Issued: 2025-03-20
Updated: 2025-03-20
RHSA-2025:3053 - Security Advisory
Synopsis
Important: Gatekeeper v3.15.4
Type/Severity
Security Advisory: Important
Topic
Gatekeeper v3.15.4
Description
Gatekeeper v3.15.4
Gatekeeper is a validating webhook with auditing capabilities that can
enforce custom resource definition-based policies that are run with the
Open Policy Agent (OPA). Gatekeeper is supported through a Red Hat Advanced
Cluster Management for Kubernetes subscription.
Starting in v3.15, the following namespaces are exempt from admission control by default (entries ending in * are wildcards that match every namespace with that prefix):
- kube-*
- multicluster-engine
- hypershift
- hive
- rhacs-operator
- open-cluster-*
- openshift-*
To replace the default exemptions, set the namespaces you want exempted explicitly on the Gatekeeper object. Because wildcard entries match by prefix, any namespace whose name begins with one of the wildcard prefixes is skipped by the webhook, so review which users can create namespaces with those prefixes.
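The exemption list above is what a practitioner would want to check against the namespaces actually present on a cluster. The following Go program is an added example, not code from the advisory or from the Gatekeeper project: it reimplements the wildcard rule that Gatekeeper applies to excluded namespaces (assumed here to be: a leading * matches a suffix, a trailing * matches a prefix, anything else matches exactly), walks a constructed namespace list, and reports which namespaces each default entry sweeps in and which remain enforced. The namespace names in clusterNamespaces are constructed sample input, not real cluster output.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// DefaultExemptNamespaces is the v3.15 default exemption list quoted in the advisory.
var DefaultExemptNamespaces = []string{
	"kube-*",
	"multicluster-engine",
	"hypershift",
	"hive",
	"rhacs-operator",
	"open-cluster-*",
	"openshift-*",
}

// WildcardMatches mirrors the wildcard rule Gatekeeper applies to excluded
// namespaces (assumption, reimplemented here): a leading "*" matches a suffix,
// a trailing "*" matches a prefix, and anything else must match exactly.
func WildcardMatches(pattern, ns string) bool {
	switch {
	case strings.HasPrefix(pattern, "*"):
		return strings.HasSuffix(ns, strings.TrimPrefix(pattern, "*"))
	case strings.HasSuffix(pattern, "*"):
		return strings.HasPrefix(ns, strings.TrimSuffix(pattern, "*"))
	default:
		return pattern == ns
	}
}

// MatchingPattern returns the first exemption entry that covers ns, and false
// if the namespace stays under admission control.
func MatchingPattern(ns string, exemptions []string) (string, bool) {
	for _, p := range exemptions {
		if WildcardMatches(p, ns) {
			return p, true
		}
	}
	return "", false
}

// Report groups namespaces by the exemption entry that covers them. The
// empty-string key holds the namespaces that remain enforced.
func Report(namespaces, exemptions []string) map[string][]string {
	out := make(map[string][]string)
	for _, ns := range namespaces {
		p, _ := MatchingPattern(ns, exemptions)
		out[p] = append(out[p], ns)
	}
	for k := range out {
		sort.Strings(out[k])
	}
	return out
}

// clusterNamespaces is constructed sample input, not output from a real cluster.
var clusterNamespaces = []string{
	"kube-system",
	"openshift-monitoring",
	"open-cluster-management",
	"multicluster-engine",
	"team-a",
	"hive",
	"open-cluster-teamb",    // constructed tenant namespace that picks up the open-cluster-* prefix
	"kubernetes-dashboard",  // does not start with "kube-", so it stays enforced
}

func main() {
	r := Report(clusterNamespaces, DefaultExemptNamespaces)
	keys := make([]string, 0, len(r))
	for k := range r {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		label := k
		if k == "" {
			label = "(enforced)"
		}
		fmt.Printf("%-22s %s\n", label, strings.Join(r[k], ", "))
	}
}
```

The report makes the prefix behaviour visible: open-cluster-teamb is exempt purely because of its name, while kubernetes-dashboard is not, since kube-* is a prefix match rather than a substring match. Run the same check against the output of a real namespace listing before relying on the default exemptions.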
Security fix(es):
- golang.org/x/oauth2: Unexpected memory consumption during token parsing in golang.org/x/oauth2 (CVE-2025-22868)
- golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh (CVE-2025-22869)
Additional Release Notes:
Solution
For more information, see the following resources:
- See the Gatekeeper documentation: https://open-policy-agent.github.io/gatekeeper/website/docs/.
- For support and troubleshooting, Gatekeeper is supported through a Red Hat Advanced Cluster Management for Kubernetes subscription: https://access.redhat.com/products/red-hat-advanced-cluster-management-for-kubernetes.
- The Open Policy Agent Gatekeeper community collaborates on Slack. Join the #opa-gatekeeper channel: https://openpolicyagent.slack.com/archives/CDTN970AX.
- Open issues on the Gatekeeper GitHub repository: https://github.com/open-policy-agent/gatekeeper/issues.
- See the installation and upgrade documentation: https://open-policy-agent.github.io/gatekeeper/website/docs/install.
Affected Products
- Gatekeeper 3.15 x86_64
Fixes
- BZ - 2348366 - CVE-2025-22868 golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws
- BZ - 2348367 - CVE-2025-22869 golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh
- HYPBLD-606 - New Deliverable Request for Gatekeeper 3.15.4
- ACM-18305 - Release Gatekeeper v3.15.4
- ACM-18536 - [3.15] Gatekeeper auditFromCache=Automatic error when namespaceSelector is used in match
CVEs
- CVE-2025-22868
- CVE-2025-22869
Container images (pull by digest)
aarch64
gatekeeper/gatekeeper-rhel9@sha256:9530577a1ddbc3fd1cc27fa9bf25220a4437f20817d85974a3066fd3d4229d94
gatekeeper/gatekeeper-rhel9-operator@sha256:f287794acade33527da37fa3d6d872753231ac40546bdadf577ea4c3eb3a9347
ppc64le
gatekeeper/gatekeeper-rhel9@sha256:c0130d50528c55aa6819f7b722ad39bb583f1b8b961c47e32a8561d34440883c
gatekeeper/gatekeeper-rhel9-operator@sha256:f59983c70575e23e7e0e04422a0db15f99d8943c9246878044b205e871934635
s390x
gatekeeper/gatekeeper-rhel9@sha256:b893c6fd9d1414efd34c51fdc08795c9ddf5e73053c5cc1b742eea04c6a1d4bf
gatekeeper/gatekeeper-rhel9-operator@sha256:d4cb7893bc7ddf352e9ee37f97461c798002cc79e1eea8706944f94f6b07a460
x86_64
gatekeeper/gatekeeper-operator-bundle@sha256:96b77663961daea3a336b97e34e9412281bfb2727854dc970a69edd029b9af85
gatekeeper/gatekeeper-rhel9@sha256:2861cb1f2dec29a50a1b920768f8c7d463c7917b4267cb62813f7378972ecd63
gatekeeper/gatekeeper-rhel9-operator@sha256:e8e33ff4369c91bbf63c4c81979e0231ff247f3b0ab7a2872c0918a5455a1a2d
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.