Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.3211
Red Hat Advanced Cluster Management 2.1.11 security fix and
container updates
24 September 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Red Hat Advanced Cluster Management 2.1.11
Publisher: Red Hat
Operating System: Red Hat
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Increased Privileges -- Existing Account
Access Privileged Data -- Remote with User Interaction
Denial of Service -- Remote/Unauthenticated
Unauthorised Access -- Remote/Unauthenticated
Reduced Security -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2021-37750 CVE-2021-36222 CVE-2021-32399
CVE-2021-31535 CVE-2021-29650 CVE-2021-29154
CVE-2021-23017 CVE-2021-22924 CVE-2021-22923
CVE-2021-22922 CVE-2021-22555 CVE-2021-3653
CVE-2020-27777
Reference: ESB-2021.3206
ESB-2021.3168
ESB-2021.3147
ESB-2021.3114
ESB-2021.3070
ESB-2021.3050
ESB-2021.2290
ESB-2021.2217
ESB-2021.2216
Original Bulletin:
https://access.redhat.com/errata/RHSA-2021:3653
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: Red Hat Advanced Cluster Management 2.1.11 security fix and container updates
Advisory ID: RHSA-2021:3653-01
Product: Red Hat ACM
Advisory URL: https://access.redhat.com/errata/RHSA-2021:3653
Issue date: 2021-09-23
CVE Names: CVE-2020-27777 CVE-2021-3653 CVE-2021-22555
CVE-2021-22922 CVE-2021-22923 CVE-2021-22924
CVE-2021-23017 CVE-2021-29154 CVE-2021-29650
CVE-2021-31535 CVE-2021-32399 CVE-2021-36222
CVE-2021-37750
=====================================================================
1. Summary:
Red Hat Advanced Cluster Management for Kubernetes 2.1.11 General
Availability release images, which provide a security fix and update the
container images.
Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Description:
Red Hat Advanced Cluster Management for Kubernetes 2.1.11 images
Red Hat Advanced Cluster Management for Kubernetes provides the
capabilities to address common challenges that administrators and site
reliability engineers face as they work across a range of public and
private cloud environments. Clusters and applications are all visible and
managed from a single console—with security policy built in.
This advisory contains updates to one or more container images for Red Hat
Advanced Cluster Management for Kubernetes. See the following Release Notes
documentation, which will be updated shortly for this release, for
additional
details about this release:
https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_mana
gement_for_kubernetes/2.1/html/release_notes/
Security fix:
* management-ingress-container: nginx: Off-by-one in ngx_resolver_copy()
when labels are followed by a pointer to a root domain name
(CVE-2021-23017)
For more details about the security issue, including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Container updates:
* RHACM 2.1.11 images (BZ# 1999375)
3. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
*Important:* This upgrade of Red Hat Advanced Cluster Management for
Kubernetes
is not supported when you are running Red Hat Advanced Cluster Management
on
Red Hat OpenShift Container Platform version 4.5. To apply this upgrade,
you
must upgrade your OpenShift Container Platform version to 4.6, or later.
