-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: RHACS 3.72 enhancement and security update
Advisory ID:       RHSA-2022:6714-01
Product:           RHACS
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6714
Issue date:        2022-09-26
CVE Names:         CVE-2015-20107 CVE-2022-0391 CVE-2022-1292 
                   CVE-2022-1586 CVE-2022-1785 CVE-2022-1897 
                   CVE-2022-1927 CVE-2022-2068 CVE-2022-2097 
                   CVE-2022-24675 CVE-2022-24921 CVE-2022-28327 
                   CVE-2022-29154 CVE-2022-29526 CVE-2022-30631 
                   CVE-2022-32206 CVE-2022-32208 CVE-2022-34903 
=====================================================================

1. Summary:

Updated images are now available for Red Hat Advanced Cluster Security for
Kubernetes (RHACS). The updated image includes new features and bug fixes.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Release of RHACS 3.72 provides these changes:

New features
* Automatic removal of nonactive clusters from RHACS: RHACS provides the
ability to configure your system to automatically remove nonactive clusters
from RHACS so that you can monitor active clusters only.
* Support for unauthenticated email integration: RHACS now supports
unauthenticated SMTP for email integrations. This is insecure and not
recommended.
* Support for Quay robot accounts: RHACS now supports use of robot accounts
in quay.io integrations. You can create robot accounts in Quay that allow
you to share credentials for use in multiple repositories.
* Ability to view Dockerfile lines in images that introduced components
with Common Vulnerabilities and Exposures (CVEs): In the Images view, under
Image Findings, you can view individual lines in the Dockerfile that
introduced the components that have been identified as containing CVEs.
* Network graph improvements: RHACS 3.72 includes some improvements to the
Network Graph user interface.

Known issue
* RHACS shows the wrong severity when two severities exist for a single
vulnerability in a single distribution. This issue occurs because RHACS
scopes severities by namespace rather than component. There is no
workaround. It is anticipated that an upcoming release will include a fix
for this issue. (ROX-12527)

Bug fixes
* Before this update, the steps to configure OpenShift Container Platform
OAuth for more than one URI were missing. The documentation has been
revised to include instructions for configuring OAuth in OpenShift
Container Platform to use more than one URI. For more information, see
Creating additional routes for the OpenShift Container Platform OAuth
server. (ROX-11296)
* Before this update, the autogenerated image integration, such as a Docker
registry integration, for a cluster is not deleted when the cluster is
removed from Central. This issue is fixed. (ROX-9398)
* Before this update, the Image OS policy criteria did not support regular
expressions, or regex. However, the documentation indicated that regular
expressions were supported. This issue is fixed by adding support for
regular expressions for the Image OS policy criteria. (ROX-12301)
* Before this update, the syslog integration did not respect a configured
TCP proxy. This is now fixed.
* Before this update, the scanner-db pod failed to start when a resource
quota was set for the stackrox namespace, because the init-db container in
the pod did not have any resources assigned to it. The init-db container
for ScannerDB now specifies resource requests and limits that match the db
container. (ROX-12291)

Notable technical changes
* Scanning support for Red Hat Enterprise Linux 9: RHEL 9 is now generally
available (GA). RHACS 3.72 introduces support for analyzing images built
with Red Hat Universal Base Image (UBI) 9 and Red Hat Enterprise Linux
(RHEL) 9 RPMs for vulnerabilities.
* Policy for CVEs with fixable CVSS of 6 or greater disabled by default:
Beginning with this release, the Fixable CVSS >= 6 and Privileged policy is
no longer enabled by default for new RHACS installations. The configuration
of this policy is not changed when upgrading an existing system. A new
policy Privileged Containers with Important and Critical Fixable CVEs,
which gives an alert for containers running in privileged mode that have
important or critical fixable vulnerabilities, has been added.

Security Fix(es)
* golang: encoding/pem: fix stack overflow in Decode (CVE-2022-24675)
* golang: regexp: stack exhaustion via a deeply nested expression
(CVE-2022-24921)
* golang: crypto/elliptic: panic caused by oversized scalar
(CVE-2022-28327)
* golang: syscall: faccessat checks wrong group (CVE-2022-29526)
* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

To take advantage of the new features, bug fixes, and enhancements in RHACS
3.72 you are advised to upgrade to RHACS 3.72.0.

4. Bugs fixed (https://bugzilla.redhat.com/):

2064857 - CVE-2022-24921 golang: regexp: stack exhaustion via a deeply nested expression
2077688 - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode
2077689 - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar
2084085 - CVE-2022-29526 golang: syscall: faccessat checks wrong group
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read

5. JIRA issues fixed (https://issues.jboss.org/):

ROX-12799 - Release RHACS 3.72.0

6. References:

https://access.redhat.com/security/cve/CVE-2015-20107
https://access.redhat.com/security/cve/CVE-2022-0391
https://access.redhat.com/security/cve/CVE-2022-1292
https://access.redhat.com/security/cve/CVE-2022-1586
https://access.redhat.com/security/cve/CVE-2022-1785
https://access.redhat.com/security/cve/CVE-2022-1897
https://access.redhat.com/security/cve/CVE-2022-1927
https://access.redhat.com/security/cve/CVE-2022-2068
https://access.redhat.com/security/cve/CVE-2022-2097
https://access.redhat.com/security/cve/CVE-2022-24675
https://access.redhat.com/security/cve/CVE-2022-24921
https://access.redhat.com/security/cve/CVE-2022-28327
https://access.redhat.com/security/cve/CVE-2022-29154
https://access.redhat.com/security/cve/CVE-2022-29526
https://access.redhat.com/security/cve/CVE-2022-30631
https://access.redhat.com/security/cve/CVE-2022-32206
https://access.redhat.com/security/cve/CVE-2022-32208
https://access.redhat.com/security/cve/CVE-2022-34903
https://access.redhat.com/security/updates/classification/#moderate
https://docs.openshift.com/acs/3.72/release_notes/372-release-notes.html

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYzH0ItzjgjWX9erEAQg2Yg//fDLYNktH9vd06FrD5L77TeiYnD/Zx+f5
fk12roODKMOpcV6BmnOyPG0a6POCmhHn1Dn6bOT+7Awx0b9A9cXXDk6jytkpDhh7
O0OxzWZVVvSzNe1TL3WN9vwZqSpAYON8euLBEb16E8pmEv7vXKll3wMQIlctp6Nr
ey6DLL718z8ghXbtkkcGsBQqElM4jESvGm5xByMymfRFktvy9LSgTi+Zc7FY7gXL
AHitJZiSm57D/pwUHvNltLLkxQfVAGuJXaTHYFyeIi6Z2pdDySYAXcr60mVd6eSh
9/7qGwdsQARwmr174s0xMWRcns6UDvwIWifiXl6FUnTZFlia+lC3xIP1o2CXwoFP
Fr7LpF0L9h5BapjSRv1w6qkkJIyJhw5v9VmZQoQ3joZqRQi0I6qLOcp92eik63pM
i11ppoeDNwjpSST40Ema3j9PflzxXB7PKBUfKWwqNc2dnWDkiEhNaXOAZ7MqgdLo
MB3enlKV4deeWOb5OA1Vlv/lAAJM0h5AOgTIBddYs3CDsyoK9fKm1UF/BEhcWMyr
kV3AJ0/zzAK6ev4hQmP8Ug4SbdiHNdM3X1vgH54OVJ3Al3E1nAEyYmELNUITrvXV
jJI5thbVwK78vOX9yWcmpZm879BnHnUPzGbS0lF5FVJOSZ8E7LvOE7lCM/dg094z
0riGwT9O9Ys=
=hArw
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce