RHSA-2022:6714 - Security Advisory

Topic

Updated images are now available for Red Hat Advanced Cluster Security for Kubernetes (RHACS). The updated image includes new features and bug fixes.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Release of RHACS 3.72 provides these changes:

New features

• Automatic removal of nonactive clusters from RHACS: RHACS provides the ability to configure your system to automatically remove nonactive clusters from RHACS so that you can monitor active clusters only.
• Support for unauthenticated email integration: RHACS now supports unauthenticated SMTP for email integrations. This is insecure and not recommended.
• Support for Quay robot accounts: RHACS now supports use of robot accounts in quay.io integrations. You can create robot accounts in Quay that allow you to share credentials for use in multiple repositories.
• Ability to view Dockerfile lines in images that introduced components with Common Vulnerabilities and Exposures (CVEs): In the Images view, under Image Findings, you can view individual lines in the Dockerfile that introduced the components that have been identified as containing CVEs.
• Network graph improvements: RHACS 3.72 includes some improvements to the Network Graph user interface.

Known issue

• RHACS shows the wrong severity when two severities exist for a single vulnerability in a single distribution. This issue occurs because RHACS scopes severities by namespace rather than component. There is no workaround. It is anticipated that an upcoming release will include a fix for this issue. (ROX-12527)

Bug fixes

• Before this update, the steps to configure OpenShift Container Platform OAuth for more than one URI were missing. The documentation has been revised to include instructions for configuring OAuth in OpenShift Container Platform to use more than one URI. For more information, see Creating additional routes for the OpenShift Container Platform OAuth server. (ROX-11296)
• Before this update, the autogenerated image integration, such as a Docker registry integration, for a cluster is not deleted when the cluster is removed from Central. This issue is fixed. (ROX-9398)
• Before this update, the Image OS policy criteria did not support regular expressions, or regex. However, the documentation indicated that regular expressions were supported. This issue is fixed by adding support for regular expressions for the Image OS policy criteria. (ROX-12301)
• Before this update, the syslog integration did not respect a configured TCP proxy. This is now fixed.
• Before this update, the scanner-db pod failed to start when a resource quota was set for the stackrox namespace, because the init-db container in the pod did not have any resources assigned to it. The init-db container for ScannerDB now specifies resource requests and limits that match the db container. (ROX-12291)

Notable technical changes

• Scanning support for Red Hat Enterprise Linux 9: RHEL 9 is now generally available (GA). RHACS 3.72 introduces support for analyzing images built with Red Hat Universal Base Image (UBI) 9 and Red Hat Enterprise Linux (RHEL) 9 RPMs for vulnerabilities.
• Policy for CVEs with fixable CVSS of 6 or greater disabled by default: Beginning with this release, the Fixable CVSS >= 6 and Privileged policy is no longer enabled by default for new RHACS installations. The configuration of this policy is not changed when upgrading an existing system. A new policy Privileged Containers with Important and Critical Fixable CVEs, which gives an alert for containers running in privileged mode that have important or critical fixable vulnerabilities, has been added.

Security Fix(es)

• golang: encoding/pem: fix stack overflow in Decode (CVE-2022-24675)
• golang: regexp: stack exhaustion via a deeply nested expression (CVE-2022-24921)
• golang: crypto/elliptic: panic caused by oversized scalar (CVE-2022-28327)
• golang: syscall: faccessat checks wrong group (CVE-2022-29526)
• golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

To take advantage of the new features, bug fixes, and enhancements in RHACS 3.72 you are advised to upgrade to RHACS 3.72.0.

Affected Products

• Red Hat Advanced Cluster Security for Kubernetes 3 x86_64

Fixes

• BZ - 2064857 - CVE-2022-24921 golang: regexp: stack exhaustion via a deeply nested expression
• BZ - 2077688 - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode
• BZ - 2077689 - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar
• BZ - 2084085 - CVE-2022-29526 golang: syscall: faccessat checks wrong group
• BZ - 2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read
• ROX-12799 - Release RHACS 3.72.0

CVEs

• CVE-2015-20107
• CVE-2022-0391
• CVE-2022-1292
• CVE-2022-1586
• CVE-2022-1785
• CVE-2022-1897
• CVE-2022-1927
• CVE-2022-2068
• CVE-2022-2097
• CVE-2022-24675
• CVE-2022-24921
• CVE-2022-28327
• CVE-2022-29154
• CVE-2022-29526
• CVE-2022-30631
• CVE-2022-32206
• CVE-2022-32208
• CVE-2022-34903

References

• https://access.redhat.com/security/updates/classification/#moderate
• https://docs.openshift.com/acs/3.72/release_notes/372-release-notes.html