Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2021.3211 Red Hat Advanced Cluster Management 2.1.11 security fix and container updates 24 September 2021 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Red Hat Advanced Cluster Management 2.1.11 Publisher: Red Hat Operating System: Red Hat Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated Increased Privileges -- Existing Account Access Privileged Data -- Remote with User Interaction Denial of Service -- Remote/Unauthenticated Unauthorised Access -- Remote/Unauthenticated Reduced Security -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2021-37750 CVE-2021-36222 CVE-2021-32399 CVE-2021-31535 CVE-2021-29650 CVE-2021-29154 CVE-2021-23017 CVE-2021-22924 CVE-2021-22923 CVE-2021-22922 CVE-2021-22555 CVE-2021-3653 CVE-2020-27777 Reference: ESB-2021.3206 ESB-2021.3168 ESB-2021.3147 ESB-2021.3114 ESB-2021.3070 ESB-2021.3050 ESB-2021.2290 ESB-2021.2217 ESB-2021.2216 Original Bulletin: https://access.redhat.com/errata/RHSA-2021:3653 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat Advanced Cluster Management 2.1.11 security fix and container updates Advisory ID: RHSA-2021:3653-01 Product: Red Hat ACM Advisory URL: https://access.redhat.com/errata/RHSA-2021:3653 Issue date: 2021-09-23 CVE Names: CVE-2020-27777 CVE-2021-3653 CVE-2021-22555 CVE-2021-22922 CVE-2021-22923 CVE-2021-22924 CVE-2021-23017 CVE-2021-29154 CVE-2021-29650 CVE-2021-31535 CVE-2021-32399 CVE-2021-36222 CVE-2021-37750 ===================================================================== 1. Summary: Red Hat Advanced Cluster Management for Kubernetes 2.1.11 General Availability release images, which provide a security fix and update the container images. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat Advanced Cluster Management for Kubernetes 2.1.11 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains updates to one or more container images for Red Hat Advanced Cluster Management for Kubernetes. See the following Release Notes documentation, which will be updated shortly for this release, for additional details about this release: https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_mana gement_for_kubernetes/2.1/html/release_notes/ Security fix: * management-ingress-container: nginx: Off-by-one in ngx_resolver_copy() when labels are followed by a pointer to a root domain name (CVE-2021-23017) For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Container updates: * RHACM 2.1.11 images (BZ# 1999375) 3. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. *Important:* This upgrade of Red Hat Advanced Cluster Management for Kubernetes is not supported when you are running Red Hat Advanced Cluster Management on Red Hat OpenShift Container Platform version 4.5. To apply this upgrade, you must upgrade your OpenShift Container Platform version to 4.6, or later. For details on how to apply this update, refer to: https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_mana gement_for_kubernetes/2.1/html/install/installing#upgrading-by-using-the-op erator 4. Bugs fixed (https://bugzilla.redhat.com/): 1963121 - CVE-2021-23017 nginx: Off-by-one in ngx_resolver_copy() when labels are followed by a pointer to a root domain name 1999375 - RHACM 2.1.11 images 5. References: https://access.redhat.com/security/cve/CVE-2020-27777 https://access.redhat.com/security/cve/CVE-2021-3653 https://access.redhat.com/security/cve/CVE-2021-22555 https://access.redhat.com/security/cve/CVE-2021-22922 https://access.redhat.com/security/cve/CVE-2021-22923 https://access.redhat.com/security/cve/CVE-2021-22924 https://access.redhat.com/security/cve/CVE-2021-23017 https://access.redhat.com/security/cve/CVE-2021-29154 https://access.redhat.com/security/cve/CVE-2021-29650 https://access.redhat.com/security/cve/CVE-2021-31535 https://access.redhat.com/security/cve/CVE-2021-32399 https://access.redhat.com/security/cve/CVE-2021-36222 https://access.redhat.com/security/cve/CVE-2021-37750 https://access.redhat.com/security/updates/classification/#important 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYUy3Q9zjgjWX9erEAQghKQ//ScUdzD9Wj7hOPBGlzqP+Tzf6tshOs01y UhdZq+uYuiGU1DL1Cjxr5T34RQnOeGgJZpKbepPqiVjwv/81jKOyZ4i+EnLRLKZe ++nlB8jhCV0KSHf3lv07NacNhBavsxss8xjDiAnhNbfjJ6Uj9I80+pOzvfFwGfOb E2NOdEvn3IgJqCzi0zLJwej3EE34DthVddyb04ky6pNAJsM+rNyaSG8uT+kXyVtq HArqeW7J1FKOSnJE6mz9qOEUQUqRATCJQXJHAH+SgA0aXEpBwiYoQPZQobEBAQfy y5I2lIWOTJNJhTZ4UdEb3HFcQWJy4k6u4oRs3IAzx9GOG12RWFhAYZNkkQ0HkyHz aVDS9ljw205SjemT6OlFi6OvDZant9kSK0FNu9TgtDxueGv4f/MmdGcriGOFO4b0 a1lVI9eVXrJOea2hBM7UXcWSoytEwrACtoVwYGLhBUe3KadWHsUfG80AvbQbfJbD rn75PO95wada+CXL00nfEcYs5RjiaiUNZQ3JOYqRWqvGsrYil/rRHy1d3zvNMy5n NDnOs2StxpMJumAdk3kNPslx5t4yMeH6zS0+VxBEfUrRIppMroOPRJx9I6FWvWoF TdUVSgVoKXoetfEauykfdcNvL+WwQNNOWkwOvs70T2t2PvtqAOeK/TyiOS1RVmcX 43iuBNFpffE= =1qOw - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBYU0lkeNLKJtyKPYoAQit/Q//bYv8OGAKqJptw51grjaO1JL99IDRATP2 WciDqqlak1FRpr3s2V20zKrkaSwh8ugzldokiZ/4ASFjk+sDyG1qLXgvZG64FgsQ 0Rjzaca2rQOf/uJtnnGBh1IYPuMdtH6cSt/tAK9TYkMuLNO1CLYmr03wJ8hJ8A2e OVrfz/PjyjIs65qCnnIyT9BQs7R6qhpUtolmwUUuJT7n4aJz4GokRATuAg46HO0w 4F6sQMqGa6KTbDYgU5nvlTaMVvwMM5Xgw5BbRfB445RcZukSyGxLndGEqhgosU8l UcqLBiKzvSKJ8XAla8XSKXWaLOwUMjrLEQe8rA+0lgfXRdV1AurPTLvJYhhJFKvE Kd3SraXVpfOYB4FnTqlM6u2no+fGxVv5hYZ2jWn15z+aE+5538vXjHAGW59Dg25S Yw1m5+02v7PgTp8E3ooLYEXtnNetWWrYV+ZhVNyFhxWbKml8H9n1u69tKewU2hYC rw2VDNv6NNZk+/in/nZgfytkZvxKEJLpMYamUCC46i6CfCI/Zdv5T4/HeFOEGxD7 jX5oL4M5KZ8Lgzjf4XjSMWcZCSQ6YzfAIr4VVKD0TPls80D/SMCJu8jVpKwMJuyE PVSY3aFVdp7FHm7Ih3FeXCF08b5EpCZoeJeZqg+8XE6LUQrIPKGlaSUuw1GB9P/L mEj1QEzdH+w= =goLI -----END PGP SIGNATURE-----