-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Advanced Cluster Management 2.2.11 security updates and bug fixes
Advisory ID:       RHSA-2022:0856-01
Product:           Red Hat ACM
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:0856
Issue date:        2022-03-14
CVE Names:         CVE-2019-5827 CVE-2019-13750 CVE-2019-13751 
                   CVE-2019-17594 CVE-2019-17595 CVE-2019-18218 
                   CVE-2019-19603 CVE-2019-20838 CVE-2020-0465 
                   CVE-2020-0466 CVE-2020-12762 CVE-2020-13435 
                   CVE-2020-14155 CVE-2020-16135 CVE-2020-24370 
                   CVE-2020-25709 CVE-2020-25710 CVE-2021-0920 
                   CVE-2021-3200 CVE-2021-3426 CVE-2021-3445 
                   CVE-2021-3521 CVE-2021-3564 CVE-2021-3572 
                   CVE-2021-3573 CVE-2021-3580 CVE-2021-3712 
                   CVE-2021-3752 CVE-2021-3800 CVE-2021-3872 
                   CVE-2021-3984 CVE-2021-4019 CVE-2021-4122 
                   CVE-2021-4155 CVE-2021-4192 CVE-2021-4193 
                   CVE-2021-20231 CVE-2021-20232 CVE-2021-22876 
                   CVE-2021-22898 CVE-2021-22925 CVE-2021-23434 
                   CVE-2021-25214 CVE-2021-27645 CVE-2021-28153 
                   CVE-2021-33560 CVE-2021-33574 CVE-2021-35942 
                   CVE-2021-36084 CVE-2021-36085 CVE-2021-36086 
                   CVE-2021-36087 CVE-2021-39241 CVE-2021-40346 
                   CVE-2021-42574 CVE-2022-0155 CVE-2022-0185 
                   CVE-2022-0330 CVE-2022-22942 CVE-2022-24407 
=====================================================================

1. Summary:

Red Hat Advanced Cluster Management for Kubernetes 2.2.11 General
Availability release images, which provide one or more container updates
and bug fixes.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat Advanced Cluster Management for Kubernetes 2.2.11 images

Red Hat Advanced Cluster Management for Kubernetes provides the
capabilities to address common challenges that administrators and site
reliability engineers face as they work across a range of public and
private cloud environments.

Clusters and applications are all visible and managed from a single console
— with security policy built in.

This advisory contains the container images for Red Hat Advanced Cluster
Management for Kubernetes, which provide security fixes, bug fixes and
container upgrades. See the following Release Notes documentation, which
will be updated shortly for this release, for additional details about this
release:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.2/html/release_notes/

Security updates:

* object-path: Type confusion vulnerability can lead to a bypass of
CVE-2020-15256 (CVE-2021-23434)

* follow-redirects: Exposure of Private Personal Information to an
Unauthorized Actor (CVE-2022-0155)

Related bugs: 

* RHACM 2.2.11 images (Bugzilla #2029508)

* ClusterImageSet has 4.5 which is not supported in ACM 2.2.10 (Bugzilla
#2030859)

3. Solution:

For Red Hat Advanced Cluster Management for Kubernetes, see the following
documentation, which will be updated shortly for this release, for
important instructions on how to upgrade your cluster and fully apply this
asynchronous errata update:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.2/html/release_notes/index

For details on how to apply this update, refer to:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.2/html-single/install/index#installing

4. Bugs fixed (https://bugzilla.redhat.com/):

1999810 - CVE-2021-23434 object-path: Type confusion vulnerability can lead to a bypass of CVE-2020-15256
2029508 - RHACM 2.2.11 images
2030859 - ClusterImageSet has 4.5 which is not supported in ACM 2.2.10
2044556 - CVE-2022-0155 follow-redirects: Exposure of Private Personal Information to an Unauthorized Actor

