RedHat: RHSA-2022-4880:01 Moderate: ACS 3.70 enhancement and securi...
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: ACS 3.70 enhancement and security update
Advisory ID:       RHSA-2022:4880-01
Product:           RHACS
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:4880
Issue date:        2022-06-02
CVE Names:         CVE-2018-25032 CVE-2021-3634 CVE-2021-3672 
                   CVE-2021-3737 CVE-2021-4189 CVE-2021-23222 
                   CVE-2021-23820 CVE-2021-25219 CVE-2021-41190 
                   CVE-2022-1154 CVE-2022-1271 
=====================================================================

1. Summary:

Updated images are now available for Red Hat Advanced Cluster Security for
Kubernetes (RHACS). The updated image includes bug fixes and feature
improvements.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

New features and enhancements

1. Verifying image signatures against Cosign public keys: You can use RHACS
to ensure the integrity of the container images in your clusters by
verifying image signatures against preconfigured keys. You can also create
policies to block unsigned images and images that do not have a verified
signature and enforce the policy by using an admission controller to stop
unauthorized deployment creation.

2. Registry integrations for Amazon Elastic Container Registry (ECR) are
now automatically generated for Amazon Web Services (AWS) clusters. This
feature requires that the nodes' Instance Identity and Access Management
(IAM) Role has been granted access to ECR. You can turn off this feature by
disabling the EC2 instance metadata service in your nodes.

3. Identifying missing Kubernetes network policies: RHACS 3.70 ships with a
new default policy that allows you to easily identify deployments that are
not restricted by any ingress network policy and to trigger violation
alerts accordingly. The default policy is named Deployments should have at
least one ingress Network Policy. It is disabled by default. This default
policy uses a new policy criterion called "Alert on missing ingress Network
Policy." To identify pod isolation gaps, you can clone this default policy
or create a new one by using the policy criterion and enabling it on
selected resources.

4. A policy to detect the Spring Cloud Function RCE vulnerability
[CVE-2022-22963] and the Spring Framework Spring4Shell RCE vulnerability
[CVE-2022-22965] has been added. It has a severity level of Critical and is
enabled by default.

5. A new policy criterion has been added to validate the value of
allowPrivilegeEscalation within the Kubernetes security context. You can
use this policy criterion to provide alerts when a deployment is configured
to allow a container process to gain more privileges than its parent
process.

6. Customers using the recommended Operator method to deploy RHACS on
OpenShift Container Platform can now view the credentials for the admin
user in the OpenShift Container Platform console. When viewing the Central
object, the Details tab provides a clickable link to the credentials under
Admin Password Secret Reference. The displayed credentials are the default
generated password or a previously configured and stored custom secret.

7. Previously, RHACS limited the number of allowed inclusion and exclusion
scopes within a scope to ten each. This restriction has been removed.

Notable technical changes

1. Vulnerability scanning and reporting for RHCOS nodes: Vulnerability
scanning and reporting for Red Hat Enterprise Linux CoreOS (RHCOS) nodes
has been disabled until scanning improvements are made for improved
accuracy and to support full host-level scanning beyond just Kubernetes
components. Currently, RHCOS uses National Vulnerability Database (NVD)
vulnerability data for reporting vulnerabilities for Kubernetes components
from RHCOS. In the enhanced version, vulnerability reporting will be based
on Red Hat published security data. (ROX-10662)

Deprecated Features:

- - Ability to add comments to alerts and processes
- - Anchore, Tenable, and Docker Trusted registry integrations
- - External authorization plug-in for scoped access control
- - FROM option in the Disallowed Dockerfile line policy field
- - RenamePolicyCategory and DeletePolicyCategory API endpoints
- - --rhacs option for the roxctl helm output command

Removed Features:

- - Ability to delete default policies
- - Security policies without a policyVersion
- - /v1/policies API endpoint response: field response body parameter

Security Fixes:

* json-pointer: type confusion vulnerability can lead to a bypass of
CVE-2020-7709 when the pointer components are arrays (CVE-2021-23820)
* opencontainers: OCI manifest and index parsing confusion (CVE-2021-41190)

3. Solution:

To take advantage of the new features, bug fixes, and enhancements in RHACS
3.70 you are advised to upgrade to RHACS 3.70.0.

4. Bugs fixed (https://bugzilla.redhat.com/):

2020369 - CVE-2021-23820 json-pointer: type confusion vulnerability can lead to a bypass of CVE-2020-7709 when the pointer components are arrays
2024938 - CVE-2021-41190 opencontainers: OCI manifest and index parsing confusion

5. JIRA issues fixed (https://issues.jboss.org/):

ROX-11147 - Release RHACS 3.70.0
ROX-9625 - Central is susceptible to connection reuse issues when running on OpenShift
ROX-9902 - Generic webhook notifier with username/password not working

6. References:

https://access.redhat.com/security/cve/CVE-2018-25032
https://access.redhat.com/security/cve/CVE-2021-3634
https://access.redhat.com/security/cve/CVE-2021-3672
https://access.redhat.com/security/cve/CVE-2021-3737
https://access.redhat.com/security/cve/CVE-2021-4189
https://access.redhat.com/security/cve/CVE-2021-23222
https://access.redhat.com/security/cve/CVE-2021-23820
https://access.redhat.com/security/cve/CVE-2021-25219
https://access.redhat.com/security/cve/CVE-2021-41190
https://access.redhat.com/security/cve/CVE-2022-1154
https://access.redhat.com/security/cve/CVE-2022-1271
https://access.redhat.com/security/updates/classification/#moderate
https://docs.openshift.com/acs/3.69/release_notes/370-release-notes.html

7. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYphyENzjgjWX9erEAQhaMg/8Cdc2cZjgk8oqbk/N+zTUodLQUSbGuwyV
SiKJGvCHo1ppVLMpVP9D2hYEVS6HMOsNskf5yApxF95Id68j7TQUNbhnUx3lyUO9
ZYcfxLjLVrHZq7iNumm6O0R03wqb+9TEYe3xU7p4z6pRX2dPO9M/TbjO/fsvvVSz
B2JG32FVxGZJpqnaSkhWBP7NQ5ih8YrlGsdh6G5ip02MeDS3u/peXD+t/wHxSL24
Y5ao1LPKHJ/0soOKgGK/I/PkcbqSS38/wFmy2ohFwZsf5WWs+fLS2f2kbkP8FSKY
57kJtK2v4X7uRn3npO5B3qwZs1M06+6s/SavOxU0aAMkivmNuFvpLzdJLawPHBP2
y7j3Qxyq3H8rm0h7Rya/oIEP6MhxjCot2z4WrXES2B1J79lg7I1E3YoXQEaLhS1p
eqhQ7QQksbB53AG2Eq+TmJR0oacb1xptotNGqSY2WZtLchxrTnadvTFEVJhhBHxn
hG2zlNnjXoJKQdwJv2G/X7UemzeBqmhd8rHOGp4+WyASse7qS5LIXGZkqR1oRqlW
TgHhg7a0R9N2yhK8N9QZnJKB4+xo2xeZ0tRLh/WYUh+V1icP/l9jH9c4ec9DGtyd
uPamMUtVfrGcTbCluQPRZpNii+TwB8yyzEVcQBVwef5UfHmIe5qtCwE46U0V7eV+
rJ9xYHG86hA=
=r90W
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2022-4880:01 Moderate: ACS 3.70 enhancement and security update

Updated images are now available for Red Hat Advanced Cluster Security for Kubernetes (RHACS)

