-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Critical: Multicluster Engine for Kubernetes 2.2.3 security updates and bug fixes
Advisory ID:       RHSA-2023:1887-01
Product:           multicluster engine for Kubernetes
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1887
Issue date:        2023-04-19
CVE Names:         CVE-2022-4304 CVE-2022-4450 CVE-2022-25881 
                   CVE-2023-0215 CVE-2023-0286 CVE-2023-0361 
                   CVE-2023-0767 CVE-2023-23916 CVE-2023-29017 
                   CVE-2023-29199 CVE-2023-30547 
====================================================================
1. Summary:

Multicluster Engine for Kubernetes 2.2.3 General Availability release
images,
which fix bugs and security updates container images.

Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE links in the References section.

2. Description:

Multicluster Engine for Kubernetes 2.2.3 images

Multicluster engine for Kubernetes provides the foundational components
that are necessary for the centralized management of multiple
Kubernetes-based clusters across data centers, public clouds, and private
clouds.

You can use the engine to create new Red Hat OpenShift Container Platform
clusters or to bring existing Kubernetes-based clusters under management by
importing them. After the clusters are managed, you can use the APIs that
are provided by the engine to distribute configuration based on placement
policy.

Security fix(es):
* CVE-2022-25881 http-cache-semantics: Regular Expression Denial of Service
(ReDoS) vulnerability
* CVE-2023-29017 vm2: Sandbox Escape
* CVE-2023-29199 vm2: Sandbox Escape
* CVE-2023-30547 vm2: Sandbox Escape when exception sanitization

Jira issue addressed: 

* ACM-4346: MCE 2.2.3 images

3. Solution:

For multicluster engine for Kubernetes, see the following documentation for
details on how to install the images: 

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.7/html/clusters/cluster_mce_overview#installing-while-connected-online-mce

4. Bugs fixed (https://bugzilla.redhat.com/):

2165824 - CVE-2022-25881 http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability
2185374 - CVE-2023-29017 vm2: sandbox escape
2187409 - CVE-2023-29199 vm2: Sandbox Escape
2187608 - CVE-2023-30547 vm2: Sandbox Escape when exception sanitization

5. References:

https://access.redhat.com/security/cve/CVE-2022-4304
https://access.redhat.com/security/cve/CVE-2022-4450
https://access.redhat.com/security/cve/CVE-2022-25881
https://access.redhat.com/security/cve/CVE-2023-0215
https://access.redhat.com/security/cve/CVE-2023-0286
https://access.redhat.com/security/cve/CVE-2023-0361
https://access.redhat.com/security/cve/CVE-2023-0767
https://access.redhat.com/security/cve/CVE-2023-23916
https://access.redhat.com/security/cve/CVE-2023-29017
https://access.redhat.com/security/cve/CVE-2023-29199
https://access.redhat.com/security/cve/CVE-2023-30547
https://access.redhat.com/security/updates/classification/#critical

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZEgujdzjgjWX9erEAQiiVBAAmrNu9+6xb5HWaG6n7avuGB9nliJVocVQ
RO+30PCLSnBKzyO3eMHqkCtiI1iuVqXWeB6Y7zcDD29pnU6WTuKAypMNwzVoGqMI
VVMbiGma+g4fnGmIZx4kKI5H+2fwPPO3ykSeOEnF+yYErNVZrWklUWXp8lGWxBq4
R3dEnzSZHvGaOMWxa/WnfOn0ESquvuShqQDe8TIEi40mO2W2Q+3ykPC8+GMvPWQo
0AHeafQ+ki2F0kct4YUF6flS8T6pQpe4uL6U5nJx8Tq6W6fkp0AQfpC5C0a07tPc
zCP6kWo2lkGD8lepQaf5oK9DKiowo1qgv9Mwwg+eiv5f9YSxJ2pN4TXKDHZ3xU2J
+237A47s7TiB7F+iJMELKyRr0BuUuBXkVBBWVIahLGm2xg3YlcUfWsirY2cWQwh8
KqX11JiU6q5Qyu+pVtRqLcgZkWFB0Gper9qCDDnq7cR65qSAkLltu/a7A8trZRt8
hfYESAlC+ztA6/d2D8yWoxoirRS4/zqYn6rxdeqMc24fEnUsNPKQLBX5R6d8g/tt
UHt0YO+kuCjqW1a3GOTGTEJl9z6Ib54SYLVkPD7QZzADj6IN6Vl7Cbw6SpjlCBgF
8u47uYIw0DdMcIsgM7xB5Jkw5gqRD89i5HV2lP11ByxX6GDgbId1LbtNHBAeCtqu
fcOQBy+PQX4=/g8T
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2023-1887:01 Critical: Multicluster Engine for Kubernetes 2.2.3

Multicluster Engine for Kubernetes 2.2.3 General Availability release images, which fix bugs and security updates container images

Summary

Multicluster Engine for Kubernetes 2.2.3 images
Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds.
You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy.
Security fix(es): * CVE-2022-25881 http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability * CVE-2023-29017 vm2: Sandbox Escape * CVE-2023-29199 vm2: Sandbox Escape * CVE-2023-30547 vm2: Sandbox Escape when exception sanitization
Jira issue addressed:
* ACM-4346: MCE 2.2.3 images



Summary


Solution

For multicluster engine for Kubernetes, see the following documentation for details on how to install the images:
https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.7/html/clusters/cluster_mce_overview#installing-while-connected-online-mce

References

https://access.redhat.com/security/cve/CVE-2022-4304 https://access.redhat.com/security/cve/CVE-2022-4450 https://access.redhat.com/security/cve/CVE-2022-25881 https://access.redhat.com/security/cve/CVE-2023-0215 https://access.redhat.com/security/cve/CVE-2023-0286 https://access.redhat.com/security/cve/CVE-2023-0361 https://access.redhat.com/security/cve/CVE-2023-0767 https://access.redhat.com/security/cve/CVE-2023-23916 https://access.redhat.com/security/cve/CVE-2023-29017 https://access.redhat.com/security/cve/CVE-2023-29199 https://access.redhat.com/security/cve/CVE-2023-30547 https://access.redhat.com/security/updates/classification/#critical

Package List


Severity
Advisory ID: RHSA-2023:1887-01
Product: multicluster engine for Kubernetes
Advisory URL: https://access.redhat.com/errata/RHSA-2023:1887
Issued Date: : 2023-04-19
CVE Names: CVE-2022-4304 CVE-2022-4450 CVE-2022-25881 CVE-2023-0215 CVE-2023-0286 CVE-2023-0361 CVE-2023-0767 CVE-2023-23916 CVE-2023-29017 CVE-2023-29199 CVE-2023-30547

Topic

Multicluster Engine for Kubernetes 2.2.3 General Availability releaseimages,which fix bugs and security updates container images.Red Hat Product Security has rated this update as having a security impactof Critical. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE links in the References section.


Topic


 

Relevant Releases Architectures


Bugs Fixed

2165824 - CVE-2022-25881 http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability

2185374 - CVE-2023-29017 vm2: sandbox escape

2187409 - CVE-2023-29199 vm2: Sandbox Escape

2187608 - CVE-2023-30547 vm2: Sandbox Escape when exception sanitization


Related News

19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved