-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Critical: Multicluster Engine for Kubernetes 2.2.3 security updates and bug fixes
Advisory ID:       RHSA-2023:1887-01
Product:           multicluster engine for Kubernetes
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1887
Issue date:        2023-04-19
CVE Names:         CVE-2022-4304 CVE-2022-4450 CVE-2022-25881 
                   CVE-2023-0215 CVE-2023-0286 CVE-2023-0361 
                   CVE-2023-0767 CVE-2023-23916 CVE-2023-29017 
                   CVE-2023-29199 CVE-2023-30547 
====================================================================
1. Summary:

Multicluster Engine for Kubernetes 2.2.3 General Availability release
images,
which fix bugs and security updates container images.

Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE links in the References section.

2. Description:

Multicluster Engine for Kubernetes 2.2.3 images

Multicluster engine for Kubernetes provides the foundational components
that are necessary for the centralized management of multiple
Kubernetes-based clusters across data centers, public clouds, and private
clouds.

You can use the engine to create new Red Hat OpenShift Container Platform
clusters or to bring existing Kubernetes-based clusters under management by
importing them. After the clusters are managed, you can use the APIs that
are provided by the engine to distribute configuration based on placement
policy.

Security fix(es):
* CVE-2022-25881 http-cache-semantics: Regular Expression Denial of Service
(ReDoS) vulnerability
* CVE-2023-29017 vm2: Sandbox Escape
* CVE-2023-29199 vm2: Sandbox Escape
* CVE-2023-30547 vm2: Sandbox Escape when exception sanitization

Jira issue addressed: 

* ACM-4346: MCE 2.2.3 images

3. Solution:

For multicluster engine for Kubernetes, see the following documentation for
details on how to install the images: 

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.7/html/clusters/cluster_mce_overview#installing-while-connected-online-mce

4. Bugs fixed (https://bugzilla.redhat.com/):

2165824 - CVE-2022-25881 http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability
2185374 - CVE-2023-29017 vm2: sandbox escape
2187409 - CVE-2023-29199 vm2: Sandbox Escape
2187608 - CVE-2023-30547 vm2: Sandbox Escape when exception sanitization

5. References:

https://access.redhat.com/security/cve/CVE-2022-4304
https://access.redhat.com/security/cve/CVE-2022-4450
https://access.redhat.com/security/cve/CVE-2022-25881
https://access.redhat.com/security/cve/CVE-2023-0215
https://access.redhat.com/security/cve/CVE-2023-0286
https://access.redhat.com/security/cve/CVE-2023-0361
https://access.redhat.com/security/cve/CVE-2023-0767
https://access.redhat.com/security/cve/CVE-2023-23916
https://access.redhat.com/security/cve/CVE-2023-29017
https://access.redhat.com/security/cve/CVE-2023-29199
https://access.redhat.com/security/cve/CVE-2023-30547
https://access.redhat.com/security/updates/classification/#critical

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZEgujdzjgjWX9erEAQiiVBAAmrNu9+6xb5HWaG6n7avuGB9nliJVocVQ
RO+30PCLSnBKzyO3eMHqkCtiI1iuVqXWeB6Y7zcDD29pnU6WTuKAypMNwzVoGqMI
VVMbiGma+g4fnGmIZx4kKI5H+2fwPPO3ykSeOEnF+yYErNVZrWklUWXp8lGWxBq4
R3dEnzSZHvGaOMWxa/WnfOn0ESquvuShqQDe8TIEi40mO2W2Q+3ykPC8+GMvPWQo
0AHeafQ+ki2F0kct4YUF6flS8T6pQpe4uL6U5nJx8Tq6W6fkp0AQfpC5C0a07tPc
zCP6kWo2lkGD8lepQaf5oK9DKiowo1qgv9Mwwg+eiv5f9YSxJ2pN4TXKDHZ3xU2J
+237A47s7TiB7F+iJMELKyRr0BuUuBXkVBBWVIahLGm2xg3YlcUfWsirY2cWQwh8
KqX11JiU6q5Qyu+pVtRqLcgZkWFB0Gper9qCDDnq7cR65qSAkLltu/a7A8trZRt8
hfYESAlC+ztA6/d2D8yWoxoirRS4/zqYn6rxdeqMc24fEnUsNPKQLBX5R6d8g/tt
UHt0YO+kuCjqW1a3GOTGTEJl9z6Ib54SYLVkPD7QZzADj6IN6Vl7Cbw6SpjlCBgF
8u47uYIw0DdMcIsgM7xB5Jkw5gqRD89i5HV2lP11ByxX6GDgbId1LbtNHBAeCtqu
fcOQBy+PQX4=/g8T
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2023-1887:01 Critical: Multicluster Engine for Kubernetes 2.2.3

Multicluster Engine for Kubernetes 2.2.3 General Availability release images, which fix bugs and security updates container images

Summary

Multicluster Engine for Kubernetes 2.2.3 images
Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds.
You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy.
Security fix(es): * CVE-2022-25881 http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability * CVE-2023-29017 vm2: Sandbox Escape * CVE-2023-29199 vm2: Sandbox Escape * CVE-2023-30547 vm2: Sandbox Escape when exception sanitization
Jira issue addressed:
* ACM-4346: MCE 2.2.3 images



Summary


Solution

For multicluster engine for Kubernetes, see the following documentation for details on how to install the images:
https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.7/html/clusters/cluster_mce_overview#installing-while-connected-online-mce

References

https://access.redhat.com/security/cve/CVE-2022-4304 https://access.redhat.com/security/cve/CVE-2022-4450 https://access.redhat.com/security/cve/CVE-2022-25881 https://access.redhat.com/security/cve/CVE-2023-0215 https://access.redhat.com/security/cve/CVE-2023-0286 https://access.redhat.com/security/cve/CVE-2023-0361 https://access.redhat.com/security/cve/CVE-2023-0767 https://access.redhat.com/security/cve/CVE-2023-23916 https://access.redhat.com/security/cve/CVE-2023-29017 https://access.redhat.com/security/cve/CVE-2023-29199 https://access.redhat.com/security/cve/CVE-2023-30547 https://access.redhat.com/security/updates/classification/#critical

Package List


Severity
Advisory ID: RHSA-2023:1887-01
Product: multicluster engine for Kubernetes
Advisory URL: https://access.redhat.com/errata/RHSA-2023:1887
Issued Date: : 2023-04-19
CVE Names: CVE-2022-4304 CVE-2022-4450 CVE-2022-25881 CVE-2023-0215 CVE-2023-0286 CVE-2023-0361 CVE-2023-0767 CVE-2023-23916 CVE-2023-29017 CVE-2023-29199 CVE-2023-30547

Topic

Multicluster Engine for Kubernetes 2.2.3 General Availability releaseimages,which fix bugs and security updates container images.Red Hat Product Security has rated this update as having a security impactof Critical. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE links in the References section.


Topic


 

Relevant Releases Architectures


Bugs Fixed

2165824 - CVE-2022-25881 http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability

2185374 - CVE-2023-29017 vm2: sandbox escape

2187409 - CVE-2023-29199 vm2: Sandbox Escape

2187608 - CVE-2023-30547 vm2: Sandbox Escape when exception sanitization


Related News

News

Powered By

Footer Logo

Linux Security - Your source for Top Linux News, Advisories, HowTo's and Feature Release.

Powered By

Footer Logo