Red Hat Security Advisory 2022-6346-01

Red Hat Security Advisory 2022-6346-01: Posted Sep 7, 2022; Authored by Red Hat | Site access.redhat.com; Red Hat Security Advisory 2022-6346-01 - Submariner enables direct networking between pods and services on different Kubernetes clusters that are either on-premises or in the cloud. Issues addressed include denial of service and out of bounds read vulnerabilities.; tags | advisory, denial of service, vulnerability; systems | linux, redhat; advisories | CVE-2021-38561, CVE-2021-40528, CVE-2022-1292, CVE-2022-1586, CVE-2022-1705, CVE-2022-1962, CVE-2022-2068, CVE-2022-2097, CVE-2022-2526, CVE-2022-25313, CVE-2022-25314, CVE-2022-28131, CVE-2022-29824, CVE-2022-30629; SHA-256 | 2ba5392bcd1c1bff9cb613e8012f9b1ea5a622aad244b9476377398cc6e342c9; Download | Favorite | View

Red Hat Security Advisory 2022-6346-01

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: RHSA: Submariner 0.13 - security and enhancement update
Advisory ID:       RHSA-2022:6346-01
Product:           Red Hat ACM
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6346
Issue date:        2022-09-06
CVE Names:         CVE-2021-38561 CVE-2021-40528 CVE-2022-1292 
                   CVE-2022-1586 CVE-2022-1705 CVE-2022-1962 
                   CVE-2022-2068 CVE-2022-2097 CVE-2022-2526 
                   CVE-2022-25313 CVE-2022-25314 CVE-2022-28131 
                   CVE-2022-29824 CVE-2022-30629 CVE-2022-30630 
                   CVE-2022-30631 CVE-2022-30632 CVE-2022-30633 
                   CVE-2022-30635 CVE-2022-32148 CVE-2022-32206 
                   CVE-2022-32208 
=====================================================================

1. Summary:

Submariner 0.13 packages that fix security issues and bugs, as well as adds
various enhancements that are now available for Red Hat Advanced Cluster
Management for Kubernetes version 2.6.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Submariner enables direct networking between pods and services on different
Kubernetes clusters that are either on-premises or in the cloud.

For more information about Submariner, see the Submariner open source
community website at: https://submariner.io/.

This advisory contains bug fixes and enhancements to the Submariner
container images.

Security fixes:

* CVE-2021-38561: golang: out-of-bounds read in golang.org/x/text/language
leads to DoS

* CVE-2022-1705 golang: net/http: improper sanitization of
Transfer-Encoding header

* CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions

* CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip

* CVE-2022-30630 golang: io/fs: stack exhaustion in Glob

* CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read

* CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob

* CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal

* CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode

* CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy -
omit X-Forwarded-For not working

* CVE-2022-30629 golang: crypto/tls: session tickets lack random
ticket_age_add

3. Solution:

For details on how to install Submariner, refer to:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.6/html/add-ons/submariner#submariner-deploy-console

and

https://submariner.io/getting-started/

4. Bugs fixed (https://bugzilla.redhat.com/):

2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add
2100495 - CVE-2021-38561 golang: out-of-bounds read in golang.org/x/text/language leads to DoS
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read
2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob
2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header
2107376 - CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions
2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob
2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode
2107390 - CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip
2107392 - CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal

5. References:

https://access.redhat.com/security/cve/CVE-2021-38561
https://access.redhat.com/security/cve/CVE-2021-40528
https://access.redhat.com/security/cve/CVE-2022-1292
https://access.redhat.com/security/cve/CVE-2022-1586
https://access.redhat.com/security/cve/CVE-2022-1705
https://access.redhat.com/security/cve/CVE-2022-1962
https://access.redhat.com/security/cve/CVE-2022-2068
https://access.redhat.com/security/cve/CVE-2022-2097
https://access.redhat.com/security/cve/CVE-2022-2526
https://access.redhat.com/security/cve/CVE-2022-25313
https://access.redhat.com/security/cve/CVE-2022-25314
https://access.redhat.com/security/cve/CVE-2022-28131
https://access.redhat.com/security/cve/CVE-2022-29824
https://access.redhat.com/security/cve/CVE-2022-30629
https://access.redhat.com/security/cve/CVE-2022-30630
https://access.redhat.com/security/cve/CVE-2022-30631
https://access.redhat.com/security/cve/CVE-2022-30632
https://access.redhat.com/security/cve/CVE-2022-30633
https://access.redhat.com/security/cve/CVE-2022-30635
https://access.redhat.com/security/cve/CVE-2022-32148
https://access.redhat.com/security/cve/CVE-2022-32206
https://access.redhat.com/security/cve/CVE-2022-32208
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYxd1B9zjgjWX9erEAQjg3g//Z6F4XwGtGZPH4jDe5igGa7E/9HTHBewn
dFddZJk/RwVHfq2lKUuFIKYwOi7Bc9xSNoxgminoGK2cIw6adyCxt8QKUBhoDuht
J6xYdCNR/CtEl9IGQuEGe9Rh7YYKWNeIX0t22XCjtmoy2AIuZoeApTeRkWaizx4Y
IXIf+lwvrG8/h5CtuQem0hW40MZiPZq7O0gWBy/+NoFBhQ5xO5ZTMaRe/PGQfD+9
JrgtmY6eb3bNQRBIQfvtZWNOa4S+pzMTGNjMj9/G42IJwDzOtEUktUwcoRXxyA0S
8xUGdwADk+UMvWseMBNmAq/HPEQ3j4clg0aYQdpAVmvwdQkHjY3FeZxY60gx9QB0
u/dptUHlEr/HZhjiz5Cl0TaiK7jpuQbCUn0qMiVaj0B3w59W+DOWNnv3MiShfD8U
iQkEuupzYgLqMwmu1LqHaeaOFPvGoO8MZAGUxYtcwWWDz4fq+J2HQTpnrUXVypnT
Hvm+DK7+dceLGDvlR/GCE8A6lGY8bURzhctuEAe0L/s7t5eEsfjQtciJ3bIBFDob
RCA6SdjxgdGEGVh6JiknyACHmHPQTuPhGGcJnCRn7zG5GGXOTx9Ja0+nPGDwUcXh
IM/TcEXXmj/PfAKMlee8hS4aHhHthm0Izlk6OLPZPMvtQhfdf9cKMdNAPmQf8sj4
Ao8aXSQ99fM=
=j+9x
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Top Authors In Last 30 Days

Red Hat 179 files
Ubuntu 58 files
Debian 26 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
E1.Coders 4 files
malvuln 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

Red Hat Security Advisory 2022-6346-01

Red Hat Security Advisory 2022-6346-01

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Red Hat Security Advisory 2022-6346-01

Share This

Red Hat Security Advisory 2022-6346-01

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems