Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.1406
Red Hat Advanced Cluster Management 2.1.6 security and bug fix updates
27 April 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Red Hat Advanced Cluster Management 2.1.6
Publisher: Red Hat
Operating System: Red Hat
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Increased Privileges -- Existing Account
Overwrite Arbitrary Files -- Existing Account
Denial of Service -- Remote/Unauthenticated
Unauthorised Access -- Remote/Unauthenticated
Access Confidential Data -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2021-27365 CVE-2021-27364 CVE-2021-27363
CVE-2021-26708 CVE-2021-20305 CVE-2021-20218
CVE-2021-3450 CVE-2021-3449 CVE-2021-3347
CVE-2021-3121 CVE-2020-35149 CVE-2020-28374
CVE-2020-27152 CVE-2020-14040 CVE-2020-0466
Reference: ESB-2021.1378
ESB-2021.1340
ESB-2021.1299
Original Bulletin:
https://access.redhat.com/errata/RHSA-2021:1369
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: Red Hat Advanced Cluster Management 2.1.6 security and bug fix updates
Advisory ID: RHSA-2021:1369-01
Product: Red Hat ACM
Advisory URL: https://access.redhat.com/errata/RHSA-2021:1369
Issue date: 2021-04-26
Keywords: management cluster kubernetes
CVE Names: CVE-2020-0466 CVE-2020-14040 CVE-2020-27152
CVE-2020-28374 CVE-2020-35149 CVE-2021-3121
CVE-2021-3347 CVE-2021-3449 CVE-2021-3450
CVE-2021-20218 CVE-2021-20305 CVE-2021-26708
CVE-2021-27363 CVE-2021-27364 CVE-2021-27365
=====================================================================
1. Summary:
Red Hat Advanced Cluster Management for Kubernetes 2.1.6 General
Availability release images, which fix several bugs and security issues.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Description:
Red Hat Advanced Cluster Management for Kubernetes 2.1.6 images
Red Hat Advanced Cluster Management for Kubernetes provides the
capabilities to address common challenges that administrators and site
reliability engineers face as they work across a range of public and
private cloud environments. Clusters and applications are all visible and
managed from a single consoleâ\x{128}\x{148}with security policy built in.
This advisory contains the container images for Red Hat Advanced Cluster
Management for Kubernetes, which fix several bugs and security issues. See
the following Release Notes documentation, which will be updated shortly
for this release, for additional details about this release:
https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_mana
gement_for_kubernetes/2.1/html/release_notes/
Security fixes:
* golang.org/x/text: possibility to trigger an infinite loop in
encoding/unicode could lead to crash (CVE-2020-14040)
* mquery: Code injection via merge or clone operation (CVE-2020-35149)
For more details about the security issue, including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Bug fixes:
* RHACM 2.1.6 images (BZ#1940581)
* When generating the import cluster string, it can include unescaped
