submariner] - The submariner-metrics-proxy pod pulls an image with wrong naming convention
ACM-2067 - [Submariner] - The submariner-metrics-proxy pod is not part of the Agent readiness check
ACM-2132 - Subctl 0.14.0 prints version "vsubctl"
ACM-2145 - managedclusters "local-cluster" not found and missing Submariner Broker CRD
ACM-2150 - Add support of ARO to Submariner deployment
ACM-2204 - [Submariner] - e2e tests execution fails for "Basic TCP connectivity" tests
ACM-2206 - [Submariner] - Gateway error shown "diagnose all" tests
ACM-2211 - [Submariner] - Submariner does not support cluster "kube-proxy ipvs mode"
ACM-2256 - [Submariner] - Vsphere cluster shows Pod Security admission controller warnings
ACM-2274 - Cannot use submariner with OSP and self signed certs
ACM-2387 - [Submariner] - subctl diagnose tests spawn nettest image with wrong tag naming convention
ACM-2482 - Subctl 0.14.1 prints version "devel"

6. References:

https://access.redhat.com/security/cve/CVE-2016-3709
https://access.redhat.com/security/cve/CVE-2020-35525
https://access.redhat.com/security/cve/CVE-2020-35527
https://access.redhat.com/security/cve/CVE-2021-46848
https://access.redhat.com/security/cve/CVE-2022-1304
https://access.redhat.com/security/cve/CVE-2022-2509
https://access.redhat.com/security/cve/CVE-2022-2601
https://access.redhat.com/security/cve/CVE-2022-2880
https://access.redhat.com/security/cve/CVE-2022-3515
https://access.redhat.com/security/cve/CVE-2022-3775
https://access.redhat.com/security/cve/CVE-2022-3787
https://access.redhat.com/security/cve/CVE-2022-3821
https://access.redhat.com/security/cve/CVE-2022-22624
https://access.redhat.com/security/cve/CVE-2022-22628
https://access.redhat.com/security/cve/CVE-2022-22629
https://access.redhat.com/security/cve/CVE-2022-22662
https://access.redhat.com/security/cve/CVE-2022-26700
https://access.redhat.com/security/cve/CVE-2022-26709
https://access.redhat.com/security/cve/CVE-2022-26710
https://access.redhat.com/security/cve/CVE-2022-26716
https://access.redhat.com/security/cve/CVE-2022-26717
https://access.redhat.com/security/cve/CVE-2022-26719
https://access.redhat.com/security/cve/CVE-2022-27664
https://access.redhat.com/security/cve/CVE-2022-30293
https://access.redhat.com/security/cve/CVE-2022-30698
https://access.redhat.com/security/cve/CVE-2022-30699
https://access.redhat.com/security/cve/CVE-2022-35737
https://access.redhat.com/security/cve/CVE-2022-37434
https://access.redhat.com/security/cve/CVE-2022-40303
https://access.redhat.com/security/cve/CVE-2022-40304
https://access.redhat.com/security/cve/CVE-2022-40674
https://access.redhat.com/security/cve/CVE-2022-41715
https://access.redhat.com/security/cve/CVE-2022-41717
https://access.redhat.com/security/cve/CVE-2022-41974
https://access.redhat.com/security/cve/CVE-2022-42010
https://access.redhat.com/security/cve/CVE-2022-42011
https://access.redhat.com/security/cve/CVE-2022-42012
https://access.redhat.com/security/cve/CVE-2022-42898
https://access.redhat.com/security/cve/CVE-2022-43680
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.