-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.3060
      Red Hat Advanced Cluster Management 2.6.6 security fixes and container
                                29 May 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat Advanced Cluster Management
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-32314 CVE-2023-32313 CVE-2023-29007 CVE-2023-28856
                   CVE-2023-27535 CVE-2023-25815 CVE-2023-25652 CVE-2023-23946
                   CVE-2023-23454 CVE-2023-22490 CVE-2023-1999 CVE-2023-1582
                   CVE-2023-1195 CVE-2023-0461 CVE-2023-0394 CVE-2023-0361
                   CVE-2022-47929 CVE-2022-43750 CVE-2022-43552 CVE-2022-42722
                   CVE-2022-42721 CVE-2022-42720 CVE-2022-42703 CVE-2022-41674
                   CVE-2022-41218 CVE-2022-39189 CVE-2022-39188 CVE-2022-36227
                   CVE-2022-35252 CVE-2022-30594 CVE-2022-25265 CVE-2022-20141
                   CVE-2022-4129 CVE-2022-3970 CVE-2022-3707 CVE-2022-3628
                   CVE-2022-3627 CVE-2022-3625 CVE-2022-3623 CVE-2022-3619
                   CVE-2022-3567 CVE-2022-3566 CVE-2022-3564 CVE-2022-3524
                   CVE-2022-3522 CVE-2022-3239 CVE-2022-3028 CVE-2022-2663
                   CVE-2022-2196 CVE-2022-1789 CVE-2022-1679 CVE-2022-1462
                   CVE-2021-33656 CVE-2021-33655 CVE-2021-26341

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2023:3326

Comment: CVSS (Max):  9.8 CVE-2023-32314 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: Red Hat Advanced Cluster Management 2.6.6 security fixes and container updates
Advisory ID:       RHSA-2023:3326-01
Product:           Red Hat ACM
Advisory URL:
https://access.redhat.com/errata/RHSA-2023:3326
Issue date:        2023-05-25
CVE Names:         CVE-2021-26341 CVE-2021-33655 CVE-2021-33656 CVE-2022-1462
                   CVE-2022-1679 CVE-2022-1789 CVE-2022-2196 CVE-2022-2663
                   CVE-2022-3028 CVE-2022-3239 CVE-2022-3522 CVE-2022-3524
                   CVE-2022-3564 CVE-2022-3566 CVE-2022-3567 CVE-2022-3619
                   CVE-2022-3623 CVE-2022-3625 CVE-2022-3627 CVE-2022-3628
                   CVE-2022-3707 CVE-2022-3970 CVE-2022-4129 CVE-2022-20141
                   CVE-2022-25265 CVE-2022-30594 CVE-2022-35252 CVE-2022-36227
                   CVE-2022-39188 CVE-2022-39189 CVE-2022-41218 CVE-2022-41674
                   CVE-2022-42703 CVE-2022-42720 CVE-2022-42721 CVE-2022-42722
                   CVE-2022-43552 CVE-2022-43750 CVE-2022-47929 CVE-2023-0361
                   CVE-2023-0394 CVE-2023-0461 CVE-2023-1195 CVE-2023-1582
                   CVE-2023-1999 CVE-2023-22490 CVE-2023-23454 CVE-2023-23946
                   CVE-2023-25652 CVE-2023-25815 CVE-2023-27535 CVE-2023-28856
                   CVE-2023-29007 CVE-2023-32313 CVE-2023-32314
=====================================================================

1. Summary:

Red Hat Advanced Cluster Management for Kubernetes 2.6.6 General Availability
release images, which fix security issues and update container images.

Red Hat Product Security has rated this update as having a security impact of
Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
links in the References section.

2. Description:

Red Hat Advanced Cluster Management for Kubernetes 2.6.6 images

Red Hat Advanced Cluster Management for Kubernetes provides the capabilities
to address common challenges that administrators and site reliability
engineers face as they work across a range of public and private cloud
environments. Clusters and applications are all visible and managed from a
single console, with security policy built in.

