RHSA-2021:3949 - Security Advisory

Topic

Red Hat Advanced Cluster Management for Kubernetes 2.1.12 General Availability release images, which provide security fixes and update the container images.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

Description

Red Hat Advanced Cluster Management for Kubernetes 2.1.12 images

Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in.

This advisory contains updates to one or more container images for Red Hat Advanced Cluster Management for Kubernetes. See the following Release Notes documentation, which will be updated shortly for this release, for additional details about this release:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.1/html/release_notes/

Security fixes:

• redis: Lua scripts can overflow the heap-based Lua stack (CVE-2021-32626)
• redis: Integer overflow issue with Streams (CVE-2021-32627)
• redis: Integer overflow bug in the ziplist data structure

(CVE-2021-32628)

• redis: Integer overflow issue with intsets (CVE-2021-32687)
• redis: Integer overflow issue with strings (CVE-2021-41099)
• redis: Denial of service via Redis Standard Protocol (RESP) request (CVE-2021-32675)
• redis: Out of bounds read in lua debugger protocol parser (CVE-2021-32672)

For more details about the security issues, including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Container updates:

• RHACM 2.1.12 images (BZ# 2007489)

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

• Important:* This upgrade of Red Hat Advanced Cluster Management for Kubernetes

is not supported when you are running Red Hat Advanced Cluster Management on
Red Hat OpenShift Container Platform version 4.5. To apply this upgrade, you
must upgrade your OpenShift Container Platform version to 4.6, or later.

For details on how to apply this update, refer to:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.1/html/install/installing#upgrading-by-using-the-operator

Affected Products

• Red Hat Advanced Cluster Management for Kubernetes 2.1 for RHEL 8 x86_64
• Red Hat Advanced Cluster Management for Kubernetes 2.1 for RHEL 7 x86_64

Fixes

• BZ - 2007489 - RHACM 2.1.12 images
• BZ - 2010991 - CVE-2021-32687 redis: Integer overflow issue with intsets
• BZ - 2011000 - CVE-2021-32675 redis: Denial of service via Redis Standard Protocol (RESP) request
• BZ - 2011001 - CVE-2021-32672 redis: Out of bounds read in lua debugger protocol parser
• BZ - 2011004 - CVE-2021-32628 redis: Integer overflow bug in the ziplist data structure
• BZ - 2011010 - CVE-2021-32627 redis: Integer overflow issue with Streams
• BZ - 2011017 - CVE-2021-32626 redis: Lua scripts can overflow the heap-based Lua stack
• BZ - 2011020 - CVE-2021-41099 redis: Integer overflow issue with strings

CVEs

• CVE-2016-4658
• CVE-2021-3653
• CVE-2021-3656
• CVE-2021-22543
• CVE-2021-22922
• CVE-2021-22923
• CVE-2021-22924
• CVE-2021-23840
• CVE-2021-23841
• CVE-2021-32626
• CVE-2021-32627
• CVE-2021-32628
• CVE-2021-32672
• CVE-2021-32675
• CVE-2021-32687
• CVE-2021-36222
• CVE-2021-37576
• CVE-2021-37750
• CVE-2021-41099

References

• https://access.redhat.com/security/updates/classification/#important