Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2021.1406 Red Hat Advanced Cluster Management 2.1.6 security and bug fix updates 27 April 2021 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Red Hat Advanced Cluster Management 2.1.6 Publisher: Red Hat Operating System: Red Hat Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated Increased Privileges -- Existing Account Overwrite Arbitrary Files -- Existing Account Denial of Service -- Remote/Unauthenticated Unauthorised Access -- Remote/Unauthenticated Access Confidential Data -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2021-27365 CVE-2021-27364 CVE-2021-27363 CVE-2021-26708 CVE-2021-20305 CVE-2021-20218 CVE-2021-3450 CVE-2021-3449 CVE-2021-3347 CVE-2021-3121 CVE-2020-35149 CVE-2020-28374 CVE-2020-27152 CVE-2020-14040 CVE-2020-0466 Reference: ESB-2021.1378 ESB-2021.1340 ESB-2021.1299 Original Bulletin: https://access.redhat.com/errata/RHSA-2021:1369 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat Advanced Cluster Management 2.1.6 security and bug fix updates Advisory ID: RHSA-2021:1369-01 Product: Red Hat ACM Advisory URL: https://access.redhat.com/errata/RHSA-2021:1369 Issue date: 2021-04-26 Keywords: management cluster kubernetes CVE Names: CVE-2020-0466 CVE-2020-14040 CVE-2020-27152 CVE-2020-28374 CVE-2020-35149 CVE-2021-3121 CVE-2021-3347 CVE-2021-3449 CVE-2021-3450 CVE-2021-20218 CVE-2021-20305 CVE-2021-26708 CVE-2021-27363 CVE-2021-27364 CVE-2021-27365 ===================================================================== 1. Summary: Red Hat Advanced Cluster Management for Kubernetes 2.1.6 General Availability release images, which fix several bugs and security issues. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat Advanced Cluster Management for Kubernetes 2.1.6 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single consoleâ\x{128}\x{148}with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs and security issues. See the following Release Notes documentation, which will be updated shortly for this release, for additional details about this release: https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_mana gement_for_kubernetes/2.1/html/release_notes/ Security fixes: * golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash (CVE-2020-14040) * mquery: Code injection via merge or clone operation (CVE-2020-35149) For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug fixes: * RHACM 2.1.6 images (BZ#1940581) * When generating the import cluster string, it can include unescaped characters (BZ#1934184) 3. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_mana gement_for_kubernetes/2.1/html/install/installing#upgrading-by-using-the-op erator 4. Bugs fixed (https://bugzilla.redhat.com/): 1853652 - CVE-2020-14040 golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash 1929338 - CVE-2020-35149 mquery: Code injection via merge or clone operation 1934184 - When generating the import cluster string, it can include unescaped characters 1940581 - RHACM 2.1.6 images 5. References: https://access.redhat.com/security/cve/CVE-2020-0466 https://access.redhat.com/security/cve/CVE-2020-14040 https://access.redhat.com/security/cve/CVE-2020-27152 https://access.redhat.com/security/cve/CVE-2020-28374 https://access.redhat.com/security/cve/CVE-2020-35149 https://access.redhat.com/security/cve/CVE-2021-3121 https://access.redhat.com/security/cve/CVE-2021-3347 https://access.redhat.com/security/cve/CVE-2021-3449 https://access.redhat.com/security/cve/CVE-2021-3450 https://access.redhat.com/security/cve/CVE-2021-20218 https://access.redhat.com/security/cve/CVE-2021-20305 https://access.redhat.com/security/cve/CVE-2021-26708 https://access.redhat.com/security/cve/CVE-2021-27363 https://access.redhat.com/security/cve/CVE-2021-27364 https://access.redhat.com/security/cve/CVE-2021-27365 https://access.redhat.com/security/updates/classification/#moderate 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYIbqItzjgjWX9erEAQis9w/+LgaC7JXG+4D1nBOaTdQkTShpKXBDBZPB 3pC7vT7V3s86VQmkDXAl6kwJhXlBuNCPRpudEFKKNbUtaEmjGWx8QXUhJethuZ9P Nf+diMzrzVBOmE1tVPxbzXtF9C9uzFpsThC9BQk/9rsWJ/3nuTzUx6w5/VnxFejR LqJDls2GEW5ztviy/etE46QfeOHjJTsPRQEoNsSVMae4rJrYrX0AjjLwG7NEX3bD m6k6zKFe8BIhDNvI5Tpe3dvN6h2v2JCAF+V3im8jPJ3SJ2hzw373/ybZF8t6zFEF yIqsWZumG1n6J9SS8k5NMcvAe+G+YJT86rccjbcaAYLWIHbYTFGkNUeqSPY89vxO XSZP6lgfS1DNhxF1tZCFYph1/Jc6YbPqrGgHZeuDFK7+g6+gBFPNsSW9nuSYi7sH 3eTYU9G1/Dq6325dyvTxZnxeZkJhp8reezzgsuu8QvkWoglCVUMK4i6yOyEIS04I ibQRTvMVP9R3x/WWn6TruQTUJgAf0PT3sG11L26HY2SwF4hcgy38uJoaLmaKaXKq LtQ4DP1xYLKh3n4NqhJSSEg3Yct4ObyCJedhvux3eFlMXUf/9VIMGxVLrT1pI5cg Y6irYxFgZMMmb45PiSkaN/lO0RNy05+j+cM3uVwgXNBSDNDP2mLrBNl7VywQJ4cw hc5e51AhvfQ= =l0FC - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBYIdrK+NLKJtyKPYoAQi60g//dxDyYMD/AyruOs5cPQUXtke/+3q9oWMR QRXRlwBZuosaXGbrk7slYCSpZoWYkdT63aeiE13Z1+qMwv4JB70smj0b7kMAfkyv ex8xXnia5std26r/61SOaSm69iy4aBElSim17ipqIpmXM9pi1cpIAmX1boYdCgH4 B7AK86L3Ad5SJmzHQd/bpNancg3eGf5V4D7jovB7G4NCMR3G7M4g9F8JXy9sFXOh POvKg67a67o8xoTp31bBLWeskJQrbA1o5O5Sv8f6JxFI3xLiOtKPIhOxckpPSvnH sxn8ltKTdjPfRYDk9YfnBKo799yAAPn/KPfVmpLuG9MuSTCz6Dn+Lkmx33Jb0xsP TkPho59vNwNa9QNvvlVzOe3b+U+7Cuyw6O/W2AW7B3bc6HhlCL0JTTmjz0QeFG3O yRNzXz3W5QMDofHT60k0P9jt4+w2NA5Ejq5Ew+1qzN3z/pf5UhHZvwMpKUqo0hAv ab5aP9stgNmovRSDItUey1rbjizjx061FU2pWehdmo1GM6BcUnk2ogsXCkXaErbN s58+cPsIzK7PUOSn8/seZ1dZFUoPcgj/W6D6RWFYE1i6tUIX5jP5tpqONRUxJbMH i0zktT5uSz5JlaoNzoatBUpufpIXnofbFE3FF/robZmwYYzdNY5XUjlP8LoIqufT bUjM5QlfDjU= =JRNh -----END PGP SIGNATURE-----