characters (BZ#1934184)
3. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_mana
gement_for_kubernetes/2.1/html/install/installing#upgrading-by-using-the-op
erator
4. Bugs fixed (https://bugzilla.redhat.com/):
1853652 - CVE-2020-14040 golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash
1929338 - CVE-2020-35149 mquery: Code injection via merge or clone operation
1934184 - When generating the import cluster string, it can include unescaped characters
1940581 - RHACM 2.1.6 images
5. References:
https://access.redhat.com/security/cve/CVE-2020-0466
https://access.redhat.com/security/cve/CVE-2020-14040
https://access.redhat.com/security/cve/CVE-2020-27152
https://access.redhat.com/security/cve/CVE-2020-28374
https://access.redhat.com/security/cve/CVE-2020-35149
https://access.redhat.com/security/cve/CVE-2021-3121
https://access.redhat.com/security/cve/CVE-2021-3347
https://access.redhat.com/security/cve/CVE-2021-3449
https://access.redhat.com/security/cve/CVE-2021-3450
https://access.redhat.com/security/cve/CVE-2021-20218
https://access.redhat.com/security/cve/CVE-2021-20305
https://access.redhat.com/security/cve/CVE-2021-26708
https://access.redhat.com/security/cve/CVE-2021-27363
https://access.redhat.com/security/cve/CVE-2021-27364
https://access.redhat.com/security/cve/CVE-2021-27365
https://access.redhat.com/security/updates/classification/#moderate
6. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYIbqItzjgjWX9erEAQis9w/+LgaC7JXG+4D1nBOaTdQkTShpKXBDBZPB
3pC7vT7V3s86VQmkDXAl6kwJhXlBuNCPRpudEFKKNbUtaEmjGWx8QXUhJethuZ9P
Nf+diMzrzVBOmE1tVPxbzXtF9C9uzFpsThC9BQk/9rsWJ/3nuTzUx6w5/VnxFejR
LqJDls2GEW5ztviy/etE46QfeOHjJTsPRQEoNsSVMae4rJrYrX0AjjLwG7NEX3bD
m6k6zKFe8BIhDNvI5Tpe3dvN6h2v2JCAF+V3im8jPJ3SJ2hzw373/ybZF8t6zFEF
yIqsWZumG1n6J9SS8k5NMcvAe+G+YJT86rccjbcaAYLWIHbYTFGkNUeqSPY89vxO
XSZP6lgfS1DNhxF1tZCFYph1/Jc6YbPqrGgHZeuDFK7+g6+gBFPNsSW9nuSYi7sH
3eTYU9G1/Dq6325dyvTxZnxeZkJhp8reezzgsuu8QvkWoglCVUMK4i6yOyEIS04I
ibQRTvMVP9R3x/WWn6TruQTUJgAf0PT3sG11L26HY2SwF4hcgy38uJoaLmaKaXKq
LtQ4DP1xYLKh3n4NqhJSSEg3Yct4ObyCJedhvux3eFlMXUf/9VIMGxVLrT1pI5cg
Y6irYxFgZMMmb45PiSkaN/lO0RNy05+j+cM3uVwgXNBSDNDP2mLrBNl7VywQJ4cw
hc5e51AhvfQ=
=l0FC
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYIdrK+NLKJtyKPYoAQi60g//dxDyYMD/AyruOs5cPQUXtke/+3q9oWMR
QRXRlwBZuosaXGbrk7slYCSpZoWYkdT63aeiE13Z1+qMwv4JB70smj0b7kMAfkyv
ex8xXnia5std26r/61SOaSm69iy4aBElSim17ipqIpmXM9pi1cpIAmX1boYdCgH4
B7AK86L3Ad5SJmzHQd/bpNancg3eGf5V4D7jovB7G4NCMR3G7M4g9F8JXy9sFXOh
POvKg67a67o8xoTp31bBLWeskJQrbA1o5O5Sv8f6JxFI3xLiOtKPIhOxckpPSvnH
sxn8ltKTdjPfRYDk9YfnBKo799yAAPn/KPfVmpLuG9MuSTCz6Dn+Lkmx33Jb0xsP
TkPho59vNwNa9QNvvlVzOe3b+U+7Cuyw6O/W2AW7B3bc6HhlCL0JTTmjz0QeFG3O
yRNzXz3W5QMDofHT60k0P9jt4+w2NA5Ejq5Ew+1qzN3z/pf5UhHZvwMpKUqo0hAv
ab5aP9stgNmovRSDItUey1rbjizjx061FU2pWehdmo1GM6BcUnk2ogsXCkXaErbN
s58+cPsIzK7PUOSn8/seZ1dZFUoPcgj/W6D6RWFYE1i6tUIX5jP5tpqONRUxJbMH
i0zktT5uSz5JlaoNzoatBUpufpIXnofbFE3FF/robZmwYYzdNY5XUjlP8LoIqufT
bUjM5QlfDjU=
=JRNh
-----END PGP SIGNATURE-----