RedHat: RHSA-2022-6345:01 Moderate: Multicluster Engine for Kuberne...

Advisories

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Multicluster Engine for Kubernetes 2.1 security updates and bug fixes
Advisory ID:       RHSA-2022:6345-01
Product:           multicluster engine for Kubernetes
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6345
Issue date:        2022-09-06
CVE Names:         CVE-2022-1292 CVE-2022-1586 CVE-2022-1705 
                   CVE-2022-1962 CVE-2022-2068 CVE-2022-2097 
                   CVE-2022-2526 CVE-2022-28131 CVE-2022-29154 
                   CVE-2022-30629 CVE-2022-30630 CVE-2022-30631 
                   CVE-2022-30632 CVE-2022-30633 CVE-2022-30635 
                   CVE-2022-31129 CVE-2022-32148 CVE-2022-32206 
                   CVE-2022-32208 
=====================================================================

1. Summary:

Multicluster Engine v2.1

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Multicluster engine for Kubernetes 2.1 images

Multicluster engine for Kubernetes provides the foundational components
that are necessary for the centralized management of multiple
Kubernetes-based clusters across data centers, public clouds, and private
clouds.

You can use the engine to create new Red Hat OpenShift Container Platform
clusters or to bring existing Kubernetes-based clusters under management by
importing them. After the clusters are managed, you can use the APIs that
are provided by the engine to distribute configuration based on placement
policy.

Security fixes:

* CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS

* CVE-2022-1705 golang: net/https: improper sanitization of
Transfer-Encoding header

* CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions

* CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip

* CVE-2022-30630 golang: io/fs: stack exhaustion in Glob

* CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read

* CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob

* CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal

* CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode

* CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy -
omit X-Forwarded-For not working

* CVE-2022-30629 golang: crypto/tls: session tickets lack random
ticket_age_add

Bug fixes:

* MCE 2.1.0 Images (BZ# 2090907)

* cluster-proxy-agent not able to startup (BZ# 2109394)

* Create cluster button skips Infrastructure page, shows blank page (BZ#
2110713)

* AWS Icon sometimes doesn't show up in create cluster wizard (BZ# 2110734)

* Infrastructure descriptions in create cluster catalog should be
consistent and clear (BZ# 2110811)

* The user with clusterset view permission should not able to update the
namespace binding with the pencil icon on clusterset details page (BZ#
2111483)

* hypershift cluster creation -> not all agent labels are shown in the node
pools screen (BZ# 2112326)

* CIM - SNO expansion, worker node status incorrect (BZ# 2114735)

* Wizard fields are not pre-filled after picking credentials (BZ# 2117163)

* ManagedClusterImageRegistry CR is wrong in pure MCE env

3. Solution:

For multicluster engine for Kubernetes, see the following documentation for
details on how to install the images:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.6/html/multicluster_engine/install_upgrade/installing-while-connected-online-mce

4. Bugs fixed (https://bugzilla.redhat.com/):

2090907 - MCE 2.1.0 Images
2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add
2105075 - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read
2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob
2107374 - CVE-2022-1705 golang: net/https: improper sanitization of Transfer-Encoding header
2107376 - CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions
2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob
2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode
2107390 - CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip
2107392 - CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal
2109394 - cluster-proxy-agent not able to startup
2111483 - The user with clusterset view permission should not able to update the namespace binding with the pencil icon on clusterset details page
2112326 - [UI] hypershift cluster creation -> not all agent labels are shown in the node pools screen
2114735 - [UI] CIM - SNO expansion, worker node status incorrect
2117163 - [UI] Wizard fields are not pre-filled after picking credentials
2117447 - [ACM 2.6] ManagedClusterImageRegistry CR is wrong in pure MCE env

5. References:

https://access.redhat.com/security/cve/CVE-2022-1292
https://access.redhat.com/security/cve/CVE-2022-1586
https://access.redhat.com/security/cve/CVE-2022-1705
https://access.redhat.com/security/cve/CVE-2022-1962
https://access.redhat.com/security/cve/CVE-2022-2068
https://access.redhat.com/security/cve/CVE-2022-2097
https://access.redhat.com/security/cve/CVE-2022-2526
https://access.redhat.com/security/cve/CVE-2022-28131
https://access.redhat.com/security/cve/CVE-2022-29154
https://access.redhat.com/security/cve/CVE-2022-30629
https://access.redhat.com/security/cve/CVE-2022-30630
https://access.redhat.com/security/cve/CVE-2022-30631
https://access.redhat.com/security/cve/CVE-2022-30632
https://access.redhat.com/security/cve/CVE-2022-30633
https://access.redhat.com/security/cve/CVE-2022-30635
https://access.redhat.com/security/cve/CVE-2022-31129
https://access.redhat.com/security/cve/CVE-2022-32148
https://access.redhat.com/security/cve/CVE-2022-32206
https://access.redhat.com/security/cve/CVE-2022-32208
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYxd1PNzjgjWX9erEAQh7HA//fT5iA3HhDII5vYRpRaOLoXR2cczIDvlC
WV6jZ4or3aPhJVrr+SI2HVNOLyFXcHswnuwbESf0IKUQcV1DfeCp5spuenYRaBv9
Sl3aho5eNriBhttGYovshlMSEwhfIYeRO5tHRe0cmr30e/UKf81oUFKR+4I7Ub3P
nANV5JX2xMj2vXZR9jD/hHPu6m+3q9dQisNGXv3vXhyxGgeOVzVNg8fKt9KyE5sY
rbx5a5FcIvkxkePY18JqJdJbNR/bkxJFsLX0N0koJR1OPyyvzZxq03vaPJksJQIp
cpuYVW5zA1jYH9LkOh//BJyM+uYrpDDs+e0SzGOKloXmSJ7jN8P9jfGQo/3wRV1i
8QityhTmb9Or5abE3czeqYdTLxIssLkpxNOnPpdYuhVxK/NXCRvrtGpwb1Uqn5NI
mw2kiIvFW3751GwwzxGau/8cwF9XoJZHsm9G9CaGexqgZV0p6ZqXybH1dr3MqQix
57QYFgX3jwJt516dBibxARKAAeVYnAuLH5y21NyA8zhBtTT+26qgWKWxme7FQJFM
fBIF/yopoWDZCMw4mkznupMFP5soixuYVBz9X3ftIBbYuJ3Y5fjQfaiUi/zi0B+c
maBncWDxlVu0p4vtwNZx3fk6QxP0uaRFJdJY91fSW0JFoaDa8NVBwXkw7aBIPbMX
Da5a/9G9+eU=
=oVuT
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2022-6345:01 Moderate: Multicluster Engine for Kubernetes 2.1

Multicluster Engine v2.1 Red Hat Product Security has rated this update as having a security impact of Moderate

Summary

Multicluster engine for Kubernetes 2.1 images
Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds.
You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy.
Security fixes:
* CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS
* CVE-2022-1705 golang: net/https: improper sanitization of Transfer-Encoding header
* CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions
* CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip
* CVE-2022-30630 golang: io/fs: stack exhaustion in Glob
* CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read
* CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob
* CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal
* CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode
* CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
* CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add
Bug fixes:
* MCE 2.1.0 Images (BZ# 2090907)
* cluster-proxy-agent not able to startup (BZ# 2109394)
* Create cluster button skips Infrastructure page, shows blank page (BZ# 2110713)
* AWS Icon sometimes doesn't show up in create cluster wizard (BZ# 2110734)
* Infrastructure descriptions in create cluster catalog should be consistent and clear (BZ# 2110811)
* The user with clusterset view permission should not able to update the namespace binding with the pencil icon on clusterset details page (BZ# 2111483)
* hypershift cluster creation -> not all agent labels are shown in the node pools screen (BZ# 2112326)
* CIM - SNO expansion, worker node status incorrect (BZ# 2114735)
* Wizard fields are not pre-filled after picking credentials (BZ# 2117163)
* ManagedClusterImageRegistry CR is wrong in pure MCE env

Solution

For multicluster engine for Kubernetes, see the following documentation fordetails on how to install the images:https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.6/html/multicluster_engine/install_upgrade/installing-while-connected-online-mce

References

https://access.redhat.com/security/cve/CVE-2022-1292 https://access.redhat.com/security/cve/CVE-2022-1586 https://access.redhat.com/security/cve/CVE-2022-1705 https://access.redhat.com/security/cve/CVE-2022-1962 https://access.redhat.com/security/cve/CVE-2022-2068 https://access.redhat.com/security/cve/CVE-2022-2097 https://access.redhat.com/security/cve/CVE-2022-2526 https://access.redhat.com/security/cve/CVE-2022-28131 https://access.redhat.com/security/cve/CVE-2022-29154 https://access.redhat.com/security/cve/CVE-2022-30629 https://access.redhat.com/security/cve/CVE-2022-30630 https://access.redhat.com/security/cve/CVE-2022-30631 https://access.redhat.com/security/cve/CVE-2022-30632 https://access.redhat.com/security/cve/CVE-2022-30633 https://access.redhat.com/security/cve/CVE-2022-30635 https://access.redhat.com/security/cve/CVE-2022-31129 https://access.redhat.com/security/cve/CVE-2022-32148 https://access.redhat.com/security/cve/CVE-2022-32206 https://access.redhat.com/security/cve/CVE-2022-32208 https://access.redhat.com/security/updates/classification/#moderate

Package List

Severity
Advisory ID: RHSA-2022:6345-01
Product: multicluster engine for Kubernetes
Advisory URL: https://access.redhat.com/errata/RHSA-2022:6345
Issued Date: : 2022-09-06
CVE Names: CVE-2022-1292 CVE-2022-1586 CVE-2022-1705 CVE-2022-1962 CVE-2022-2068 CVE-2022-2097 CVE-2022-2526 CVE-2022-28131 CVE-2022-29154 CVE-2022-30629 CVE-2022-30630 CVE-2022-30631 CVE-2022-30632 CVE-2022-30633 CVE-2022-30635 CVE-2022-31129 CVE-2022-32148 CVE-2022-32206 CVE-2022-32208

Topic

Multicluster Engine v2.1Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.

Relevant Releases Architectures

Bugs Fixed

2090907 - MCE 2.1.0 Images

2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add

2105075 - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS

2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read

2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob

2107374 - CVE-2022-1705 golang: net/https: improper sanitization of Transfer-Encoding header

2107376 - CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions

2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working

2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob

2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode

2107390 - CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip

2107392 - CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal

2109394 - cluster-proxy-agent not able to startup

2111483 - The user with clusterset view permission should not able to update the namespace binding with the pencil icon on clusterset details page

2112326 - [UI] hypershift cluster creation -> not all agent labels are shown in the node pools screen

2114735 - [UI] CIM - SNO expansion, worker node status incorrect

2117163 - [UI] Wizard fields are not pre-filled after picking credentials

2117447 - [ACM 2.6] ManagedClusterImageRegistry CR is wrong in pure MCE env

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.