This advisory contains the container images for Red Hat Advanced Cluster
Management for Kubernetes, which fix several bugs.
See the following Release Notes documentation, which will be updated shortly
for this release, for additional details about this release:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.6/html/release_notes/

Security Fix(es):

* CVE-2023-28856 redis: Insufficient validation of HINCRBYFLOAT command
* CVE-2023-32314 vm2: Sandbox Escape
* CVE-2023-32313 vm2: Inspect Manipulation

3. Solution:

For Red Hat Advanced Cluster Management for Kubernetes, see the following
documentation for details on how to install the images:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.6/html/install/installing#installing-while-connected-online

4. Bugs fixed (https://bugzilla.redhat.com/):

2187525 - CVE-2023-28856 redis: Insufficient validation of HINCRBYFLOAT command
2208376 - CVE-2023-32314 vm2: Sandbox Escape
2208377 - CVE-2023-32313 vm2: Inspect Manipulation

5. References:

https://access.redhat.com/security/cve/CVE-2021-26341
https://access.redhat.com/security/cve/CVE-2021-33655
https://access.redhat.com/security/cve/CVE-2021-33656
https://access.redhat.com/security/cve/CVE-2022-1462
https://access.redhat.com/security/cve/CVE-2022-1679
https://access.redhat.com/security/cve/CVE-2022-1789
https://access.redhat.com/security/cve/CVE-2022-2196
https://access.redhat.com/security/cve/CVE-2022-2663
https://access.redhat.com/security/cve/CVE-2022-3028
https://access.redhat.com/security/cve/CVE-2022-3239
https://access.redhat.com/security/cve/CVE-2022-3522
https://access.redhat.com/security/cve/CVE-2022-3524
https://access.redhat.com/security/cve/CVE-2022-3564
https://access.redhat.com/security/cve/CVE-2022-3566
https://access.redhat.com/security/cve/CVE-2022-3567
https://access.redhat.com/security/cve/CVE-2022-3619
https://access.redhat.com/security/cve/CVE-2022-3623
https://access.redhat.com/security/cve/CVE-2022-3625
https://access.redhat.com/security/cve/CVE-2022-3627
https://access.redhat.com/security/cve/CVE-2022-3628
https://access.redhat.com/security/cve/CVE-2022-3707
https://access.redhat.com/security/cve/CVE-2022-3970
https://access.redhat.com/security/cve/CVE-2022-4129
https://access.redhat.com/security/cve/CVE-2022-20141
https://access.redhat.com/security/cve/CVE-2022-25265
https://access.redhat.com/security/cve/CVE-2022-30594
https://access.redhat.com/security/cve/CVE-2022-35252
https://access.redhat.com/security/cve/CVE-2022-36227
https://access.redhat.com/security/cve/CVE-2022-39188
https://access.redhat.com/security/cve/CVE-2022-39189
https://access.redhat.com/security/cve/CVE-2022-41218
https://access.redhat.com/security/cve/CVE-2022-41674
https://access.redhat.com/security/cve/CVE-2022-42703
https://access.redhat.com/security/cve/CVE-2022-42720
https://access.redhat.com/security/cve/CVE-2022-42721
https://access.redhat.com/security/cve/CVE-2022-42722
https://access.redhat.com/security/cve/CVE-2022-43552
https://access.redhat.com/security/cve/CVE-2022-43750
https://access.redhat.com/security/cve/CVE-2022-47929
https://access.redhat.com/security/cve/CVE-2023-0361
https://access.redhat.com/security/cve/CVE-2023-0394
https://access.redhat.com/security/cve/CVE-2023-0461
https://access.redhat.com/security/cve/CVE-2023-1195
https://access.redhat.com/security/cve/CVE-2023-1582
https://access.redhat.com/security/cve/CVE-2023-1999
https://access.redhat.com/security/cve/CVE-2023-22490
https://access.redhat.com/security/cve/CVE-2023-23454
https://access.redhat.com/security/cve/CVE-2023-23946
https://access.redhat.com/security/cve/CVE-2023-25652
https://access.redhat.com/security/cve/CVE-2023-25815
https://access.redhat.com/security/cve/CVE-2023-27535
https://access.redhat.com/security/cve/CVE-2023-28856
https://access.redhat.com/security/cve/CVE-2023-29007
https://access.redhat.com/security/cve/CVE-2023-32313
https://access.redhat.com/security/cve/CVE-2023-32314
https://access.redhat.com/security/updates/classification/#critical

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures.
AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

-----END PGP SIGNATURE-----