Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2023.0460
Red Hat OpenShift GitOps security update
27 January 2023
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Red Hat OpenShift GitOps
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2023-22736 CVE-2023-22482 CVE-2022-43680
CVE-2022-42012 CVE-2022-42011 CVE-2022-42010
CVE-2022-40304 CVE-2022-40303 CVE-2022-35737
CVE-2022-3821 CVE-2021-46848
Original Bulletin:
https://access.redhat.com/errata/RHSA-2023:0467
Comment: CVSS (Max): 8.8 CVE-2023-22482 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: Red Hat OpenShift GitOps security update
Advisory ID: RHSA-2023:0467-01
Product: Red Hat OpenShift GitOps
Advisory URL: https://access.redhat.com/errata/RHSA-2023:0467
Issue date: 2023-01-25
CVE Names: CVE-2021-46848 CVE-2022-3821 CVE-2022-35737
CVE-2022-40303 CVE-2022-40304 CVE-2022-42010
CVE-2022-42011 CVE-2022-42012 CVE-2022-43680
CVE-2023-22482 CVE-2023-22736
=====================================================================
1. Summary:
An update is now available for Red Hat OpenShift GitOps 1.7.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Description:
Red Hat Openshift GitOps is a declarative way to implement continuous
deployment for cloud native applications.
Security Fix(es):
* ArgoCD: JWT audience claim is not verified (CVE-2023-22482)
* ArgoCD: authorization bypass (CVE-2023-22736)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
3. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
4. Bugs fixed (https://bugzilla.redhat.com/):
2160492 - CVE-2023-22482 ArgoCD: JWT audience claim is not verified
2162517 - CVE-2023-22736 argocd: Controller reconciles apps outside configured namespaces when sharding is enabled
5. References:
https://access.redhat.com/security/cve/CVE-2021-46848
https://access.redhat.com/security/cve/CVE-2022-3821
https://access.redhat.com/security/cve/CVE-2022-35737
https://access.redhat.com/security/cve/CVE-2022-40303
https://access.redhat.com/security/cve/CVE-2022-40304
https://access.redhat.com/security/cve/CVE-2022-42010
https://access.redhat.com/security/cve/CVE-2022-42011
https://access.redhat.com/security/cve/CVE-2022-42012
https://access.redhat.com/security/cve/CVE-2022-43680
https://access.redhat.com/security/cve/CVE-2023-22482
https://access.redhat.com/security/cve/CVE-2023-22736
https://docs.openshift.com/container-platform/latest/cicd/gitops/understanding-openshift-gitops.html
https://access.redhat.com/security/updates/classification/#important
6. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2023 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBY9GucdzjgjWX9erEAQh86w//faaz9Ywaa6wfhtz+5MrYTWddEx8DKiek
Kb5/Hk9T2czE1HJVAKhh9iWSkBlGtTeEAkSmRohFOrElF5VJ5CVfalnDS3x2W6VV
KMf+Qnrw1+apt3BA+yNQA4KAvwIVL9/+QS0c0UsakWTtrY+cSLwDEIIzcXFJbL1I
R3UAAoGwqk7Q2qS7x7Z1NrG+sOmkCa3q5WerKciQa8YVeLf5zwlq07sEFlpEfPMs
PLfIU0aHcceRqFv6NLl7Q1bABtPl3WrveRDaR8QA+sFvAR9X1wMT17Mfkfg0OzYj
v82Isvya5AYA5lP1cfPxVc7U3PG23x4JpJykn3khNpzdIHWHK8n8BZTIO3mXl3PX
3fPfLtcQ1M9LCb5ivnLiSsORxya7DoYFBjnL9o9ULyv8mwj2JfbtbVeTBkPzXEFK
xFI+Tl5bABdo0MJhrK8pbq/uV8I708QoznXSWB5Lq2WTz+xYItYXhAG4oPNVoaaR
cQeIu3i5VDi9VRaohotjMuxN7dXmZkwLJWQ55idKxk5Ul+L7DoLh0LMnVIXDMRV3
TfEFLFod/zt1yx2T9nqe33pCYJHLtFail24YjMpcFvvGXKKSioH9Y8DjHnUgCgz7
wuOGI3kxn9J8kL561UtKREIR6arNZR9Ht/zKXXF82uZnBT+KVCQX6M4TvNp/oaAD
wm5RXj9L40I=
=uoKQ
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
iQIVAwUBY9MrnskNZI30y1K9AQiY9Q//SHM0xbl6/teM48P5yR6fc4EGDEbe3rcC
AqU+UZ1GBMgr8j4dacYhOkHhYGCxmA1SU+4/PPG9Yi4TPozrJvKJc029WLh/HoLH
ABsYTw+SEv0+A6l5tgQaBb2XAxNHU8hlZUVAzt3T0z9/tgo5xQtezJHhNyqkyoSl
qKsmxnAoliQ7vdYCj8ggUAT34N254S4ciIB1j0Lre3tWgqD/8hk723Bn7Mm5E97z
CXaoVqPTv9mbLlk7eYAPme5NDcUDrf9FkfKsrKkg+95hVArKdzg2pyhzaX15QT8R
fC8gZKgMFE9Mc+KmuqSsb4vArjFTQQTn+7y78FaElPjrkjEyvMfdPitWMuNV77/n
BB5vHvzztQMItV23qMO6b5ggo55q+fwm1br8HLeF8Bq9a9HtHMF2TNkviS7HLc8x
GOFQoNw+FrC2JJru8GfAlH5Xm2WeuA7ImiCi8k7+9mMkhTQ6WRMrusp10mHgWPif
AeqyRBamCApkxXOKg3euGW84KiM0iP28yoMoVWVm/asxRNLPWk4YQ5NZTo/We4G/
CAO1xQkT4iq4mkvcwxjk1xZjcZ5Ltr8zn38VLme49sGXzMr5+lZKfh8Yd+5NV03W
sO4xz46SRxCKmiyYLqQDwJNsRL9L4PpKfVU/2z42veSuCHWv92RmNMkVVCCoZbJd
uXmVn5JagIU=
=T8vh
-----END PGP SIGNATURE-----