-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Advanced Cluster Management 2.4.3 security updates and bug fixes
Advisory ID:       RHSA-2022:1476-01
Product:           Red Hat ACM
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:1476
Issue date:        2022-04-20
CVE Names:         CVE-2021-0920 CVE-2021-3999 CVE-2021-4154 
                   CVE-2021-23177 CVE-2021-23566 CVE-2021-31566 
                   CVE-2021-41190 CVE-2021-43565 CVE-2021-45960 
                   CVE-2021-46143 CVE-2022-0144 CVE-2022-0155 
                   CVE-2022-0235 CVE-2022-0261 CVE-2022-0318 
                   CVE-2022-0330 CVE-2022-0359 CVE-2022-0361 
                   CVE-2022-0392 CVE-2022-0413 CVE-2022-0435 
                   CVE-2022-0492 CVE-2022-0516 CVE-2022-0536 
                   CVE-2022-0778 CVE-2022-0811 CVE-2022-0847 
                   CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 
                   CVE-2022-22825 CVE-2022-22826 CVE-2022-22827 
                   CVE-2022-22942 CVE-2022-23218 CVE-2022-23219 
                   CVE-2022-23308 CVE-2022-23852 CVE-2022-24450 
                   CVE-2022-24778 CVE-2022-25235 CVE-2022-25236 
                   CVE-2022-25315 CVE-2022-27191 
=====================================================================

1. Summary:

Red Hat Advanced Cluster Management for Kubernetes 2.4.3 General
Availability release images. This update provides security fixes, bug
fixes, and updates the container images.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE links in the References section.

2. Description:

Red Hat Advanced Cluster Management for Kubernetes 2.4.3 images

Red Hat Advanced Cluster Management for Kubernetes provides the
capabilities to address common challenges that administrators and site
reliability engineers face as they work across a range of public and
private cloud environments. Clusters and applications are all visible and
managed from a single console—with security policy built in.

This advisory contains the container images for Red Hat Advanced Cluster
Management for Kubernetes, which provide some security fixes and bug fixes.
See the following Release Notes documentation, which will be updated
shortly for this release, for additional details about this release:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html/release_notes/

Security updates:

* golang.org/x/crypto: empty plaintext packet causes panic (CVE-2021-43565)

* nats-server: misusing the "dynamically provisioned sandbox accounts"
feature authenticated user can obtain the privileges of the System account
(CVE-2022-24450)

* nanoid: Information disclosure via valueOf() function (CVE-2021-23566)

* nodejs-shelljs: improper privilege management (CVE-2022-0144)

* search-ui-container: follow-redirects: Exposure of Private Personal
Information to an Unauthorized Actor (CVE-2022-0155)

* node-fetch: exposure of sensitive information to an unauthorized actor
(CVE-2022-0235)

* follow-redirects: Exposure of Sensitive Information via Authorization
Header leak (CVE-2022-0536)

* openssl: Infinite loop in BN_mod_sqrt() reachable when parsing
certificates (CVE-2022-0778)

* imgcrypt: Unauthorized access to encryted container image on a shared
system due to missing check in CheckAuthorization() code path
(CVE-2022-24778)

* golang: crash in a golang.org/x/crypto/ssh server (CVE-2022-27191)

* opencontainers: OCI manifest and index parsing confusion (CVE-2021-41190)

Related bugs:

* RHACM 2.4.3 image files (BZ #2057249)

* Observability - dashboard name contains `/` would cause error when
generating dashboard cm (BZ #2032128)

* ACM application placement fails after renaming the application name (BZ
#2033051)

* Disable the obs metric collect should not impact the managed cluster
upgrade (BZ #2039197)

* Observability - cluster list should only contain OCP311 cluster on OCP311
dashboard (BZ #2039820)

* The value of name label changed from clusterclaim name to cluster name
(BZ #2042223)

* VMWare Cluster creation does not accept ecdsa-sha2-nistp521 ssh keys (BZ
#2048500)

* clusterSelector matchLabels spec are cleared when changing app
name/namespace during creating an app in UI (BZ #2053211)

* Application cluster status is not updated in UI after restoring (BZ
#2053279)

* OpenStack cluster creation is using deprecated floating IP config for
4.7+ (BZ #2056610)

* The value of Vendor reported by cluster metrics was Other even if the
vendor label in managedcluster was Openshift (BZ #2059039)

* Subscriptions stop reconciling after channel secrets are recreated (BZ
#2059954)

* Placementrule is not reconciling on a new fresh environment (BZ #2074156)

* The cluster claimed from clusterpool cannot auto imported (BZ #2074543)

3. Solution:

For Red Hat Advanced Cluster Management for Kubernetes, see the following
documentation, which will be updated shortly for this release, for
important
instructions on how to upgrade your cluster and fully apply this
asynchronous
errata update:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html/release_notes/index

For details on how to apply this update, refer to:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html-single/install/index#installing

4. Bugs fixed (https://bugzilla.redhat.com/):

2024938 - CVE-2021-41190 opencontainers: OCI manifest and index parsing confusion
2030787 - CVE-2021-43565 golang.org/x/crypto: empty plaintext packet causes panic
2032128 - Observability - dashboard name contains `/` would cause error when generating dashboard cm
2033051 - ACM application placement fails after renaming the application name
2039197 - disable the obs metric collect should not impact the managed cluster upgrade
2039820 - Observability - cluster list should only contain OCP311 cluster on OCP311 dashboard
2042223 - the value of name label changed from clusterclaim name to cluster name
2043535 - CVE-2022-0144 nodejs-shelljs: improper privilege management
2044556 - CVE-2022-0155 follow-redirects: Exposure of Private Personal Information to an Unauthorized Actor
2044591 - CVE-2022-0235 node-fetch: exposure of sensitive information to an unauthorized actor
2048500 - VMWare Cluster creation does not accept ecdsa-sha2-nistp521 ssh keys
2050853 - CVE-2021-23566 nanoid: Information disclosure via valueOf() function
2052573 - CVE-2022-24450 nats-server: misusing the "dynamically provisioned sandbox accounts" feature  authenticated user can obtain the privileges of the System account
2053211 - clusterSelector matchLabels spec are cleared when changing app name/namespace during creating an app in UI
2053259 - CVE-2022-0536 follow-redirects: Exposure of Sensitive Information via Authorization Header leak
2053279 - Application cluster status is not updated in UI after restoring
2056610 - OpenStack cluster creation is using deprecated floating IP config for 4.7+
2057249 - RHACM 2.4.3 images
2059039 - The value of Vendor reported by cluster metrics was Other even if the vendor label in managedcluster was Openshift
2059954 - Subscriptions stop reconciling after channel secrets are recreated
2062202 - CVE-2022-0778 openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates
2064702 - CVE-2022-27191 golang: crash in a golang.org/x/crypto/ssh server
2069368 - CVE-2022-24778 imgcrypt: Unauthorized access to encryted container image on a shared system due to missing check in CheckAuthorization() code path
2074156 - Placementrule is not reconciling on a new fresh environment
2074543 - The cluster claimed from clusterpool can not auto imported

5. References:

https://access.redhat.com/security/cve/CVE-2021-0920
https://access.redhat.com/security/cve/CVE-2021-3999
https://access.redhat.com/security/cve/CVE-2021-4154
https://access.redhat.com/security/cve/CVE-2021-23177
https://access.redhat.com/security/cve/CVE-2021-23566
https://access.redhat.com/security/cve/CVE-2021-31566
https://access.redhat.com/security/cve/CVE-2021-41190
https://access.redhat.com/security/cve/CVE-2021-43565
https://access.redhat.com/security/cve/CVE-2021-45960
https://access.redhat.com/security/cve/CVE-2021-46143
https://access.redhat.com/security/cve/CVE-2022-0144
https://access.redhat.com/security/cve/CVE-2022-0155
https://access.redhat.com/security/cve/CVE-2022-0235
https://access.redhat.com/security/cve/CVE-2022-0261
https://access.redhat.com/security/cve/CVE-2022-0318
https://access.redhat.com/security/cve/CVE-2022-0330
https://access.redhat.com/security/cve/CVE-2022-0359
https://access.redhat.com/security/cve/CVE-2022-0361
https://access.redhat.com/security/cve/CVE-2022-0392
https://access.redhat.com/security/cve/CVE-2022-0413
https://access.redhat.com/security/cve/CVE-2022-0435
https://access.redhat.com/security/cve/CVE-2022-0492
https://access.redhat.com/security/cve/CVE-2022-0516
https://access.redhat.com/security/cve/CVE-2022-0536
https://access.redhat.com/security/cve/CVE-2022-0778
https://access.redhat.com/security/cve/CVE-2022-0811
https://access.redhat.com/security/cve/CVE-2022-0847
https://access.redhat.com/security/cve/CVE-2022-22822
https://access.redhat.com/security/cve/CVE-2022-22823
https://access.redhat.com/security/cve/CVE-2022-22824
https://access.redhat.com/security/cve/CVE-2022-22825
https://access.redhat.com/security/cve/CVE-2022-22826
https://access.redhat.com/security/cve/CVE-2022-22827
https://access.redhat.com/security/cve/CVE-2022-22942
https://access.redhat.com/security/cve/CVE-2022-23218
https://access.redhat.com/security/cve/CVE-2022-23219
https://access.redhat.com/security/cve/CVE-2022-23308
https://access.redhat.com/security/cve/CVE-2022-23852
https://access.redhat.com/security/cve/CVE-2022-24450
https://access.redhat.com/security/cve/CVE-2022-24778
https://access.redhat.com/security/cve/CVE-2022-25235
https://access.redhat.com/security/cve/CVE-2022-25236
https://access.redhat.com/security/cve/CVE-2022-25315
https://access.redhat.com/security/cve/CVE-2022-27191
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html/release_notes/index
https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html-single/install/index#installing

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYmE9FdzjgjWX9erEAQjchRAAh7gHccq0BDUNVf4OuS5vfYp17qJ1aYua
hWV32ovogr6JFHO65u22u1oRe9sm7HvtmbD9sZIsd8raGyfqzQG+yA9hvpg9V194
6GOdQ7K5rHIiczf9q0NgKh1MPGpA0Bfo3rhlHYWbDxnSYWPHdZluxLe4102+vZr8
t0c7QwAreN7LFhHAuUDkDLqmEmFu31PJ+n2+lohsBPOy9bgXKWHWaFECWwESvn8t
nXTAiHWj1UbgOORAqUqsW4mNkTs5ko8zt/oS/5MYkuCX54pXwBDEigwjG7PT1tkh
mJStSifiJLpWyOXs6WWSU8uFo69xfsls03WoKvIjW/pEQaDfS4bGtDyRD+qeuXw+
+hvf5oPSoWkiC1leDhZ6r3/7XyChz4VtlS4kGeKZYGvzsnySt/TVQlx9IMedFinD
uWNnWA599KDctpZ2zU0GnQYi1fyHOW65O/in47NaN153DPNzA/wfDSZkz/c2OAgz
c2b5ful0Lfdgp1eFmC+0Czf5hcZoc9Y3RnGYCF9anFiyR3UpgVj5/BqP8taC10Pr
pCHexTF4WF9KT+T9trPrSOcJQGTg1kvpmwnvPq/SRA+oLFZ/39QOMghBi9ywxfuz
XebVaMSsRx3VJBGXZsSfGl1mKkO2sbCZuK6z3yf1+3iqZC68CHqT2cNdwVJSIGze
0gRrV9sKqVs=
=A/V4
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce