-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3878
    Red Hat Advanced Cluster Management 2.4 images and security updates
                              12 November 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat Advanced Cluster Management
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Increased Privileges            -- Existing Account
                   Overwrite Arbitrary Files       -- Remote with User Interaction
                   Create Arbitrary Files          -- Remote with User Interaction
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-41099 CVE-2021-37750 CVE-2021-36222 CVE-2021-33938
                   CVE-2021-33930 CVE-2021-33929 CVE-2021-33928 CVE-2021-33623
                   CVE-2021-32804 CVE-2021-32803 CVE-2021-32690 CVE-2021-32687
                   CVE-2021-32675 CVE-2021-32672 CVE-2021-32628 CVE-2021-32627
                   CVE-2021-32626 CVE-2021-23017 CVE-2021-22947 CVE-2021-22946
                   CVE-2021-22924 CVE-2021-22923 CVE-2021-22922 CVE-2021-3749
                   CVE-2021-3733 CVE-2021-3712 CVE-2021-3711 CVE-2021-3656
                   CVE-2021-0512 CVE-2020-36385

Reference:         ESB-2021.3704
                   ESB-2021.3661
                   ESB-2021.3649
                   ESB-2021.3499

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2021:4618

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat Advanced Cluster Management 2.4 images and security updates
Advisory ID:       RHSA-2021:4618-01
Product:           Red Hat ACM
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:4618
Issue date:        2021-11-10
CVE Names:         CVE-2020-36385 CVE-2021-0512 CVE-2021-3656 CVE-2021-3711
                   CVE-2021-3712 CVE-2021-3733 CVE-2021-3749 CVE-2021-22922
                   CVE-2021-22923 CVE-2021-22924 CVE-2021-22946 CVE-2021-22947
                   CVE-2021-23017 CVE-2021-32626 CVE-2021-32627 CVE-2021-32628
                   CVE-2021-32672 CVE-2021-32675 CVE-2021-32687 CVE-2021-32690
                   CVE-2021-32803 CVE-2021-32804 CVE-2021-33623 CVE-2021-33928
                   CVE-2021-33929 CVE-2021-33930 CVE-2021-33938 CVE-2021-36222
                   CVE-2021-37750 CVE-2021-41099
=====================================================================

1. Summary:

Red Hat Advanced Cluster Management for Kubernetes 2.4.0 General
Availability release images, which fix several bugs and security issues.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat Advanced Cluster Management for Kubernetes 2.4.0 images

Red Hat Advanced Cluster Management for Kubernetes provides the
capabilities to address common challenges that administrators and site
reliability engineers face as they work across a range of public and
private cloud environments. Clusters and applications are all visible and
managed from a single console with security policy built in.

This advisory contains the container images for Red Hat Advanced Cluster
Management for Kubernetes, which fix several bugs and security issues. See
the following Release Notes documentation, which will be updated shortly
for this release, for additional details about this release:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html/release_notes/

Security fixes:

* CVE-2021-33623: nodejs-trim-newlines: ReDoS in .end() method

* CVE-2021-32626: redis: Lua scripts can overflow the heap-based Lua stack

* CVE-2021-32627: redis: Integer overflow issue with Streams

* CVE-2021-32628: redis: Integer overflow bug in the ziplist data structure

* CVE-2021-32672: redis: Out of bounds read in lua debugger protocol parser

* CVE-2021-32675: redis: Denial of service via Redis Standard Protocol (RESP)
request

* CVE-2021-32687: redis: Integer overflow issue with intsets

* CVE-2021-32690: helm: information disclosure vulnerability

* CVE-2021-32803: nodejs-tar: Insufficient symlink protection allowing
arbitrary file creation and overwrite

* CVE-2021-32804: nodejs-tar: Insufficient absolute path sanitization
allowing arbitrary file creation and overwrite

* CVE-2021-23017: nginx: Off-by-one in ngx_resolver_copy() when labels are
followed by a pointer to a root domain name

* CVE-2021-3711: openssl: SM2 Decryption Buffer Overflow

* CVE-2021-3712: openssl: Read buffer overruns processing ASN.1 strings

* CVE-2021-3749: nodejs-axios: Regular expression denial of service in trim
function

* CVE-2021-41099: redis: Integer overflow issue with strings

Bug fixes:

* RFE ACM Application management UI doesn't reflect object status
(Bugzilla #1965321)

* RHACM 2.4 files (Bugzilla #1983663)

* Hive Operator CrashLoopBackOff when deploying ACM with latest downstream
2.4 (Bugzilla #1993366)

* submariner-addon pod failing in RHACM 2.4 latest ds snapshot
(Bugzilla #1994668)

* ACM 2.4 install on OCP 4.9 ipv6 disconnected hub fails due to
multicluster pod in clb (Bugzilla #2000274)

* pre-network-manager-config failed due to timeout when static config is
used (Bugzilla #2003915)

