RHSA-2023:0631 - Security Advisory

Topic

Submariner 0.14 packages that fix various bugs and add various enhancements that are now available for Red Hat Advanced Cluster Management for Kubernetes version 2.7

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE links in the References section.

Description

Submariner enables direct networking between pods and services on different Kubernetes clusters that are either on-premises or in the cloud.

For more information about Submariner, see the Submariner open source community website at: https://submariner.io/.

This advisory contains bug fixes and enhancements to the Submariner container images.

Security fixes:

• CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY
• CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
• CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps
• CVE-2022-41717 golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests

Bugs addressed:

• subctl diagnose firewall metrics does not work on merged kubeconfig (BZ# 2013711)
• [Submariner] - Fails to increase gateway amount after deployment (BZ# 2097381)
• Submariner gateway node does not get deleted with subctl cloud cleanup command (BZ# 2108634)
• submariner GW pods are unable to resolve the DNS of the Broker K8s API URL (BZ# 2119362)
• Submariner gateway node does not get deployed after applying ManagedClusterAddOn on Openstack (BZ# 2124219)
• unable to run subctl benchmark latency, pods fail with ImagePullBackOff (BZ# 2130326)
• [IBM Z] - Submariner addon unistallation doesnt work from ACM console (BZ# 2136442)
• Tags on AWS security group for gateway node break cloud-controller LoadBalancer (BZ# 2139477)
• RHACM - Submariner: UI support for OpenStack #19297 (ACM-1242)
• Submariner OVN support (ACM-1358)
• Submariner Azure Console support (ACM-1388)
• ManagedClusterSet consumers migrate to v1beta2 (ACM-1614)
• Submariner on disconnected ACM #22000 (ACM-1678)
• Submariner gateway: Error creating AWS security group if already exists (ACM-2055)
• Submariner gateway security group in AWS not deleted when uninstalling submariner (ACM-2057)
• The submariner-metrics-proxy pod pulls an image with wrong naming convention (ACM-2058)
• The submariner-metrics-proxy pod is not part of the Agent readiness check (ACM-2067)
• Subctl 0.14.0 prints version "vsubctl" (ACM-2132)
• managedclusters "local-cluster" not found and missing Submariner Broker CRD (ACM-2145)
• Add support of ARO to Submariner deployment (ACM-2150)
• The e2e tests execution fails for "Basic TCP connectivity" tests (ACM-2204)
• Gateway error shown "diagnose all" tests (ACM-2206)
• Submariner does not support cluster "kube-proxy ipvs mode"(ACM-2211)
• Vsphere cluster shows Pod Security admission controller warnings (ACM-2256)
• Cannot use submariner with OSP and self signed certs (ACM-2274)
• Subctl diagnose tests spawn nettest image with wrong tag nameing convention (ACM-2387)
• Subctl 0.14.1 prints version "devel" (ACM-2482)

Solution

For details on how to install Submariner, refer to:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.7/html/add-ons/submariner#deploying-submariner-console

and

https://submariner.io/getting-started/

Affected Products

• Red Hat Advanced Cluster Management for Kubernetes 2 for RHEL 8 x86_64

Fixes

• BZ - 2013711 - subctl diagnose firewall metrics does not work on merged kubeconfig
• BZ - 2097381 - [Submariner] - Fails to increase gateway amount after deployment
• BZ - 2108634 - Submariner gateway node does not get deleted with subctl cloud cleanup command
• BZ - 2119362 - submariner GW pods are unable to resolve the DNS of the Broker K8s API URL
• BZ - 2124219 - Submariner gateway node does not get deployed after applying ManagedClusterAddOn on Openstack
• BZ - 2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY
• BZ - 2130326 - unable to run subctl benchmark latency, pods fail with ImagePullBackOff
• BZ - 2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
• BZ - 2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps
• BZ - 2136442 - [IBM Z] - Submariner addon unistallation doesnt work from ACM console
• BZ - 2139477 - Tags on AWS security group for gateway node break cloud-controller LoadBalancer
• BZ - 2161274 - CVE-2022-41717 golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests
• ACM-1614 - ManagedClusterSet consumers migrate to v1beta2 (Submariner)
• ACM-2055 - Submariner gateway: Error creating AWS security group if already exists
• ACM-2057 - [Submariner] - submariner gateway security group in aws not deleted when uninstalling submariner
• ACM-2058 - [Submariner] - The submariner-metrics-proxy pod pulls an image with wrong naming convention
• ACM-2067 - [Submariner] - The submariner-metrics-proxy pod is not part of the Agent readiness check
• ACM-2132 - Subctl 0.14.0 prints version "vsubctl"
• ACM-2145 - managedclusters "local-cluster" not found and missing Submariner Broker CRD
• ACM-2150 - Add support of ARO to Submariner deployment
• ACM-2204 - [Submariner] - e2e tests execution fails for "Basic TCP connectivity" tests
• ACM-2206 - [Submariner] - Gateway error shown "diagnose all" tests
• ACM-2211 - [Submariner] - Submariner does not support cluster "kube-proxy ipvs mode"
• ACM-2256 - [Submariner] - Vsphere cluster shows Pod Security admission controller warnings
• ACM-2274 - Cannot use submariner with OSP and self signed certs
• ACM-2387 - [Submariner] - subctl diagnose tests spawn nettest image with wrong tag nameing convention
• ACM-2482 - Subctl 0.14.1 prints version "devel"

CVEs

• CVE-2021-46848
• CVE-2022-1304
• CVE-2022-2509
• CVE-2022-2601
• CVE-2022-2880
• CVE-2022-3515
• CVE-2022-3775
• CVE-2022-3787
• CVE-2022-22624
• CVE-2022-22628
• CVE-2022-22629
• CVE-2022-22662
• CVE-2022-26700
• CVE-2022-26709
• CVE-2022-26710
• CVE-2022-26716
• CVE-2022-26717
• CVE-2022-26719
• CVE-2022-27664
• CVE-2022-30293
• CVE-2022-30698
• CVE-2022-30699
• CVE-2022-35737
• CVE-2022-40303
• CVE-2022-40304
• CVE-2022-41715
• CVE-2022-41717
• CVE-2022-42010
• CVE-2022-42011
• CVE-2022-42012
• CVE-2022-42898
• CVE-2022-43680

References

• https://access.redhat.com/security/updates/classification/#moderate