-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Advanced Cluster Management 2.3.10 security updates and bug fixes
Advisory ID:       RHSA-2022:1715-01
Product:           Red Hat ACM
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:1715
Issue date:        2022-05-04
CVE Names:         CVE-2018-25032 CVE-2021-4028 CVE-2021-4083 
                   CVE-2021-4115 CVE-2022-0155 CVE-2022-0235 
                   CVE-2022-0536 CVE-2022-0613 CVE-2022-0711 
                   CVE-2022-1154 CVE-2022-1271 CVE-2022-21803 
                   CVE-2022-24723 CVE-2022-24785 CVE-2022-25636 
====================================================================
1. Summary:

Red Hat Advanced Cluster Management for Kubernetes 2.3.10 General
Availability release images, which provide security updates and bug fixes.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat Advanced Cluster Management for Kubernetes 2.3.10 images

Red Hat Advanced Cluster Management for Kubernetes provides the
capabilities to address common challenges that administrators and site
reliability engineers face as they work across a range of public and
private cloud environments. Clusters and applications are all visible and
managed from a single console—with security policy built in.

This advisory contains the container images for Red Hat Advanced Cluster
Management for Kubernetes, which fix several bugs. See the following
Release Notes documentation, which will be updated shortly for this
release, for additional details about this release:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.3/html/release_notes/

Security updates:

* Follow-redirects: Exposure of Private Personal Information to an
Unauthorized Actor (CVE-2022-0155)

* Node-fetch: exposure of sensitive information to an unauthorized actor
(CVE-2022-0235)

* Follow-redirects: Exposure of Sensitive Information via Authorization
Header leak (CVE-2022-0536)

* Urijs: Authorization Bypass Through User-Controlled Key (CVE-2022-0613)

* Urijs: Leading white space bypasses protocol validation (CVE-2022-24723)

* Nconf: Prototype pollution in memory store (CVE-2022-21803)

* Moment.js: Path traversal in moment.locale (CVE-2022-24785)

Bug fixes:

* RHACM 2.3.10 images

3. Solution:

For Red Hat Advanced Cluster Management for Kubernetes, see the following
documentation, which will be updated shortly for this release, for
important
instructions on how to upgrade your cluster and fully apply this
asynchronous
errata update:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.3/html/release_notes/index

For details on how to apply this update, refer to:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.3/html-single/install/index#installing

4. Bugs fixed (https://bugzilla.redhat.com/):

2044556 - CVE-2022-0155 follow-redirects: Exposure of Private Personal Information to an Unauthorized Actor
2044591 - CVE-2022-0235 node-fetch: exposure of sensitive information to an unauthorized actor
2053259 - CVE-2022-0536 follow-redirects: Exposure of Sensitive Information via Authorization Header leak
2055496 - CVE-2022-0613 urijs: Authorization Bypass Through User-Controlled Key
2062370 - CVE-2022-24723 urijs: Leading white space bypasses protocol validation
2072009 - CVE-2022-24785 Moment.js: Path traversal  in moment.locale
2072229 - RHACM 2.3.10 images
2074689 - CVE-2022-21803 nconf: Prototype pollution in memory store

5. References:

https://access.redhat.com/security/cve/CVE-2018-25032
https://access.redhat.com/security/cve/CVE-2021-4028
https://access.redhat.com/security/cve/CVE-2021-4083
https://access.redhat.com/security/cve/CVE-2021-4115
https://access.redhat.com/security/cve/CVE-2022-0155
https://access.redhat.com/security/cve/CVE-2022-0235
https://access.redhat.com/security/cve/CVE-2022-0536
https://access.redhat.com/security/cve/CVE-2022-0613
https://access.redhat.com/security/cve/CVE-2022-0711
https://access.redhat.com/security/cve/CVE-2022-1154
https://access.redhat.com/security/cve/CVE-2022-1271
https://access.redhat.com/security/cve/CVE-2022-21803
https://access.redhat.com/security/cve/CVE-2022-24723
https://access.redhat.com/security/cve/CVE-2022-24785
https://access.redhat.com/security/cve/CVE-2022-25636
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.3/html/release_notes/index
https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.3/html-single/install/index#installing

