{"id":21235,"date":"2022-03-04T19:28:08","date_gmt":"2022-03-04T16:28:08","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/166204\/RHSA-2022-0595-02.txt"},"modified":"2022-03-06T11:40:39","modified_gmt":"2022-03-06T08:10:39","slug":"red-hat-security-advisory-2022-0595-02","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/red-hat-security-advisory-2022-0595-02\/","title":{"rendered":"Red Hat Security Advisory 2022-0595-02"},"content":{"rendered":"

—–BEGIN PGP SIGNED MESSAGE—–
\nHash: SHA256<\/p>\n

=====================================================================
\nRed Hat Security Advisory<\/p>\n

Synopsis: Important: Red Hat Advanced Cluster Management 2.3.6 security updates and bug fixes
\nAdvisory ID: RHSA-2022:0595-02
\nProduct: Red Hat ACM
\nAdvisory URL: https:\/\/access.redhat.com\/errata\/RHSA-2022:0595
\nIssue date: 2022-02-22
\nUpdated on: 2022-03-04
\nCVE Names: CVE-2020-25704 CVE-2020-36322 CVE-2021-3521
\nCVE-2021-3712 CVE-2021-3872 CVE-2021-3918
\nCVE-2021-3984 CVE-2021-4019 CVE-2021-4034
\nCVE-2021-4122 CVE-2021-4155 CVE-2021-4192
\nCVE-2021-4193 CVE-2021-20321 CVE-2021-23566
\nCVE-2021-42574 CVE-2021-42739 CVE-2021-43565
\nCVE-2022-0155 CVE-2022-0185 CVE-2022-20612
\nCVE-2022-20617
\n=====================================================================<\/p>\n

1. Summary:<\/p>\n

Red Hat Advanced Cluster Management for Kubernetes 2.3.6 General
\nAvailability
\nrelease images, which provide security updates and bug fixes.<\/p>\n

Red Hat Product Security has rated this update as having a security impact
\nof
\nModerate. A Common Vulnerability Scoring System (CVSS) base score, which
\ngives
\na detailed severity rating, is available for each vulnerability from the
\nCVE
\nlink(s) in the References section.<\/p>\n

2. Description:<\/p>\n

Red Hat Advanced Cluster Management for Kubernetes 2.3.6 images<\/p>\n

Red Hat Advanced Cluster Management for Kubernetes provides the
\ncapabilities to address common challenges that administrators and site
\nreliability engineers face as they work across a range of public and
\nprivate cloud environments. Clusters and applications are all visible and
\nmanaged from a single console\u2014with security policy built in.<\/p>\n

Red Hat Product Security has rated this update as having a security impact
\nof Important. A Common Vulnerability Scoring System (CVSS) base score,
\nwhich gives a detailed severity rating, is available for each vulnerability
\nfrom the CVE links in the References section.<\/p>\n

This advisory contains the container images for Red Hat Advanced Cluster
\nManagement for Kubernetes, which provide some security fixes and bug fixes.
\nSee the following Release Notes documentation, which will be updated
\nshortly for this release, for additional details about this release:<\/p>\n

https:\/\/access.redhat.com\/documentation\/en-us\/red_hat_advanced_cluster_management_for_kubernetes\/2.3\/html\/release_notes\/<\/p>\n

Security updates:<\/p>\n

* Nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918)<\/p>\n

* Nanoid: Information disclosure via valueOf() function (CVE-2021-23566)<\/p>\n

* Golang.org\/x\/crypto: empty plaintext packet causes panic (CVE-2021-43565)<\/p>\n

* Follow-redirects: Exposure of Private Personal Information to an
\nUnauthorized Actor (CVE-2022-0155)<\/p>\n

Bug fixes:<\/p>\n

* Inform ACM policy is not checking properly the node fields (BZ# 2015588)<\/p>\n

* ImagePullPolicy is “Always” for multicluster-operators-subscription-rhel8
\nimage (BZ# 2021128)<\/p>\n

* Traceback blocks reconciliation of helm repository hosted on AWS S3
\nstorage (BZ# 2021576)<\/p>\n

* RHACM 2.3.6 images (BZ# 2029507)<\/p>\n

* Console UI enabled SNO UI Options not displayed during cluster creating
\n(BZ# 2030002)<\/p>\n

* Grc pod restarts for each new GET request to the Governance Policy Page
\n(BZ# 2037351)<\/p>\n

* Clustersets do not appear in UI (BZ# 2049810)<\/p>\n

3. Solution:<\/p>\n

Before applying this update, make sure all previously released errata
\nrelevant to your system have been applied.<\/p>\n

For details on how to apply this update, refer to:<\/p>\n

https:\/\/access.redhat.com\/documentation\/en-us\/red_hat_advanced_cluster_management_for_kubernetes\/2.3\/html-single\/install\/index#installing<\/p>\n

4. Bugs fixed (https:\/\/bugzilla.redhat.com\/):<\/p>\n

2015588 – Inform ACM policy is not checking properly the node fields
\n2021128 – imagePullPolicy is “Always” for multicluster-operators-subscription-rhel8 image
\n2021576 – traceback blocks reconciliation of helm repository hosted on AWS S3 storage
\n2024702 – CVE-2021-3918 nodejs-json-schema: Prototype pollution vulnerability
\n2029507 – RHACM 2.3.6 images
\n2030002 – Console UI enabled SNO UI Options not displayed during cluster creating
\n2030787 – CVE-2021-43565 golang.org\/x\/crypto: empty plaintext packet causes panic
\n2037351 – grc pod restarts for each new GET request to the Governance Policy Page
\n2044556 – CVE-2022-0155 follow-redirects: Exposure of Private Personal Information to an Unauthorized Actor
\n2049810 – Clustersets do not appear in UI
\n2050853 – CVE-2021-23566 nanoid: Information disclosure via valueOf() function<\/p>\n

5. References:<\/p>\n

https:\/\/access.redhat.com\/security\/cve\/CVE-2020-25704
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2020-36322
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2021-3521
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2021-3712
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2021-3872
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2021-3918
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2021-3984
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2021-4019
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2021-4034
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2021-4122
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2021-4155
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2021-4192
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2021-4193
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2021-20321
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2021-23566
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2021-42574
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2021-42739
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2021-43565
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-0155
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-0185
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-20612
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-20617
\nhttps:\/\/access.redhat.com\/security\/updates\/classification\/#important<\/p>\n

6. Contact:<\/p>\n

The Red Hat security contact is <secalert@redhat.com>. More contact
\ndetails at https:\/\/access.redhat.com\/security\/team\/contact\/<\/p>\n

Copyright 2022 Red Hat, Inc.
\n—–BEGIN PGP SIGNATURE—–
\nVersion: GnuPG v1<\/p>\n

iQIVAwUBYiGSAdzjgjWX9erEAQhcyg\/+JWkTD4CzyVTHwvwK5RW\/tiWQKmgEuQEK
\n3HRKdXDnhn428EkQLd\/pRfAvs1h\/7b7OxYxbcCYfijImM+mCcIFRxaFx7fc1TCac
\nc+0PetTXspkKbz7k+YqfNFXn3SFIG194thQreJE\/FDTwFr9YO+H915MsdUxAqxIT
\nU6sb4NrgeMBHysUsk9FcmTMETXYs2MximcfsZc8UNHXy1wNNpH8d+dPYKfY3Ew4I
\nlutUmP\/L1Zqz4cTpGeAAkwOR9doNVQTTNjRq3AT\/anrYWfSDlAYWKVQwajhG13Tu
\nzyTN+X2wbWEQ\/vlLKRgPpEQrlgSkmq5tP61jPGWcUkBRClUFmgJA6hDhOLhAhtqn
\nplupv0ajajWRwhFDFdpmVh4UzO2Wxmsf5B1Kuw36D+szPmbldm7IdE1UB1SWA1UG
\nWDc0Yz6Vxwk2E5PtIBFCpVdYU8\/wvOWSLM9E\/hH5JJ0LyPEmLGu2Bo2GoftDXdeK
\nZYf8XYYuINDOrTz3o3DQHHRUAKkZQE\/U+tTlK8CfqlXN3gCc+HpWhvUt3MH9EZX8
\nVVSru79\/CXUQcEk3IH3\/NgJmKXzK1WgR6cY3dLRgzbvKb22sTdygBftUmgkEKMx9
\nZJZl9D9\/tMnWqAUEm5iLu\/FXK8C42YtlTZFISb772hpAM3bZCQngvhewdp3pYjbV
\nqVz34lGi9mo=
\n=ODwI
\n—–END PGP SIGNATURE—–<\/p>\n


\nRHSA-announce mailing list
\nRHSA-announce@redhat.com
\nhttps:\/\/listman.redhat.com\/mailman\/listinfo\/rhsa-announce<\/p>\n","protected":false},"excerpt":{"rendered":"

—–BEGIN PGP SIGNED MESSAGE—– Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat Advanced Cluster Management 2.3.6 security updates and bug fixes Advisory ID: RHSA-2022:0595-02 Product: Red Hat ACM Advisory URL: https:\/\/access.redhat.com\/errata\/RHSA-2022:0595 Issue date: 2022-02-22 Updated on: 2022-03-04 CVE Names: CVE-2020-25704 CVE-2020-36322 CVE-2021-3521 CVE-2021-3712 CVE-2021-3872 CVE-2021-3918 CVE-2021-3984 CVE-2021-4019 CVE-2021-4034 CVE-2021-4122 CVE-2021-4155 CVE-2021-4192 CVE-2021-4193 …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-21235","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21235","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=21235"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21235\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=21235"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=21235"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=21235"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}