[RHSA-2022:0431-06] Moderate: Red Hat Advanced Cluster Security 3.68 security and enhancement update

Security announcements for all Red Hat products and services. rhsa-announce at redhat.com
Thu Feb 3 17:21:58 UTC 2022 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Advanced Cluster Security 3.68 security and enhancement update
Advisory ID:       RHSA-2022:0431-01
Product:           RHACS
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:0431
Issue date:        2022-02-03
CVE Names:         CVE-2021-3712 CVE-2021-29923 CVE-2021-42574 
=====================================================================

1. Summary:

Updated images are now available for Red Hat Advanced Cluster Security for
Kubernetes (RHACS). The updated image includes a bug fixes, security
patches and new feature enhancements.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

New features
1. Vulnerability triage workflows - RHACS 3.68 includes the ability to
triage vulnerabilities in a variety of ways to support your vulnerability
management process. See Managing vulnerabilities for more information.
2. Report scheduling for vulnerabilities - RHACS 3.68 includes the ability
to schedule reports for vulnerabilities helping you to send scheduled
communications to key stakeholders to assist in the vulnerability
management process. See Reporting vulnerabilities to teams for more
information.
3. Use AWS ECR AssumeRoles - AWS AssumeRoles allows you to define roles
with specific permissions and then granting users access to those roles.
{product-title} 3.68 includes the ability to use AWS ECR AssumeRoles to
configure roles and grant various levels of access to users. For more
details, see Using assumerole with Amazon ECR.

Important bug fixes

1. Previously, searching for CVE’s with a specific severity did not
returned any results. This issue has been fixed.
2. Previously, when configuring the Manage Watches feature, if you added
more than 12 images to the watch list, the image list would not display
properly. This issue has been fixed.
3. Previously, when the RHACS Operator accessed the central-htpasswd
secret, it would create a false positive policy violation for the
OpenShift: Advanced Cluster Security Central Admin Secret Accessed default
policy. This issue has been fixed.

Security update

1. In earlier versions of RHACS, the write permission for the APIToken
resource allowed users to create API tokens for any role, including the
admin role. This issue has been fixed.
2. The scanner image has been updated to patch CVE-2021-29923.
* golang: net: incorrect parsing of extraneous zero characters at the
beginning of an IP address octet (CVE-2021-29923)

Important system changes

1. RHACS 3.68 includes updates for the Log4Shell vulnerability detection
policy. With this update this policy also detects CVE-2021-45046 and it
includes the updated remediation based on the latest guidance by the Apache
Logging security team.
2. When you upgrade to RHACS 3.68, roles that include write access on the
Images resource will have write permissions for both
VulnerabilityManagementRequests and VulnerabilityManagementApprovals
resource. Red Hat recommends updating the roles to only include the least
amount of resources required for each role.
3. If you have installed RHACS using Helm, this update disabled the cluster
configuration options in the {product-title-short} portal. You can continue
to use Helm configuration files.
4. RHACS 3.68 sends notifications for every runtime policy violation rather
than sending notifications only the first encountered violation. This is
the default behavior.
5. Tags of the scanner, scanner-db, and collector images, including the
collector-slim variant, are now identical to the main image tag.
6. Red Has changed the image names for collector-slim. -slim is no longer
part of the image tag.
7. The roxctl CLI includes a new --image-defaults option for the roxctl
helm output and roxctl central generate commands. It allows selecting the
default registry from which container images are taken for deploying
central and scanner.
8. Red Hat has deprecated the --rhacs option for the roxctl helm output
command. Use --rhacs-image-defaults option instead.
9. By default, the roxctl helm output command now uses the images from
registry.redhat.io rather than stackrox.io.

3. Solution:

To take advantage of the new features, bug fixes and security patches
issued in 3.68 you are advised to upgrade to patch release 3.68.0.

4. Bugs fixed (https://bugzilla.redhat.com/):

1992006 - CVE-2021-29923 golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet

5. JIRA issues fixed (https://issues.jboss.org/):

RHACS-110 - Release RHACS 3.68.0
RHACS-94 - stackrox.io is still default image source in output of "roxctl central generate"

6. References:

https://access.redhat.com/security/cve/CVE-2021-3712
https://access.redhat.com/security/cve/CVE-2021-29923
https://access.redhat.com/security/cve/CVE-2021-42574
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYfwPNtzjgjWX9erEAQh2/Q/7BQtG1eujhb+cs4AlqkoQHZ8bqYr+gRkr
FUb5IJHESWOOourFzP2u4Ihs+nnFycJPQ0uUd8RUJrCXBTU/EneykhP8DxYrx0HT
2/Rkmv1SJuq+uIUx4Bvc9ieSeHRcAAHZb9Tpnj9MUci732mW0OhUOebxEtvA307z
M4nS+XPcqIZhwYZwP37u+wemh8Fu5Xwi1NQ5iqQUQtht9HjIWX0Uzl7fGRQ/QfbW
Ye1wakssfVVc+DPBCNMRy1bM9YAo0wRIFgCCORNcxXqSn5zHE6PeOQXA57K65fUI
JKwRz3vih9TE3gzwCMVSoMtWhHDQD0lqa6cqvkkbmrFoS66zSAmuORsWGK7GB1nP
X8xbBWy1TulLwN/73sBKnQ1jMdk1k2sVr4AvBvdVrS/y2MTMTBi44co99Jy85n5O
9IkW/Dv7AmYkHnTVjZzKP5DST3xsyeCAyVOm144ztAZsW7Vw+6V9XE+xW7TUF6q/
hZoaLQbSIJPfz2+uXwbieGiNh7bummg1mGWa7aed2I+0dd6h6Ko9iQQhxl37Qu/X
X/BkQRGoRLHXfGxmPTTtw6xhgGtKQ3Yk+4ExQF9Npz9mBNgaAvyHHKQUBm8Q19y9
WpHaSMjJcFpKn7zylGml+IS0AxHxm0q7pYy41obuGSTpnAT9GcJsgVIIKVivvGgY
eH69S/bKdsk=
=9PYz
-----END PGP SIGNATURE-----

More information about the RHSA-announce mailing list