For details on how to apply this update, refer to:
https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_mana
gement_for_kubernetes/2.1/html/install/installing#upgrading-by-using-the-op
erator
4. Bugs fixed (https://bugzilla.redhat.com/):
1963121 - CVE-2021-23017 nginx: Off-by-one in ngx_resolver_copy() when labels are followed by a pointer to a root domain name
1999375 - RHACM 2.1.11 images
5. References:
https://access.redhat.com/security/cve/CVE-2020-27777
https://access.redhat.com/security/cve/CVE-2021-3653
https://access.redhat.com/security/cve/CVE-2021-22555
https://access.redhat.com/security/cve/CVE-2021-22922
https://access.redhat.com/security/cve/CVE-2021-22923
https://access.redhat.com/security/cve/CVE-2021-22924
https://access.redhat.com/security/cve/CVE-2021-23017
https://access.redhat.com/security/cve/CVE-2021-29154
https://access.redhat.com/security/cve/CVE-2021-29650
https://access.redhat.com/security/cve/CVE-2021-31535
https://access.redhat.com/security/cve/CVE-2021-32399
https://access.redhat.com/security/cve/CVE-2021-36222
https://access.redhat.com/security/cve/CVE-2021-37750
https://access.redhat.com/security/updates/classification/#important
6. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYUy3Q9zjgjWX9erEAQghKQ//ScUdzD9Wj7hOPBGlzqP+Tzf6tshOs01y
UhdZq+uYuiGU1DL1Cjxr5T34RQnOeGgJZpKbepPqiVjwv/81jKOyZ4i+EnLRLKZe
++nlB8jhCV0KSHf3lv07NacNhBavsxss8xjDiAnhNbfjJ6Uj9I80+pOzvfFwGfOb
E2NOdEvn3IgJqCzi0zLJwej3EE34DthVddyb04ky6pNAJsM+rNyaSG8uT+kXyVtq
HArqeW7J1FKOSnJE6mz9qOEUQUqRATCJQXJHAH+SgA0aXEpBwiYoQPZQobEBAQfy
y5I2lIWOTJNJhTZ4UdEb3HFcQWJy4k6u4oRs3IAzx9GOG12RWFhAYZNkkQ0HkyHz
aVDS9ljw205SjemT6OlFi6OvDZant9kSK0FNu9TgtDxueGv4f/MmdGcriGOFO4b0
a1lVI9eVXrJOea2hBM7UXcWSoytEwrACtoVwYGLhBUe3KadWHsUfG80AvbQbfJbD
rn75PO95wada+CXL00nfEcYs5RjiaiUNZQ3JOYqRWqvGsrYil/rRHy1d3zvNMy5n
NDnOs2StxpMJumAdk3kNPslx5t4yMeH6zS0+VxBEfUrRIppMroOPRJx9I6FWvWoF
TdUVSgVoKXoetfEauykfdcNvL+WwQNNOWkwOvs70T2t2PvtqAOeK/TyiOS1RVmcX
43iuBNFpffE=
=1qOw
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYU0lkeNLKJtyKPYoAQit/Q//bYv8OGAKqJptw51grjaO1JL99IDRATP2
WciDqqlak1FRpr3s2V20zKrkaSwh8ugzldokiZ/4ASFjk+sDyG1qLXgvZG64FgsQ
0Rjzaca2rQOf/uJtnnGBh1IYPuMdtH6cSt/tAK9TYkMuLNO1CLYmr03wJ8hJ8A2e
OVrfz/PjyjIs65qCnnIyT9BQs7R6qhpUtolmwUUuJT7n4aJz4GokRATuAg46HO0w
4F6sQMqGa6KTbDYgU5nvlTaMVvwMM5Xgw5BbRfB445RcZukSyGxLndGEqhgosU8l
UcqLBiKzvSKJ8XAla8XSKXWaLOwUMjrLEQe8rA+0lgfXRdV1AurPTLvJYhhJFKvE
Kd3SraXVpfOYB4FnTqlM6u2no+fGxVv5hYZ2jWn15z+aE+5538vXjHAGW59Dg25S
Yw1m5+02v7PgTp8E3ooLYEXtnNetWWrYV+ZhVNyFhxWbKml8H9n1u69tKewU2hYC
rw2VDNv6NNZk+/in/nZgfytkZvxKEJLpMYamUCC46i6CfCI/Zdv5T4/HeFOEGxD7
jX5oL4M5KZ8Lgzjf4XjSMWcZCSQ6YzfAIr4VVKD0TPls80D/SMCJu8jVpKwMJuyE
PVSY3aFVdp7FHm7Ih3FeXCF08b5EpCZoeJeZqg+8XE6LUQrIPKGlaSUuw1GB9P/L
mEj1QEzdH+w=
=goLI
-----END PGP SIGNATURE-----