Summary

New features and enhancements
1. Verifying image signatures against Cosign public keys: You can use RHACS to ensure the integrity of the container images in your clusters by verifying image signatures against preconfigured keys. You can also create policies to block unsigned images and images that do not have a verified signature and enforce the policy by using an admission controller to stop unauthorized deployment creation.
2. Registry integrations for Amazon Elastic Container Registry (ECR) are now automatically generated for Amazon Web Services (AWS) clusters. This feature requires that the nodes' Instance Identity and Access Management (IAM) Role has been granted access to ECR. You can turn off this feature by disabling the EC2 instance metadata service in your nodes.
3. Identifying missing Kubernetes network policies: RHACS 3.70 ships with a new default policy that allows you to easily identify deployments that are not restricted by any ingress network policy and to trigger violation alerts accordingly. The default policy is named Deployments should have at least one ingress Network Policy. It is disabled by default. This default policy uses a new policy criterion called "Alert on missing ingress Network Policy." To identify pod isolation gaps, you can clone this default policy or create a new one by using the policy criterion and enabling it on selected resources.
4. A policy to detect the Spring Cloud Function RCE vulnerability [CVE-2022-22963] and the Spring Framework Spring4Shell RCE vulnerability [CVE-2022-22965] has been added. It has a severity level of Critical and is enabled by default.
5. A new policy criterion has been added to validate the value of allowPrivilegeEscalation within the Kubernetes security context. You can use this policy criterion to provide alerts when a deployment is configured to allow a container process to gain more privileges than its parent process.
6. Customers using the recommended Operator method to deploy RHACS on OpenShift Container Platform can now view the credentials for the admin user in the OpenShift Container Platform console. When viewing the Central object, the Details tab provides a clickable link to the credentials under Admin Password Secret Reference. The displayed credentials are the default generated password or a previously configured and stored custom secret.
7. Previously, RHACS limited the number of allowed inclusion and exclusion scopes within a scope to ten each. This restriction has been removed.
Notable technical changes
1. Vulnerability scanning and reporting for RHCOS nodes: Vulnerability scanning and reporting for Red Hat Enterprise Linux CoreOS (RHCOS) nodes has been disabled until scanning improvements are made for improved accuracy and to support full host-level scanning beyond just Kubernetes components. Currently, RHCOS uses National Vulnerability Database (NVD) vulnerability data for reporting vulnerabilities for Kubernetes components from RHCOS. In the enhanced version, vulnerability reporting will be based on Red Hat published security data. (ROX-10662)
Deprecated Features:
- - Ability to add comments to alerts and processes - - Anchore, Tenable, and Docker Trusted registry integrations - - External authorization plug-in for scoped access control - - FROM option in the Disallowed Dockerfile line policy field - - RenamePolicyCategory and DeletePolicyCategory API endpoints - - --rhacs option for the roxctl helm output command
Removed Features:
- - Ability to delete default policies - - Security policies without a policyVersion - - /v1/policies API endpoint response: field response body parameter
Security Fixes:
* json-pointer: type confusion vulnerability can lead to a bypass of CVE-2020-7709 when the pointer components are arrays (CVE-2021-23820) * opencontainers: OCI manifest and index parsing confusion (CVE-2021-41190)

Solution

To take advantage of the new features, bug fixes, and enhancements in RHACS3.70 you are advised to upgrade to RHACS 3.70.0.

References

https://access.redhat.com/security/cve/CVE-2018-25032 https://access.redhat.com/security/cve/CVE-2021-3634 https://access.redhat.com/security/cve/CVE-2021-3672 https://access.redhat.com/security/cve/CVE-2021-3737 https://access.redhat.com/security/cve/CVE-2021-4189 https://access.redhat.com/security/cve/CVE-2021-23222 https://access.redhat.com/security/cve/CVE-2021-23820 https://access.redhat.com/security/cve/CVE-2021-25219 https://access.redhat.com/security/cve/CVE-2021-41190 https://access.redhat.com/security/cve/CVE-2022-1154 https://access.redhat.com/security/cve/CVE-2022-1271 https://access.redhat.com/security/updates/classification/#moderate https://docs.openshift.com/acs/3.69/release_notes/370-release-notes.html

Package List

Severity
Advisory ID: RHSA-2022:4880-01
Product: RHACS
Advisory URL: https://access.redhat.com/errata/RHSA-2022:4880
Issued Date: : 2022-06-02
CVE Names: CVE-2018-25032 CVE-2021-3634 CVE-2021-3672 CVE-2021-3737 CVE-2021-4189 CVE-2021-23222 CVE-2021-23820 CVE-2021-25219 CVE-2021-41190 CVE-2022-1154 CVE-2022-1271

Topic

Updated images are now available for Red Hat Advanced Cluster Security forKubernetes (RHACS). The updated image includes bug fixes and featureimprovements.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.

Relevant Releases Architectures

Bugs Fixed

2020369 - CVE-2021-23820 json-pointer: type confusion vulnerability can lead to a bypass of CVE-2020-7709 when the pointer components are arrays

2024938 - CVE-2021-41190 opencontainers: OCI manifest and index parsing confusion

5. JIRA issues fixed (https://issues.jboss.org/):

ROX-11147 - Release RHACS 3.70.0

ROX-9625 - Central is susceptible to connection reuse issues when running on OpenShift

ROX-9902 - Generic webhook notifier with username/password not working

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.