5. References:

https://access.redhat.com/security/cve/CVE-2019-5827
https://access.redhat.com/security/cve/CVE-2019-13750
https://access.redhat.com/security/cve/CVE-2019-13751
https://access.redhat.com/security/cve/CVE-2019-17594
https://access.redhat.com/security/cve/CVE-2019-17595
https://access.redhat.com/security/cve/CVE-2019-18218
https://access.redhat.com/security/cve/CVE-2019-19603
https://access.redhat.com/security/cve/CVE-2019-20838
https://access.redhat.com/security/cve/CVE-2020-0465
https://access.redhat.com/security/cve/CVE-2020-0466
https://access.redhat.com/security/cve/CVE-2020-12762
https://access.redhat.com/security/cve/CVE-2020-13435
https://access.redhat.com/security/cve/CVE-2020-14155
https://access.redhat.com/security/cve/CVE-2020-16135
https://access.redhat.com/security/cve/CVE-2020-24370
https://access.redhat.com/security/cve/CVE-2020-25709
https://access.redhat.com/security/cve/CVE-2020-25710
https://access.redhat.com/security/cve/CVE-2021-0920
https://access.redhat.com/security/cve/CVE-2021-3200
https://access.redhat.com/security/cve/CVE-2021-3426
https://access.redhat.com/security/cve/CVE-2021-3445
https://access.redhat.com/security/cve/CVE-2021-3521
https://access.redhat.com/security/cve/CVE-2021-3564
https://access.redhat.com/security/cve/CVE-2021-3572
https://access.redhat.com/security/cve/CVE-2021-3573
https://access.redhat.com/security/cve/CVE-2021-3580
https://access.redhat.com/security/cve/CVE-2021-3712
https://access.redhat.com/security/cve/CVE-2021-3752
https://access.redhat.com/security/cve/CVE-2021-3800
https://access.redhat.com/security/cve/CVE-2021-3872
https://access.redhat.com/security/cve/CVE-2021-3984
https://access.redhat.com/security/cve/CVE-2021-4019
https://access.redhat.com/security/cve/CVE-2021-4122
https://access.redhat.com/security/cve/CVE-2021-4155
https://access.redhat.com/security/cve/CVE-2021-4192
https://access.redhat.com/security/cve/CVE-2021-4193
https://access.redhat.com/security/cve/CVE-2021-20231
https://access.redhat.com/security/cve/CVE-2021-20232
https://access.redhat.com/security/cve/CVE-2021-22876
https://access.redhat.com/security/cve/CVE-2021-22898
https://access.redhat.com/security/cve/CVE-2021-22925
https://access.redhat.com/security/cve/CVE-2021-23434
https://access.redhat.com/security/cve/CVE-2021-25214
https://access.redhat.com/security/cve/CVE-2021-27645
https://access.redhat.com/security/cve/CVE-2021-28153
https://access.redhat.com/security/cve/CVE-2021-33560
https://access.redhat.com/security/cve/CVE-2021-33574
https://access.redhat.com/security/cve/CVE-2021-35942
https://access.redhat.com/security/cve/CVE-2021-36084
https://access.redhat.com/security/cve/CVE-2021-36085
https://access.redhat.com/security/cve/CVE-2021-36086
https://access.redhat.com/security/cve/CVE-2021-36087
https://access.redhat.com/security/cve/CVE-2021-39241
https://access.redhat.com/security/cve/CVE-2021-40346
https://access.redhat.com/security/cve/CVE-2021-42574
https://access.redhat.com/security/cve/CVE-2022-0155
https://access.redhat.com/security/cve/CVE-2022-0185
https://access.redhat.com/security/cve/CVE-2022-0330
https://access.redhat.com/security/cve/CVE-2022-22942
https://access.redhat.com/security/cve/CVE-2022-24407
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYi+vA9zjgjWX9erEAQgTqA/+J2DQsJewk+7lcFiIFg2V/pbB8hc0RsP5
KbxZaTfWXw0Awen3M5xN9iwKH8v3zdgwKMiEdPi4STFxQEoyOATJ6f8n1tIrZtEv
yvR4I/fCTeQZYZJDPuCaUl0xkL7yFMqKumSsVeTI/zUWDQB5Ifv30KMX68FV2UUW
1T/A0gMzdsCOGNh89jw1tvehqsxfUsBZbv2oqTJkSGsCeBQohuP58MHUeYXzGy5M
HAJhRfgJYTcQneRiUt3PIlH737YjkXW5vO4sYqmyS30SvEtT7HK12qnw9DuBk7bs
tPDvuNy2DFF7S3HARQAgsPDWJQvMBdu96Vm9XHsVHYs/jSrj2B05wAwvYKp5J2q8
WhghlFQnU2QJvaDslUhnC6gz6CqHhU971qSSRWdyrdOLe+56pTg1g1YgJ2V46sIv
b6+9UIFMg0IgHuX9Ys/MVMqXaNOv3tvglmzIGbGsFKE8afZ8FPykaWx1His8fg1b
LxDe8x1eBHDGL28Q4fPmTRcZ6kusODotZPnc8Bv1Y8z+EdDBATI7OZhx9ePpb1fL
GsXBkFvFEaVwTHKWwA3RwTV3uj2rUP7ZCHJuJSaVuZPxhlhY/Q1bXZhSh5aY1oSk
+YUU9HGz9zRJMVHFiuFYp0zrrOFOGw7PGXUr4/+/pPFJkWOVApYvlsgx7DvkyYmB
Xdiu19jyuh4=
=lH1Z
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce