RHSA-2025:3498 - Security Advisory

Topic

Red Hat multicluster global hub 1.2.2 general availability release, with
updates to container images and bug fixes.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE links in the References section.

Description

Red Hat multicluster global hub 1.2.2 images

This advisory contains the container images for multicluster
global hub. These container images provide enhancements.

Security Fix(es) from Bugzilla:

• golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh (CVE-2025-22869)
• golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws (CVE-2025-22868)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in the
References section.

Solution

Before applying this update, make sure all previously released erratas are
relevant and have been applied to your system.

Affected Products

• Multicluster Global Hub 1.2 x86_64

Fixes

• BZ - 2348366 - CVE-2025-22868 golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws
• BZ - 2348367 - CVE-2025-22869 golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh

CVEs

• CVE-2020-11023
• CVE-2022-49043
• CVE-2024-9287
• CVE-2024-56171
• CVE-2025-22868
• CVE-2025-22869
• CVE-2025-24928

References

• https://access.redhat.com/security/updates/classification/#important