[RHSA-2022:0580-01] Important: Red Hat OpenShift GitOps security update

Security announcements for all Red Hat products and services. rhsa-announce at redhat.com
Fri Feb 18 04:12:54 UTC 2022


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift GitOps security update
Advisory ID:       RHSA-2022:0580-01
Product:           Red Hat OpenShift GitOps
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:0580
Issue date:        2022-02-17
CVE Names:         CVE-2016-4658 CVE-2019-5827 CVE-2019-13750 
                   CVE-2019-13751 CVE-2019-17594 CVE-2019-17595 
                   CVE-2019-18218 CVE-2019-19603 CVE-2019-20838 
                   CVE-2020-12762 CVE-2020-13435 CVE-2020-14145 
                   CVE-2020-14155 CVE-2020-16135 CVE-2020-24370 
                   CVE-2021-3200 CVE-2021-3426 CVE-2021-3445 
                   CVE-2021-3521 CVE-2021-3572 CVE-2021-3580 
                   CVE-2021-3712 CVE-2021-3800 CVE-2021-20231 
                   CVE-2021-20232 CVE-2021-20271 CVE-2021-22876 
                   CVE-2021-22898 CVE-2021-22925 CVE-2021-27645 
                   CVE-2021-28153 CVE-2021-33560 CVE-2021-33574 
                   CVE-2021-35942 CVE-2021-36084 CVE-2021-36085 
                   CVE-2021-36086 CVE-2021-36087 CVE-2021-37750 
                   CVE-2021-39241 CVE-2021-40346 CVE-2021-42574 
                   CVE-2021-43527 CVE-2021-44790 CVE-2022-24348 
=====================================================================

1. Summary:

An update for openshift-gitops-applicationset-container,
openshift-gitops-container, openshift-gitops-kam-delivery-container, and
openshift-gitops-operator-container is now available for Red Hat OpenShift
GitOps 1.2. (GitOps v1.2.2)

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift GitOps is a declarative way to implement continuous
deployment for cloud-native applications.

Security Fix(es):

* gitops: Path traversal and dereference of symlinks when passing Helm
value files (CVE-2022-24348)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2050826 - CVE-2022-24348 gitops: Path traversal and dereference of symlinks when passing Helm value files

5. References:

https://access.redhat.com/security/cve/CVE-2016-4658
https://access.redhat.com/security/cve/CVE-2019-5827
https://access.redhat.com/security/cve/CVE-2019-13750
https://access.redhat.com/security/cve/CVE-2019-13751
https://access.redhat.com/security/cve/CVE-2019-17594
https://access.redhat.com/security/cve/CVE-2019-17595
https://access.redhat.com/security/cve/CVE-2019-18218
https://access.redhat.com/security/cve/CVE-2019-19603
https://access.redhat.com/security/cve/CVE-2019-20838
https://access.redhat.com/security/cve/CVE-2020-12762
https://access.redhat.com/security/cve/CVE-2020-13435
https://access.redhat.com/security/cve/CVE-2020-14145
https://access.redhat.com/security/cve/CVE-2020-14155
https://access.redhat.com/security/cve/CVE-2020-16135
https://access.redhat.com/security/cve/CVE-2020-24370
https://access.redhat.com/security/cve/CVE-2021-3200
https://access.redhat.com/security/cve/CVE-2021-3426
https://access.redhat.com/security/cve/CVE-2021-3445
https://access.redhat.com/security/cve/CVE-2021-3521
https://access.redhat.com/security/cve/CVE-2021-3572
https://access.redhat.com/security/cve/CVE-2021-3580
https://access.redhat.com/security/cve/CVE-2021-3712
https://access.redhat.com/security/cve/CVE-2021-3800
https://access.redhat.com/security/cve/CVE-2021-20231
https://access.redhat.com/security/cve/CVE-2021-20232
https://access.redhat.com/security/cve/CVE-2021-20271
https://access.redhat.com/security/cve/CVE-2021-22876
https://access.redhat.com/security/cve/CVE-2021-22898
https://access.redhat.com/security/cve/CVE-2021-22925
https://access.redhat.com/security/cve/CVE-2021-27645
https://access.redhat.com/security/cve/CVE-2021-28153
https://access.redhat.com/security/cve/CVE-2021-33560
https://access.redhat.com/security/cve/CVE-2021-33574
https://access.redhat.com/security/cve/CVE-2021-35942
https://access.redhat.com/security/cve/CVE-2021-36084
https://access.redhat.com/security/cve/CVE-2021-36085
https://access.redhat.com/security/cve/CVE-2021-36086
https://access.redhat.com/security/cve/CVE-2021-36087
https://access.redhat.com/security/cve/CVE-2021-37750
https://access.redhat.com/security/cve/CVE-2021-39241
https://access.redhat.com/security/cve/CVE-2021-40346
https://access.redhat.com/security/cve/CVE-2021-42574
https://access.redhat.com/security/cve/CVE-2021-43527
https://access.redhat.com/security/cve/CVE-2021-44790
https://access.redhat.com/security/cve/CVE-2022-24348
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----