===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3651
  Red Hat Advanced Cluster Management for Kubernetes version 2.0.4 images
                              23 October 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat Advanced Cluster Management for Kubernetes
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Access Confidential Data -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-25655  

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2020:4304

- --------------------------BEGIN INCLUDED TEXT--------------------

Red Hat Product Errata RHSA-2020:4304 - Security Advisory

Issued:
    2020-10-22
Updated:
    2020-10-22

Synopsis

Moderate: Red Hat Advanced Cluster Management for Kubernetes version 2.0.4 images

Type/Severity

Security Advisory: Moderate

Topic

Red Hat Advanced Cluster Management for Kubernetes 2.0.4 General Availability
release.

Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

Description

RHACM 2.0.4 images

Red Hat Advanced Cluster Management provides the capabilities to address
common challenges that administrators and site reliability engineers face as
they work across a range of public and private cloud environments. Clusters
and applications are all visible and managed from a single console, with
security policy built in.

See the following Release Notes documentation for details about this release:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.0/html/release_notes/

Security Fix(es):

  * open-cluster-management: RBAC bypass may disclose cluster secrets to other
    users (CVE-2020-25655)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258
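A quick way to confirm whether a hub still runs a release older than the fixed 2.0.4 images, added here as an example rather than taken from the Red Hat or AusCERT text. The `oc` client and the MultiClusterHub `status.currentVersion` field are assumptions about the environment; the version comparison itself needs only POSIX tools.

```shell
#!/bin/sh
# Added example (not from the advisory): flag RHACM 2.0.x hubs that are
# older than 2.0.4, the release that ships the fix for CVE-2020-25655.

FIXED_VERSION="2.0.4"

# version_lt A B: succeed when dotted version A sorts numerically before B,
# so that 2.0.4 is correctly seen as older than 2.0.10.
version_lt() {
  [ "$1" = "$2" ] && return 1
  first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
  [ "$first" = "$1" ]
}

# needs_update VERSION: print a verdict; return 0 when the update is still
# outstanding and 1 when the hub is already at or above the fixed release.
needs_update() {
  if version_lt "$1" "$FIXED_VERSION"; then
    echo "vulnerable: RHACM $1 is older than $FIXED_VERSION (CVE-2020-25655)"
    return 0
  fi
  echo "fixed: RHACM $1 is at or above $FIXED_VERSION"
  return 1
}

# Only query a live hub when oc is on PATH; the MultiClusterHub resource and
# its status.currentVersion field are assumed, not stated by the advisory.
if command -v oc >/dev/null 2>&1; then
  current=$(oc get multiclusterhub -A \
    -o jsonpath='{.items[0].status.currentVersion}' 2>/dev/null)
  [ -n "$current" ] && needs_update "$current"
fi
```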

Affected Products

  * Red Hat Advanced Cluster Management for Kubernetes 2.0 for RHEL 8 x86_64
  * Red Hat Advanced Cluster Management for Kubernetes 2.0 for RHEL 7 x86_64

Fixes

  * BZ - 1882496 - RHACM 2.0.4 images
  * BZ - 1882748 - search-operator Pod OOMKilled After Upgrading OpenShift
  * BZ - 1884295 - Trying to install ACM and multi cluster hub is not deploying
  * BZ - 1888475 - CVE-2020-25655 open-cluster-management: RBAC bypass may
    disclose cluster secrets to other users

CVEs

  * CVE-2020-25655

References

  * https://access.redhat.com/security/updates/classification/#moderate

The Red Hat security contact is secalert@redhat.com. More contact details at
https://access.redhat.com/security/team/contact/.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================