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYnOkrtzjgjWX9erEAQjZTA/+Ns/M8W6aUjV/V/tQ2yKTnwYjiy/Qlbcj
NxM9g5fMDGLUOLsUzzHYUzlOA4dWZ2nB6t4IVbMaTCd6UFuLcGUzmpSNsUTHyBbN
gAfQlbUytcXFUkRJKFPqYjCPMgkspzjr/fBTH4OL4Lwc2+5PopaxZsobLxlzFniT
f/z7iaxnAFgvtLTQIqeun3q2gUBDVAmfvRyC4G3YcGGZRvHTYxIHdL2VAXkCYBMj
n7gkR76rvvgvNjnJQA/XUkhq0AMHmdY5Pq+Q8V2nG/kq280wwwhZx/51uPCA0EXQ
MSjubAZYOD6vs7qCXggaRhLo2/CWPiZxMHYHGi/FXD7l/qdgRexPw041YtFXBDlG
lWZo6XgKbvzCyGF6ZB/CqzqC/urgrQpFixZgmMO9C48W/R5froPgbEQ3rkvm3gTl
ylXIIrmxymX0R6luMdCnz3hwTOzH2mlZum31bRiyyKeHxeFDN1Z5ocmV8PnLDZn3
Fy27huF+fF8qQBnfEvTHR7grcdvQ7wACq09v2T+LNxr3CoB80Mhp0GnguPkYRQKg
5eC/cc+36/nm95vwffVcFdQWZCUEEAcBI8RpPx29yLeV8dh6DnyiOCzUbsyr69N6
jiJRYoMN+5ruc2kAWbp0bVjuJIVpu4N2hQ/0g/mFzactckovTOUf6wQKeG7n6A6w
oGN0CocEa5o=vmh9
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2022-1715:01 Moderate: Red Hat Advanced Cluster Management

Red Hat Advanced Cluster Management for Kubernetes 2.3.10 General Availability release images, which provide security updates and bug fixes

Summary

Red Hat Advanced Cluster Management for Kubernetes 2.3.10 images
Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in.
This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs. See the following Release Notes documentation, which will be updated shortly for this release, for additional details about this release:
https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.3/html/release_notes/
Security updates:
* Follow-redirects: Exposure of Private Personal Information to an Unauthorized Actor (CVE-2022-0155)
* Node-fetch: exposure of sensitive information to an unauthorized actor (CVE-2022-0235)
* Follow-redirects: Exposure of Sensitive Information via Authorization Header leak (CVE-2022-0536)
* Urijs: Authorization Bypass Through User-Controlled Key (CVE-2022-0613)
* Urijs: Leading white space bypasses protocol validation (CVE-2022-24723)
* Nconf: Prototype pollution in memory store (CVE-2022-21803)
* Moment.js: Path traversal in moment.locale (CVE-2022-24785)
Bug fixes:
* RHACM 2.3.10 images



Summary


Solution

For Red Hat Advanced Cluster Management for Kubernetes, see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:
https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.3/html/release_notes/index
For details on how to apply this update, refer to:
https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.3/html-single/install/index#installing

References

https://access.redhat.com/security/cve/CVE-2018-25032 https://access.redhat.com/security/cve/CVE-2021-4028 https://access.redhat.com/security/cve/CVE-2021-4083 https://access.redhat.com/security/cve/CVE-2021-4115 https://access.redhat.com/security/cve/CVE-2022-0155 https://access.redhat.com/security/cve/CVE-2022-0235 https://access.redhat.com/security/cve/CVE-2022-0536 https://access.redhat.com/security/cve/CVE-2022-0613 https://access.redhat.com/security/cve/CVE-2022-0711 https://access.redhat.com/security/cve/CVE-2022-1154 https://access.redhat.com/security/cve/CVE-2022-1271 https://access.redhat.com/security/cve/CVE-2022-21803 https://access.redhat.com/security/cve/CVE-2022-24723 https://access.redhat.com/security/cve/CVE-2022-24785 https://access.redhat.com/security/cve/CVE-2022-25636 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.3/html/release_notes/index https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.3/html-single/install/index#installing

Package List


Severity
Advisory ID: RHSA-2022:1715-01
Product: Red Hat ACM
Advisory URL: https://access.redhat.com/errata/RHSA-2022:1715
Issued Date: : 2022-05-04
CVE Names: CVE-2018-25032 CVE-2021-4028 CVE-2021-4083 CVE-2021-4115 CVE-2022-0155 CVE-2022-0235 CVE-2022-0536 CVE-2022-0613 CVE-2022-0711 CVE-2022-1154 CVE-2022-1271 CVE-2022-21803 CVE-2022-24723 CVE-2022-24785 CVE-2022-25636

Topic

Red Hat Advanced Cluster Management for Kubernetes 2.3.10 GeneralAvailability release images, which provide security updates and bug fixes.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures


Bugs Fixed

2044556 - CVE-2022-0155 follow-redirects: Exposure of Private Personal Information to an Unauthorized Actor

2044591 - CVE-2022-0235 node-fetch: exposure of sensitive information to an unauthorized actor

2053259 - CVE-2022-0536 follow-redirects: Exposure of Sensitive Information via Authorization Header leak

2055496 - CVE-2022-0613 urijs: Authorization Bypass Through User-Controlled Key

2062370 - CVE-2022-24723 urijs: Leading white space bypasses protocol validation

2072009 - CVE-2022-24785 Moment.js: Path traversal in moment.locale

2072229 - RHACM 2.3.10 images

2074689 - CVE-2022-21803 nconf: Prototype pollution in memory store


Related News

19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved