Home / mailings [RHSA-2022:6714-01] Moderate: RHACS 3.72 enhancement and security update
Posted on 26 September 2022
RedHat===================================================================== Red Hat Security Advisory
Synopsis: Moderate: RHACS 3.72 enhancement and security update
Advisory ID: RHSA-2022:6714-01
Product: RHACS
Advisory URL: https://access.redhat.com/errata/RHSA-2022:6714
Issue date: 2022-09-26
CVE Names: CVE-2015-20107 CVE-2022-0391 CVE-2022-1292
CVE-2022-1586 CVE-2022-1785 CVE-2022-1897
CVE-2022-1927 CVE-2022-2068 CVE-2022-2097
CVE-2022-24675 CVE-2022-24921 CVE-2022-28327
CVE-2022-29154 CVE-2022-29526 CVE-2022-30631
CVE-2022-32206 CVE-2022-32208 CVE-2022-34903
=====================================================================
1. Summary:
Updated images are now available for Red Hat Advanced Cluster Security for
Kubernetes (RHACS). The updated image includes new features and bug fixes.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Description:
Release of RHACS 3.72 provides these changes:
New features
* Automatic removal of nonactive clusters from RHACS: RHACS provides the
ability to configure your system to automatically remove nonactive clusters
from RHACS so that you can monitor active clusters only.
* Support for unauthenticated email integration: RHACS now supports
unauthenticated SMTP for email integrations. This is insecure and not
recommended.
* Support for Quay robot accounts: RHACS now supports use of robot accounts
in quay.io integrations. You can create robot accounts in Quay that allow
you to share credentials for use in multiple repositories.
* Ability to view Dockerfile lines in images that introduced components
with Common Vulnerabilities and Exposures (CVEs): In the Images view, under
Image Findings, you can view individual lines in the Dockerfile that
introduced the components that have been identified as containing CVEs.
* Network graph improvements: RHACS 3.72 includes some improvements to the
Network Graph user interface.
Known issue
* RHACS shows the wrong severity when two severities exist for a single
vulnerability in a single distribution. This issue occurs because RHACS
scopes severities by namespace rather than component. There is no
workaround. It is anticipated that an upcoming release will include a fix
for this issue. (ROX-12527)
Bug fixes
* Before this update, the steps to configure OpenShift Container Platform
OAuth for more than one URI were missing. The documentation has been
revised to include instructions for configuring OAuth in OpenShift
Container Platform to use more than one URI. For more information, see
Creating additional routes for the OpenShift Container Platform OAuth
server. (ROX-11296)
* Before this update, the autogenerated image integration, such as a Docker
registry integration, for a cluster is not deleted when the cluster is
removed from Central. This issue is fixed. (ROX-9398)
* Before this update, the Image OS policy criteria did not support regular
expressions, or regex. However, the documentation indicated that regular
expressions were supported. This issue is fixed by adding support for
regular expressions for the Image OS policy criteria. (ROX-12301)
* Before this update, the syslog integration did not respect a configured
TCP proxy. This is now fixed.
* Before this update, the scanner-db pod failed to start when a resource
quota was set for the stackrox namespace, because the init-db container in
the pod did not have any resources assigned to it. The init-db container
for ScannerDB now specifies resource requests and limits that match the db
container. (ROX-12291)
Notable technical changes
* Scanning support for Red Hat Enterprise Linux 9: RHEL 9 is now generally
available (GA). RHACS 3.72 introduces support for analyzing images built
with Red Hat Universal Base Image (UBI) 9 and Red Hat Enterprise Linux
(RHEL) 9 RPMs for vulnerabilities.
* Policy for CVEs with fixable CVSS of 6 or greater disabled by default:
Beginning with this release, the Fixable CVSS >= 6 and Privileged policy is
no longer enabled by default for new RHACS installations. The configuration
of this policy is not changed when upgrading an existing system. A new
policy Privileged Containers with Important and Critical Fixable CVEs,
which gives an alert for containers running in privileged mode that have
important or critical fixable vulnerabilities, has been added.
Security Fix(es)
* golang: encoding/pem: fix stack overflow in Decode (CVE-2022-24675)
* golang: regexp: stack exhaustion via a deeply nested expression
(CVE-2022-24921)
* golang: crypto/elliptic: panic caused by oversized scalar
(CVE-2022-28327)
* golang: syscall: faccessat checks wrong group (CVE-2022-29526)
* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
3. Solution:
To take advantage of the new features, bug fixes, and enhancements in RHACS
3.72 you are advised to upgrade to RHACS 3.72.0.
4. Bugs fixed (https://bugzilla.redhat.com/):
2064857 - CVE-2022-24921 golang: regexp: stack exhaustion via a deeply nested expression
2077688 - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode
2077689 - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar
2084085 - CVE-2022-29526 golang: syscall: faccessat checks wrong group
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read
5. JIRA issues fixed (https://issues.jboss.org/):
ROX-12799 - Release RHACS 3.72.0
6. References:
https://access.redhat.com/security/cve/CVE-2015-20107
https://access.redhat.com/security/cve/CVE-2022-0391
https://access.redhat.com/security/cve/CVE-2022-1292
https://access.redhat.com/security/cve/CVE-2022-1586
https://access.redhat.com/security/cve/CVE-2022-1785
https://access.redhat.com/security/cve/CVE-2022-1897
https://access.redhat.com/security/cve/CVE-2022-1927
https://access.redhat.com/security/cve/CVE-2022-2068
https://access.redhat.com/security/cve/CVE-2022-2097
https://access.redhat.com/security/cve/CVE-2022-24675
https://access.redhat.com/security/cve/CVE-2022-24921
https://access.redhat.com/security/cve/CVE-2022-28327
https://access.redhat.com/security/cve/CVE-2022-29154
https://access.redhat.com/security/cve/CVE-2022-29526
https://access.redhat.com/security/cve/CVE-2022-30631
https://access.redhat.com/security/cve/CVE-2022-32206
https://access.redhat.com/security/cve/CVE-2022-32208
https://access.redhat.com/security/cve/CVE-2022-34903
https://access.redhat.com/security/updates/classification/#moderate
https://docs.openshift.com/acs/3.72/release_notes/372-release-notes.html
7. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.