* InfraEnv condition does not reflect the actual error message
(Bugzilla #2009204, 2010030)

* Flaky test point to a nil pointer conditions list (Bugzilla #2010175)

* InfraEnv status shows 'Failed to create image: internal error
(Bugzilla #2010272)

* subctl diagnose firewall intra-cluster - failed VXLAN checks
(Bugzilla #2013157)

* pre-network-manager-config failed due to timeout when static config is
used (Bugzilla #2014084)

3. Solution:

For Red Hat Advanced Cluster Management for Kubernetes, see the following
documentation, which will be updated shortly for this release, for
important instructions on how to upgrade your cluster and fully apply this
asynchronous errata update:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html/release_notes/index

For details on how to apply this update, refer to:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html-single/install/index#installing

4. Bugs fixed (https://bugzilla.redhat.com/):

1963121 - CVE-2021-23017 nginx: Off-by-one in ngx_resolver_copy() when labels are followed by a pointer to a root domain name
1965321 - RFE ACM Application management UI doesn't reflect object status
1966615 - CVE-2021-33623 nodejs-trim-newlines: ReDoS in .end() method
1978144 - CVE-2021-32690 helm: information disclosure vulnerability
1983663 - RHACM 2.4.0 images
1990409 - CVE-2021-32804 nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite
1990415 - CVE-2021-32803 nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite
1993366 - Hive Operator CrashLoopBackOff when deploying ACM with latest downstream 2.4
1994668 - submariner-addon pod failing in RHACM 2.4 latest ds snapshot
1995623 - CVE-2021-3711 openssl: SM2 Decryption Buffer Overflow
1995634 - CVE-2021-3712 openssl: Read buffer overruns processing ASN.1 strings
1999784 - CVE-2021-3749 nodejs-axios: Regular expression denial of service in trim function
2000274 - ACM 2.4 install on OCP 4.9 ipv6 disconnected hub fails due to multicluster pod in clb
2003915 - pre-network-manager-config failed due to timeout when static config is used
2009204 - InfraEnv condition does not reflect the actual error message
2010030 - InfraEnv condition does not reflect the actual error message
2010175 - Flaky test point to a nil pointer conditions list
2010272 - InfraEnv status shows 'Failed to create image: internal error
2010991 - CVE-2021-32687 redis: Integer overflow issue with intsets
2011000 - CVE-2021-32675 redis: Denial of service via Redis Standard Protocol (RESP) request
2011001 - CVE-2021-32672 redis: Out of bounds read in lua debugger protocol parser
2011004 - CVE-2021-32628 redis: Integer overflow bug in the ziplist data structure
2011010 - CVE-2021-32627 redis: Integer overflow issue with Streams
2011017 - CVE-2021-32626 redis: Lua scripts can overflow the heap-based Lua stack
2011020 - CVE-2021-41099 redis: Integer overflow issue with strings
2013157 - subctl diagnose firewall intra-cluster - failed VXLAN checks
2014084 - pre-network-manager-config failed due to timeout when static config is used

5. References:

https://access.redhat.com/security/cve/CVE-2020-36385
https://access.redhat.com/security/cve/CVE-2021-0512
https://access.redhat.com/security/cve/CVE-2021-3656
https://access.redhat.com/security/cve/CVE-2021-3711
https://access.redhat.com/security/cve/CVE-2021-3712
https://access.redhat.com/security/cve/CVE-2021-3733
https://access.redhat.com/security/cve/CVE-2021-3749
https://access.redhat.com/security/cve/CVE-2021-22922
https://access.redhat.com/security/cve/CVE-2021-22923
https://access.redhat.com/security/cve/CVE-2021-22924
https://access.redhat.com/security/cve/CVE-2021-22946
https://access.redhat.com/security/cve/CVE-2021-22947
https://access.redhat.com/security/cve/CVE-2021-23017
https://access.redhat.com/security/cve/CVE-2021-32626
https://access.redhat.com/security/cve/CVE-2021-32627
https://access.redhat.com/security/cve/CVE-2021-32628
https://access.redhat.com/security/cve/CVE-2021-32672
https://access.redhat.com/security/cve/CVE-2021-32675
https://access.redhat.com/security/cve/CVE-2021-32687
https://access.redhat.com/security/cve/CVE-2021-32690
https://access.redhat.com/security/cve/CVE-2021-32803
https://access.redhat.com/security/cve/CVE-2021-32804
https://access.redhat.com/security/cve/CVE-2021-33623
https://access.redhat.com/security/cve/CVE-2021-33928
https://access.redhat.com/security/cve/CVE-2021-33929
https://access.redhat.com/security/cve/CVE-2021-33930
https://access.redhat.com/security/cve/CVE-2021-33938
https://access.redhat.com/security/cve/CVE-2021-36222
https://access.redhat.com/security/cve/CVE-2021-37750
https://access.redhat.com/security/cve/CVE-2021-41099
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----