RHSA-2023:3943 - Security Advisory

Topic

Updated images are now available for Red Hat Advanced Cluster Security (RHACS). The updated image includes new features and bug fixes.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The release of ACS 4.1 provides these changes:

Security Fix(es):

• golang: crash in a golang.org/x/crypto/ssh server (CVE-2022-27191)
• net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (CVE-2022-41723)
• golang: net/http, net/textproto: denial of service from excessive memory allocation (CVE-2023-24534)
• golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption (CVE-2023-24536)
• golang: go/parser: Infinite loop in parsing (CVE-2023-24537)
• golang: html/template: backticks not treated as string delimiters (CVE-2023-24538)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

New features:

• Manual renewal of Central and Sensor certificates
• Vulnerability Management 2.0 (Technology Preview)
• RHACS Cloud Service scanning support for images pulled from on-premise registries
• eBPF collection method on IBM Z and IBM® LinuxONE
• Ability to configure the display of default compliance standards in the Compliance Dashboard
• Declarative configurations for authentication and authorization
• SSO configuration using the roxctl CLI
• New collection method based on BPF CO-RE (Technology Preview)
• Network graph updates
• Policy Management simplification
• New permission sets
• Improvements for Sensor resync (General Availability)

For notable technical changes, deprecated and removed features, bug fixes, and known issues, refer to the Release Notes.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat Advanced Cluster Security for Kubernetes 4 x86_64
• Red Hat Advanced Cluster Security for Kubernetes for IBM Z and LinuxONE 4 s390x
• Red Hat Advanced Cluster Security for Kubernetes for IBM Power, little endian 4 ppc64le

Fixes

• BZ - 2064702 - CVE-2022-27191 golang: crash in a golang.org/x/crypto/ssh server
• BZ - 2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding
• BZ - 2184481 - CVE-2023-24538 golang: html/template: backticks not treated as string delimiters
• BZ - 2184482 - CVE-2023-24536 golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption
• BZ - 2184483 - CVE-2023-24534 golang: net/http, net/textproto: denial of service from excessive memory allocation
• BZ - 2184484 - CVE-2023-24537 golang: go/parser: Infinite loop in parsing
• ROX-18018 - Release RHACS 4.1.0

CVEs

• CVE-2020-24736
• CVE-2022-27191
• CVE-2022-41723
• CVE-2023-1667
• CVE-2023-2283
• CVE-2023-24329
• CVE-2023-24534
• CVE-2023-24536
• CVE-2023-24537
• CVE-2023-24538
• CVE-2023-26604
• CVE-2023-32067

References

• https://access.redhat.com/security/updates/classification/#moderate
• https://docs.openshift.com/acs/4.1/release_notes/41-release-notes.html