Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2023.3060
Red Hat Advanced Cluster Management 2.6.6 security fixes and container
29 May 2023
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Red Hat Advanced Cluster Management
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2023-32314 CVE-2023-32313 CVE-2023-29007
CVE-2023-28856 CVE-2023-27535 CVE-2023-25815
CVE-2023-25652 CVE-2023-23946 CVE-2023-23454
CVE-2023-22490 CVE-2023-1999 CVE-2023-1582
CVE-2023-1195 CVE-2023-0461 CVE-2023-0394
CVE-2023-0361 CVE-2022-47929 CVE-2022-43750
CVE-2022-43552 CVE-2022-42722 CVE-2022-42721
CVE-2022-42720 CVE-2022-42703 CVE-2022-41674
CVE-2022-41218 CVE-2022-39189 CVE-2022-39188
CVE-2022-36227 CVE-2022-35252 CVE-2022-30594
CVE-2022-25265 CVE-2022-20141 CVE-2022-4129
CVE-2022-3970 CVE-2022-3707 CVE-2022-3628
CVE-2022-3627 CVE-2022-3625 CVE-2022-3623
CVE-2022-3619 CVE-2022-3567 CVE-2022-3566
CVE-2022-3564 CVE-2022-3524 CVE-2022-3522
CVE-2022-3239 CVE-2022-3028 CVE-2022-2663
CVE-2022-2196 CVE-2022-1789 CVE-2022-1679
CVE-2022-1462 CVE-2021-33656 CVE-2021-33655
CVE-2021-26341
Original Bulletin:
https://access.redhat.com/errata/RHSA-2023:3326
Comment: CVSS (Max): 9.8 CVE-2023-32314 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: Red Hat Advanced Cluster Management 2.6.6 security fixes and container updates
Advisory ID: RHSA-2023:3326-01
Product: Red Hat ACM
Advisory URL: https://access.redhat.com/errata/RHSA-2023:3326
Issue date: 2023-05-25
CVE Names: CVE-2021-26341 CVE-2021-33655 CVE-2021-33656
CVE-2022-1462 CVE-2022-1679 CVE-2022-1789
CVE-2022-2196 CVE-2022-2663 CVE-2022-3028
CVE-2022-3239 CVE-2022-3522 CVE-2022-3524
CVE-2022-3564 CVE-2022-3566 CVE-2022-3567
CVE-2022-3619 CVE-2022-3623 CVE-2022-3625
CVE-2022-3627 CVE-2022-3628 CVE-2022-3707
CVE-2022-3970 CVE-2022-4129 CVE-2022-20141
CVE-2022-25265 CVE-2022-30594 CVE-2022-35252
CVE-2022-36227 CVE-2022-39188 CVE-2022-39189
CVE-2022-41218 CVE-2022-41674 CVE-2022-42703
CVE-2022-42720 CVE-2022-42721 CVE-2022-42722
CVE-2022-43552 CVE-2022-43750 CVE-2022-47929
CVE-2023-0361 CVE-2023-0394 CVE-2023-0461
CVE-2023-1195 CVE-2023-1582 CVE-2023-1999
CVE-2023-22490 CVE-2023-23454 CVE-2023-23946
CVE-2023-25652 CVE-2023-25815 CVE-2023-27535
CVE-2023-28856 CVE-2023-29007 CVE-2023-32313
CVE-2023-32314
=====================================================================
1. Summary:
Red Hat Advanced Cluster Management for Kubernetes 2.6.6 General
Availability release images, which fix security issues and update container
images.
Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE links in the References section.
2. Description:
Red Hat Advanced Cluster Management for Kubernetes 2.6.6 images
Red Hat Advanced Cluster Management for Kubernetes provides the
capabilities to address common challenges that administrators and site
reliability engineers face as they work across a range of public and
private cloud environments. Clusters and applications are all visible and
managed from a single consoleâ\x{128}\x{148}with security policy built in.
This advisory contains the container images for Red Hat Advanced Cluster
Management for Kubernetes, which fix several bugs. See the following
Release Notes documentation, which will be updated shortly for this
release, for additional details about this release:
https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.6/html/release_notes/
Security Fix(es):
* CVE-2023-28856 redis: Insufficient validation of HINCRBYFLOAT command
* CVE-2023-32314 vm2: Sandbox Escape
* CVE-2023-32313 vm2: Inspect Manipulation
3. Solution:
For Red Hat Advanced Cluster Management for Kubernetes, see the following
documentation for details on how to install the images:
https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.6/html/install/installing#installing-while-connected-online
4. Bugs fixed (https://bugzilla.redhat.com/):
2187525 - CVE-2023-28856 redis: Insufficient validation of HINCRBYFLOAT command
2208376 - CVE-2023-32314 vm2: Sandbox Escape
2208377 - CVE-2023-32313 vm2: Inspect Manipulation
5. References:
https://access.redhat.com/security/cve/CVE-2021-26341
https://access.redhat.com/security/cve/CVE-2021-33655
https://access.redhat.com/security/cve/CVE-2021-33656
https://access.redhat.com/security/cve/CVE-2022-1462
https://access.redhat.com/security/cve/CVE-2022-1679
https://access.redhat.com/security/cve/CVE-2022-1789
https://access.redhat.com/security/cve/CVE-2022-2196
https://access.redhat.com/security/cve/CVE-2022-2663
https://access.redhat.com/security/cve/CVE-2022-3028
https://access.redhat.com/security/cve/CVE-2022-3239
https://access.redhat.com/security/cve/CVE-2022-3522
https://access.redhat.com/security/cve/CVE-2022-3524
https://access.redhat.com/security/cve/CVE-2022-3564
https://access.redhat.com/security/cve/CVE-2022-3566
https://access.redhat.com/security/cve/CVE-2022-3567
https://access.redhat.com/security/cve/CVE-2022-3619
https://access.redhat.com/security/cve/CVE-2022-3623
https://access.redhat.com/security/cve/CVE-2022-3625
https://access.redhat.com/security/cve/CVE-2022-3627
https://access.redhat.com/security/cve/CVE-2022-3628
https://access.redhat.com/security/cve/CVE-2022-3707
https://access.redhat.com/security/cve/CVE-2022-3970
https://access.redhat.com/security/cve/CVE-2022-4129
https://access.redhat.com/security/cve/CVE-2022-20141
https://access.redhat.com/security/cve/CVE-2022-25265
https://access.redhat.com/security/cve/CVE-2022-30594
https://access.redhat.com/security/cve/CVE-2022-35252
https://access.redhat.com/security/cve/CVE-2022-36227
https://access.redhat.com/security/cve/CVE-2022-39188
https://access.redhat.com/security/cve/CVE-2022-39189
https://access.redhat.com/security/cve/CVE-2022-41218
https://access.redhat.com/security/cve/CVE-2022-41674
https://access.redhat.com/security/cve/CVE-2022-42703
https://access.redhat.com/security/cve/CVE-2022-42720
https://access.redhat.com/security/cve/CVE-2022-42721
https://access.redhat.com/security/cve/CVE-2022-42722
https://access.redhat.com/security/cve/CVE-2022-43552
https://access.redhat.com/security/cve/CVE-2022-43750
https://access.redhat.com/security/cve/CVE-2022-47929
https://access.redhat.com/security/cve/CVE-2023-0361
https://access.redhat.com/security/cve/CVE-2023-0394
https://access.redhat.com/security/cve/CVE-2023-0461
https://access.redhat.com/security/cve/CVE-2023-1195
https://access.redhat.com/security/cve/CVE-2023-1582
https://access.redhat.com/security/cve/CVE-2023-1999
https://access.redhat.com/security/cve/CVE-2023-22490
https://access.redhat.com/security/cve/CVE-2023-23454
https://access.redhat.com/security/cve/CVE-2023-23946
https://access.redhat.com/security/cve/CVE-2023-25652
https://access.redhat.com/security/cve/CVE-2023-25815
https://access.redhat.com/security/cve/CVE-2023-27535
https://access.redhat.com/security/cve/CVE-2023-28856
https://access.redhat.com/security/cve/CVE-2023-29007
https://access.redhat.com/security/cve/CVE-2023-32313
https://access.redhat.com/security/cve/CVE-2023-32314
https://access.redhat.com/security/updates/classification/#critical
6. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2023 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBZHBqdtzjgjWX9erEAQgPBBAAnba1fjcWKh24XoIxjEsRwYwq2JN7qmIU
MANW+FQiQX2SxrlS729OKswdcDQbMeGr2S9bnmZutqTTihgS/0DnCEUV4leX2fec
iX3+umTRrS4S2n1bs6jhMTygTHNFMEm0hRlaif0T35YnLtFDUO82QQVMAuifh0kn
5Z8n3oHiu5KX8oHQueP2zk9jC1DP2LWcxPZq3X90kYPTYn1bv12N8EcmaiIsQI2L
I5vXMPLf/SSl22Fzgs/qvFrdpRzwuWl4OATWjdICIZZg4hVrxG/k4pekuPX1QsTE
7sFOBsDp6i9RW/ZgUG30BI7RI5TZv1x087SI9j5M4PL06ePnYzBeWOPmkD5XeclV
ScJvCcVQpI4gef0QrsRcfaMaVdYgJa4S6rn0RJddaXY1FsyhDU/61LjEpI/Mu5LC
GKchpJC+lUGhGWy7r5Nn563VuUwdjKqjvtBdU4UwB/K6GoLF4QYMWOcBlZUBxNfD
JLVIVj5FgQYNMcV/0KFsL51rlbeTCntp4xH5QbPxt+932E0FlSej5Y1dqTBNX78a
w0hkqQoBDqjfYK80yvyeRI5X3ZQ4SHJe61ozHVSLa+VhGz5WDrPaHNsFkPM01EsV
pUhn2d27SA+SRwPE93GG6smk1dHgx6grZCISvRbtqzItoXcDdEb5L94GZx0pIFiF
nh/78SLF0ZU=
=P0X2
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
iQIVAwUBZHQSB8kNZI30y1K9AQiYgA/+N3vQjVhpFFmho120b3WM9f53DhD4V+oO
ftCLGbX3JKwx9dzwtS2kKoYUP41zJ5u6vDVTIFHldJk+9guPXYN9F2veagACoZ2+
oq7ixITJfIZ849Xfn/tZ+TUQ/RJDSxx3RD/5vq/h19pWxnP2/sSYOHH6hrErc37d
bpn3r2zKxGaNp8vepVoO/0qc0v6MqhJ3zgmzdNcCFXnYl4UgqF55oWiXDFxlB4gQ
l4xNTns7WHHqDwciijCDuns8hkff1pSWe4UPziNmhRvAIzRmlsioyExqjmcEIV1Z
NEZO491z/81wuI0lIoR0xGa3btU63G6GTOsu3XdVaqLNLupAbF9bagjsSeKRv20+
VXLQ9OirY3jlYTZB1do6BlmmVN/CxP+r7tMVkAxrKcrXCnsfltypCG4qJi1RiZOb
VsJUYcOkmAoofLMsubv5rmcy5EYAIq6jiIIx5raux+dovdIJ4KZmmw9Z8oz0xO0V
OWEBexYaIpJ1pwixFEZvGg+MbAh3vXOdGpjA3cBNArPH+sdeshD1QoVukrwrgb3G
qhZbDS5V8jI9Vlk10r1zSm369GzjpprsZabiilJ/LFPeNEVUXXfayg5obPQnZqU7
7C0HxhNk4iiiLGeDrziUWJxoBQIUYa/RIWlYlaZJIuYXlhfvvudGvs1JU5/mVKOO
v/rp+RJ3a0M=
=5U4d
-----END PGP SIGNATURE-----