RedHat: RHSA-2022-6370:01 Moderate: Red Hat Advanced Cluster Management
Summary
Red Hat Advanced Cluster Management for Kubernetes 2.6.0 images
Red Hat Advanced Cluster Management for Kubernetes provides the
capabilities to address common challenges that administrators and site
reliability engineers face as they work across a range of public and
private cloud environments. Clusters and applications are all visible and
managed from a single console—with security policy built in.
This advisory contains the container images for Red Hat Advanced Cluster
Management for Kubernetes, which fix security issues and several bugs. See
the following Release Notes documentation, which will be updated shortly
for this release, for additional details about this release:
https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.6/html/release_notes/
Security fixes:
* CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS
* CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add
* CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header
* CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions
* CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip
* CVE-2022-30630 golang: io/fs: stack exhaustion in Glob
* CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read
* CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob
* CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal
* CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode
* CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
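The last item on the list is the one most likely to matter to anyone who runs their own Go reverse proxy in front of a cluster service. The httputil contract is that a Director which sets X-Forwarded-For to a nil value tells ReverseProxy not to send the header at all, while the default behaviour keeps whatever the client supplied and appends the peer address. The following program is an added example, not code from this advisory or from the RHACM images; it builds a throwaway backend and proxy with net/http/httptest and a constructed client-supplied value (203.0.113.7) so that a practitioner can confirm on their own toolchain that the nil signal is honoured and see what the backend receives when it is not.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// xffSeen is what the constructed backend observed for one proxied request.
type xffSeen struct {
	present bool   // header key was present at all
	value   string // joined header value, "" if absent
}

// backendXFF stands up a loopback backend, fronts it with
// NewSingleHostReverseProxy, sends one request carrying a client-supplied
// X-Forwarded-For value (constructed test input), and reports what the
// backend actually received. When omit is true the Director sets the
// header to nil, the documented way to tell ReverseProxy not to populate
// it; CVE-2022-32148 is the case where that signal was not honoured.
func backendXFF(omit bool, clientXFF string) (xffSeen, error) {
	seen := make(chan xffSeen, 1)
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_, present := r.Header["X-Forwarded-For"]
		seen <- xffSeen{present: present, value: r.Header.Get("X-Forwarded-For")}
		w.WriteHeader(http.StatusNoContent)
	}))
	defer backend.Close()

	target, err := url.Parse(backend.URL)
	if err != nil {
		return xffSeen{}, err
	}
	proxy := httputil.NewSingleHostReverseProxy(target)
	if omit {
		defaultDirector := proxy.Director
		proxy.Director = func(req *http.Request) {
			defaultDirector(req)
			// nil, not Del: a missing key means "append the peer IP",
			// a nil value means "do not send this header at all".
			req.Header["X-Forwarded-For"] = nil
		}
	}
	front := httptest.NewServer(proxy)
	defer front.Close()

	req, err := http.NewRequest(http.MethodGet, front.URL+"/", nil)
	if err != nil {
		return xffSeen{}, err
	}
	if clientXFF != "" {
		// Attacker-controlled input: whatever the client claims upstream.
		req.Header.Set("X-Forwarded-For", clientXFF)
	}
	resp, err := front.Client().Do(req)
	if err != nil {
		return xffSeen{}, err
	}
	io.Copy(io.Discard, resp.Body)
	resp.Body.Close()
	return <-seen, nil
}

func main() {
	for _, omit := range []bool{false, true} {
		got, err := backendXFF(omit, "203.0.113.7")
		if err != nil {
			panic(err)
		}
		fmt.Printf("omit=%v present=%v value=%q\n", omit, got.present, got.value)
	}
}
```

With a patched toolchain the omit run reaches the backend with no X-Forwarded-For header at all, and the default run delivers "203.0.113.7, " followed by the loopback peer address. Note that Header.Del is not a substitute for nil: deleting the key only discards the client-supplied list, and ReverseProxy then sends the peer address on its own.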
Bug fixes:
* assisted-service repo pin-latest.py script should allow custom tags to be pinned (BZ# 2065661)
* assisted-service-build image is too big in size (BZ# 2066059)
* assisted-service pin-latest.py script should exclude the postgres image (BZ# 2076901)
* PXE artifacts need to be served via HTTP (BZ# 2078531)
* Implementing new service-agent protocol on agent side (BZ# 2081281)
* RHACM 2.6.0 images (BZ# 2090906)
* Assisted service POD keeps crashing after a bare metal host is created (BZ# 2093503)
* Assisted service triggers the worker nodes re-provisioning on the hub cluster when the converged flow is enabled (BZ# 2096106)
* Fix assisted CI jobs that fail for cluster-info readiness (BZ# 2097696)
* Nodes are required to have installation disks of at least 120GB instead of at minimum of 100GB (BZ# 2099277)
* The pre-selected search keyword is not readable (BZ# 2107736)
* The value of label expressions in the new placement for policy and policysets cannot be shown real-time from UI (BZ# 2111843)
Solution
For Red Hat Advanced Cluster Management for Kubernetes, see the following
documentation, which will be updated shortly for this release, for
important instructions on installing this release:
https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.6/html-single/install/index#installing
References
https://access.redhat.com/security/cve/CVE-2022-1012
https://access.redhat.com/security/cve/CVE-2022-1292
https://access.redhat.com/security/cve/CVE-2022-1586
https://access.redhat.com/security/cve/CVE-2022-1705
https://access.redhat.com/security/cve/CVE-2022-1785
https://access.redhat.com/security/cve/CVE-2022-1897
https://access.redhat.com/security/cve/CVE-2022-1927
https://access.redhat.com/security/cve/CVE-2022-1962
https://access.redhat.com/security/cve/CVE-2022-2068
https://access.redhat.com/security/cve/CVE-2022-2097
https://access.redhat.com/security/cve/CVE-2022-2526
https://access.redhat.com/security/cve/CVE-2022-28131
https://access.redhat.com/security/cve/CVE-2022-29154
https://access.redhat.com/security/cve/CVE-2022-30629
https://access.redhat.com/security/cve/CVE-2022-30630
https://access.redhat.com/security/cve/CVE-2022-30631
https://access.redhat.com/security/cve/CVE-2022-30632
https://access.redhat.com/security/cve/CVE-2022-30633
https://access.redhat.com/security/cve/CVE-2022-30635
https://access.redhat.com/security/cve/CVE-2022-31129
https://access.redhat.com/security/cve/CVE-2022-32148
https://access.redhat.com/security/cve/CVE-2022-32206
https://access.redhat.com/security/cve/CVE-2022-32208
https://access.redhat.com/security/cve/CVE-2022-32250
https://access.redhat.com/security/updates/classification/#moderate
Topic
Red Hat Advanced Cluster Management for Kubernetes 2.6.0 General Availability release images, which fix security issues and bugs. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.
Bugs Fixed
2065661 - assisted-service repo pin-latest.py script should allow custom tags to be pinned
2066059 - assisted-service-build image is too big in size
2076901 - assisted-service pin-latest.py script should exclude the postgres image
2078531 - iPXE artifacts need to be served via HTTP
2081281 - Implementing new service-agent protocol on agent side
2090901 - Capital letters in install-config.yaml .platform.baremetal.hosts[].name cause bootkube errors
2090906 - RHACM 2.6.0 images
2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add
2093503 - Assisted service POD keeps crashing after a bare metal host is created
2096106 - Assisted service triggers the worker nodes re-provisioning on the hub cluster when the converged flow is enabled
2096445 - Assisted service POD keeps crashing after a bare metal host is created
2096460 - Spoke BMH stuck "inspecting" when deployed via the converged workflow
2097696 - Fix assisted CI jobs that fail for cluster-info readiness
2099277 - Nodes are required to have installation disks of at least 120GB instead of at minimum of 100GB
2103703 - Automatic version upgrade triggered for oadp operator installed by cluster-backup-chart
2104117 - Spoke BMH stuck "available" after changing a BIOS attribute via the converged workflow
2104984 - Infrastructure operator missing clusterrole permissions for interacting with mutatingwebhookconfigurations
2105075 - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS
2105339 - Search Application button on the Application Table for Subscription applications does not Redirect
2105357 - [UI] hypershift cluster creation error - n[0] is undefined
2106347 - Submariner error looking up service account submariner-operator/submariner-addon-sa
2106882 - Security Context Restrictions are restricting creation of some pods which affects the deployment of some applications
2107049 - The clusterrole for global clusterset did not created by default
2107065 - governance-policy-framework in CrashLoopBackOff state on spoke cluster: Failed to start manager {"error": "error listening on :8081: listen tcp :8081: bind: address already in use"}
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read
2107370 - Helm Release resource recreation feature does not work with the local cluster
2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob
2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header
2107376 - CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions
2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob
2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode
2107390 - CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip
2107392 - CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal
2108888 - Hypershift on AWS - control plane not running
2109370 - The button to create the cluster is not visible
2111203 - Add ocp 4.11 to filters for discovering clusters in ACM 2.6
2111218 - Create cluster - Infrastructure page crashes
2111651 - "View application" button on app table for Flux applications redirects to apiVersion=ocp instead of flux
2111663 - Hosted cluster in Pending import state
2111671 - Leaked namespaces after deleting hypershift deployment
2111770 - [ACM 2.6] there is no node info for remote cluster in multiple hubs
2111843 - The value of label expressions in the new placement for policy and policysets cannot be shown real-time from UI
2112180 - The policy page is crashed after input keywords in the search box
2112281 - config-policy-controller pod can't startup in the OCP3.11 managed cluster
2112318 - Can't delete the objects which are re-created by policy when deleting the policy
2112321 - BMAC reconcile loop never stops after changes
2112426 - No cluster discovered due to x509: certificate signed by unknown authority
2112478 - Value of delayAfterRunSeconds is not shown on the final submit panel and the word itself should not be wrapped.
2112793 - Can't view details of the policy template when set the spec.pruneObjectBehavior as unsupported value
2112803 - ClusterServiceVersion for release 2.6 branch references "latest" tag
2113787 - [ACM 2.6] can not delete namespaces after detaching the hosted cluster
2113838 - the cluster proxy-agent was deployed on the non-infra nodes
2113842 - [ACM 2.6] must restart hosting cluster registration pod if update work-manager-addon cr to change installNamespace
2114982 - Control plane type shows 'Standalone' for hypershift cluster
2115622 - Hub fromsecret function doesn't work for hosted mode in multiple hub
2115723 - Can't view details of the policy template for customer and hypershift cluster in hosted mode from UI
2115993 - Policy automation details panel was not updated after editing the mode back to disabled
2116211 - Count of violations with unknown status was not accurate when managed clusters have mixed status
2116329 - cluster-proxy-agent not startup due to the imagepullbackoff on spoke cluster
2117113 - The proxy-server-host was not correct in cluster-proxy-agent
2117187 - pruneObjectBehavior radio selection cannot work well and always switch the first one template in multiple configurationPolicy templates
2117480 - [ACM 2.6] infra-id of HypershiftDeployment doesn't work
2118338 - Report the "namespace not found" error after clicked view yaml link of a policy in the multiple hub env
2119326 - Can't view details of the SecurityContextConstraints policy for managed clusters from UI