RedHat: RHSA-2023-0631:01 Moderate: RHSA: Submariner 0.14 - bug fix...

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: RHSA: Submariner 0.14 - bug fix and security updates
Advisory ID:       RHSA-2023:0631-01
Product:           Red Hat ACM
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0631
Issue date:        2023-02-07
CVE Names:         CVE-2016-3709 CVE-2020-35525 CVE-2020-35527 
                   CVE-2021-46848 CVE-2022-1304 CVE-2022-2509 
                   CVE-2022-2601 CVE-2022-2880 CVE-2022-3515 
                   CVE-2022-3775 CVE-2022-3787 CVE-2022-3821 
                   CVE-2022-22624 CVE-2022-22628 CVE-2022-22629 
                   CVE-2022-22662 CVE-2022-26700 CVE-2022-26709 
                   CVE-2022-26710 CVE-2022-26716 CVE-2022-26717 
                   CVE-2022-26719 CVE-2022-27664 CVE-2022-30293 
                   CVE-2022-30698 CVE-2022-30699 CVE-2022-35737 
                   CVE-2022-37434 CVE-2022-40303 CVE-2022-40304 
                   CVE-2022-40674 CVE-2022-41715 CVE-2022-41717 
                   CVE-2022-41974 CVE-2022-42010 CVE-2022-42011 
                   CVE-2022-42012 CVE-2022-42898 CVE-2022-43680 
=====================================================================

1. Summary:

Submariner 0.14 packages that fix various bugs and add various enhancements
that are now available for Red Hat Advanced Cluster Management for
Kubernetes version 2.7

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE links in the References section.

2. Description:

Submariner enables direct networking between pods and services on different
Kubernetes clusters that are either on-premises or in the cloud.

For more information about Submariner, see the Submariner open source
community website at: https://submariner.io/.

This advisory contains bug fixes and enhancements to the Submariner
container images.

Security fixes:

* CVE-2022-27664 golang: net/http: handle server errors after sending
GOAWAY
* CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward
unparseable query parameters
* CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing
regexps
* CVE-2022-41717 golang: net/http: An attacker can cause excessive memory
growth in a Go server accepting HTTP/2 requests

Bugs addressed:

* subctl diagnose firewall metrics does not work on merged kubeconfig (BZ#
2013711)
* [Submariner] - Fails to increase gateway amount after deployment (BZ#
2097381)
* Submariner gateway node does not get deleted with subctl cloud cleanup
command (BZ# 2108634)
* submariner GW pods are unable to resolve the DNS of the Broker K8s API
URL (BZ# 2119362)
* Submariner gateway node does not get deployed after applying
ManagedClusterAddOn on Openstack (BZ# 2124219)
* unable to run subctl benchmark latency, pods fail with ImagePullBackOff
(BZ# 2130326)
* [IBM Z] - Submariner addon uninstallation doesn't work from ACM console
(BZ# 2136442)
* Tags on AWS security group for gateway node break cloud-controller
LoadBalancer (BZ# 2139477)
* RHACM - Submariner: UI support for OpenStack #19297 (ACM-1242)
* Submariner OVN support (ACM-1358)
* Submariner Azure Console support (ACM-1388)
* ManagedClusterSet consumers migrate to v1beta2 (ACM-1614)
* Submariner on disconnected ACM #22000 (ACM-1678)
* Submariner gateway: Error creating AWS security group if already exists
(ACM-2055)
* Submariner gateway security group in AWS not deleted when uninstalling
submariner (ACM-2057)
* The submariner-metrics-proxy pod pulls an image with wrong naming
convention (ACM-2058)
* The submariner-metrics-proxy pod is not part of the Agent readiness check
(ACM-2067)
* Subctl 0.14.0 prints version "vsubctl" (ACM-2132)
* managedclusters "local-cluster" not found and missing Submariner Broker
CRD (ACM-2145)
* Add support of ARO to Submariner deployment (ACM-2150)
* The e2e tests execution fails for "Basic TCP connectivity" tests
(ACM-2204)
* Gateway error shown "diagnose all" tests (ACM-2206)
* Submariner does not support cluster "kube-proxy ipvs mode" (ACM-2211)
* Vsphere cluster shows Pod Security admission controller warnings
(ACM-2256)
* Cannot use submariner with OSP and self signed certs (ACM-2274)
* Subctl diagnose tests spawn nettest image with wrong tag naming
convention (ACM-2387)
* Subctl 0.14.1 prints version "devel" (ACM-2482)

