RHSA-2025:11479 - Security Advisory

Topic

Updated images are now available for Red Hat Advanced Cluster Security for
Kubernetes (RHACS). The updated image includes security and bug fixes.

Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

Description

This release of RHACS 4.7.5 includes security and bug fixes. If you are
using an earlier version of RHACS 4.7, you are advised to upgrade to this
patch release 4.7.5.

Bugs fixed:

• Before this update, incorrect interpretation of Red Hat Enterprise Linux (RHEL) 10 Common Platform Enumeration (CPE) strings caused Scanner V4 to fail distribution checks on RHEL 10 systems. With this update, an updated RHEL CPE major version pattern resolves the issue, and Scanner V4 can now correctly support RHEL 10.
• Before this update, the failure of Sensor to call stream.Recv() caused gRPC flow control to block image reprocessing every 4 hours. With this update, the reprocessing loop includes a timeout for sending messages to Sensors, which resolves the issue and resumes the image reprocessing as expected.
• Before this update, you could observe excessive logging of telemetry collection status, resulting in log spam. With this update, the telemetry collection has been configured to not emit repeated logs continuously, which resolves the issue and significantly reduces the log volume.
• Before this update, a flaw in the signature verification algorithm caused valid signatures to be reported as invalid if they had a certain payload format. With this update, the enhanced robustness of the algorithm resolves the issue, and the system can now correctly assess the validity of signatures.

Security issue(s) fixed:

• Flaw in net/http allowed request smuggling due to improper handling of bare line feed (LF) in chunked data. (CVE-2025-22871)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

Solution

If you are using an earlier version of RHACS 4.7, you are advised to upgrade to this patch release 4.7.5.

Affected Products

• Red Hat Advanced Cluster Security for Kubernetes 4 x86_64
• Red Hat Advanced Cluster Security for Kubernetes for IBM Z and LinuxONE 4 s390x
• Red Hat Advanced Cluster Security for Kubernetes for IBM Power, little endian 4 ppc64le
• Red Hat Advanced Cluster Security for Kubernetes for ARM 4 aarch64

Fixes

• BZ - 2358493 - CVE-2025-22871 net/http: Request smuggling due to acceptance of invalid chunked data in net/http
• ROX-30092 - Release RHACS 4.7.5

CVEs

• CVE-2019-17543
• CVE-2023-40403
• CVE-2024-12718
• CVE-2024-23337
• CVE-2024-53920
• CVE-2025-4138
• CVE-2025-4330
• CVE-2025-4435
• CVE-2025-4517
• CVE-2025-4802
• CVE-2025-6020
• CVE-2025-6021
• CVE-2025-22871
• CVE-2025-47273
• CVE-2025-48060
• CVE-2025-49794
• CVE-2025-49796

References

• https://access.redhat.com/security/updates/classification/#moderate
• https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_security_for_kubernetes/4.7/html/release_notes/release-notes-47