3. Solution:

For details on how to install Submariner, refer to:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.7/html/add-ons/submariner#deploying-submariner-console

and

https://submariner.io/getting-started/

4. Bugs fixed (https://bugzilla.redhat.com/):

2013711 - subctl diagnose firewall metrics does not work on merged kubeconfig
2097381 - [Submariner] - Fails to increase gateway amount after deployment
2108634 - Submariner gateway node does not get deleted with subctl cloud cleanup command
2119362 - submariner GW pods are unable to resolve the DNS of the Broker K8s API URL
2124219 - Submariner gateway node does not get deployed after applying ManagedClusterAddOn on Openstack
2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY
2130326 - unable to run subctl benchmark latency, pods fail with ImagePullBackOff
2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps
2136442 - [IBM Z] - Submariner addon uninstallation doesn't work from ACM console
2139477 - Tags on AWS security group for gateway node break cloud-controller LoadBalancer
2161274 - CVE-2022-41717 golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests

5. JIRA issues fixed (https://issues.jboss.org/):

ACM-1614 - ManagedClusterSet consumers migrate to v1beta2 (Submariner)
ACM-2055 - Submariner gateway: Error creating AWS security group if already exists
ACM-2057 - [Submariner] - submariner gateway security group in aws not deleted when uninstalling submariner
ACM-2058 - [Submariner] - The submariner-metrics-proxy pod pulls an image with wrong naming convention
ACM-2067 - [Submariner] - The submariner-metrics-proxy pod is not part of the Agent readiness check
ACM-2132 - Subctl 0.14.0 prints version "vsubctl"
ACM-2145 - managedclusters "local-cluster" not found and missing Submariner Broker CRD
ACM-2150 - Add support of ARO to Submariner deployment
ACM-2204 - [Submariner] - e2e tests execution fails for "Basic TCP connectivity" tests
ACM-2206 - [Submariner] - Gateway error shown "diagnose all" tests
ACM-2211 - [Submariner] - Submariner does not support cluster "kube-proxy ipvs mode"
ACM-2256 - [Submariner] - Vsphere cluster shows Pod Security admission controller warnings
ACM-2274 - Cannot use submariner with OSP and self signed certs
ACM-2387 - [Submariner] - subctl diagnose tests spawn nettest image with wrong tag naming convention
ACM-2482 - Subctl 0.14.1 prints version "devel"

6. References:

https://access.redhat.com/security/cve/CVE-2016-3709
https://access.redhat.com/security/cve/CVE-2020-35525
https://access.redhat.com/security/cve/CVE-2020-35527
https://access.redhat.com/security/cve/CVE-2021-46848
https://access.redhat.com/security/cve/CVE-2022-1304
https://access.redhat.com/security/cve/CVE-2022-2509
https://access.redhat.com/security/cve/CVE-2022-2601
https://access.redhat.com/security/cve/CVE-2022-2880
https://access.redhat.com/security/cve/CVE-2022-3515
https://access.redhat.com/security/cve/CVE-2022-3775
https://access.redhat.com/security/cve/CVE-2022-3787
https://access.redhat.com/security/cve/CVE-2022-3821
https://access.redhat.com/security/cve/CVE-2022-22624
https://access.redhat.com/security/cve/CVE-2022-22628
https://access.redhat.com/security/cve/CVE-2022-22629
https://access.redhat.com/security/cve/CVE-2022-22662
https://access.redhat.com/security/cve/CVE-2022-26700
https://access.redhat.com/security/cve/CVE-2022-26709
https://access.redhat.com/security/cve/CVE-2022-26710
https://access.redhat.com/security/cve/CVE-2022-26716
https://access.redhat.com/security/cve/CVE-2022-26717
https://access.redhat.com/security/cve/CVE-2022-26719
https://access.redhat.com/security/cve/CVE-2022-27664
https://access.redhat.com/security/cve/CVE-2022-30293
https://access.redhat.com/security/cve/CVE-2022-30698
https://access.redhat.com/security/cve/CVE-2022-30699
https://access.redhat.com/security/cve/CVE-2022-35737
https://access.redhat.com/security/cve/CVE-2022-37434
https://access.redhat.com/security/cve/CVE-2022-40303
https://access.redhat.com/security/cve/CVE-2022-40304
https://access.redhat.com/security/cve/CVE-2022-40674
https://access.redhat.com/security/cve/CVE-2022-41715
https://access.redhat.com/security/cve/CVE-2022-41717
https://access.redhat.com/security/cve/CVE-2022-41974
https://access.redhat.com/security/cve/CVE-2022-42010
https://access.redhat.com/security/cve/CVE-2022-42011
https://access.redhat.com/security/cve/CVE-2022-42012
https://access.redhat.com/security/cve/CVE-2022-42898
https://access.redhat.com/security/cve/CVE-2022-43680
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
--
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce
