[RHSA-2023:4650-01] Critical: Multicluster Engine for Kubernetes 2.2.7 security updates and bug fixes

Security announcements for all Red Hat products and services. rhsa-announce at redhat.com
Mon Aug 14 20:20:30 UTC 2023 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: Multicluster Engine for Kubernetes 2.2.7 security updates and bug fixes
Advisory ID:       RHSA-2023:4650-01
Product:           multicluster engine for Kubernetes
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4650
Issue date:        2023-08-14
CVE Names:         CVE-2020-24736 CVE-2023-1667 CVE-2023-2283 
                   CVE-2023-2602 CVE-2023-2603 CVE-2023-2828 
                   CVE-2023-3089 CVE-2023-27536 CVE-2023-28321 
                   CVE-2023-28484 CVE-2023-29469 CVE-2023-32681 
                   CVE-2023-34969 CVE-2023-37903 CVE-2023-38408 
=====================================================================

1. Summary:

Multicluster Engine for Kubernetes 2.2.7 General Availability release
images, which provide security updates and fix bugs.

Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE links in the References section.

2. Description:

Multicluster Engine for Kubernetes 2.2.7 images

Multicluster engine for Kubernetes provides the foundational components
that are necessary for the centralized management of multiple
Kubernetes-based clusters across data centers, public clouds, and private
clouds.

You can use the engine to create new Red Hat OpenShift Container Platform
clusters or to bring existing Kubernetes-based clusters under management by
importing them. After the clusters are managed, you can use the APIs that
are provided by the engine to distribute configuration based on placement
policy.

Security fix(es):
* CVE-2023-3089 openshift: OCP & FIPS mode
* CVE-2023-37903 vm2: custom inspect function allows attackers to escape
the sandbox and run arbitrary code

3. Solution:

For information and instructions for these updates, see the following
article: https://access.redhat.com/solutions/7022540.

For multicluster engine for Kubernetes, see the following documentation for
details on how to install the images:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.7/html/clusters/cluster_mce_overview#installing-while-connected-online-mce

4. Bugs fixed (https://bugzilla.redhat.com/):

2212085 - CVE-2023-3089 openshift: OCP & FIPS mode
2224969 - CVE-2023-37903 vm2: custom inspect function allows attackers to escape the sandbox and run arbitrary code

5. References:

https://access.redhat.com/security/cve/CVE-2020-24736
https://access.redhat.com/security/cve/CVE-2023-1667
https://access.redhat.com/security/cve/CVE-2023-2283
https://access.redhat.com/security/cve/CVE-2023-2602
https://access.redhat.com/security/cve/CVE-2023-2603
https://access.redhat.com/security/cve/CVE-2023-2828
https://access.redhat.com/security/cve/CVE-2023-3089
https://access.redhat.com/security/cve/CVE-2023-27536
https://access.redhat.com/security/cve/CVE-2023-28321
https://access.redhat.com/security/cve/CVE-2023-28484
https://access.redhat.com/security/cve/CVE-2023-29469
https://access.redhat.com/security/cve/CVE-2023-32681
https://access.redhat.com/security/cve/CVE-2023-34969
https://access.redhat.com/security/cve/CVE-2023-37903
https://access.redhat.com/security/cve/CVE-2023-38408
https://access.redhat.com/security/updates/classification/#critical
https://access.redhat.com/security/vulnerabilities/RHSB-2023-001

6. Contact:

The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJk2oyOAAoJENzjgjWX9erES9IP/ia7OvrxHKrr9Y/vEtjWONNe
FuAcQnXYC+Z353sjLypA9aPb92zLkk6gdDlAASl5jJyJSCu8ArnDJbbuEsLTuDB4
7hpgyy+IE/0U1fCy4TaF87kRBjPHfPbyrlEJe2lpTJFFqPNxUXbDN1SMRB162cAN
ZVdhxbRbNKIo4B+dwmHG6S71qOlYYeD0ju9aRDQhFGlGKEj5JYFc2meFNdkE/07x
ah575UrYN2jtC0fepWPUny9EDotEtuYGAKyE7M5O+gHdNu5aBCCiizjcjZRgfX6a
FRRYuVrvE7qKjs6Z7/XAlUta1ut/LVUE0H+yAM8wLnLe0KcFVXgSeCe5+BX2IdrY
wtQ81kQqimqCuqugNNhILTJZvYfie6rxPsozJEycKwsAyHMzEnEJCToIdnroClX0
JzbZ9pypxzBRRxfe862GrXJ592rbsJJQFGNQgoOB+tsiOmbBQCDAOnCq3ZLIaBx8
NsBxcshlDlI7MnDgJz2+tN+nnMWK88tuR+4zI8iOqZlxxMQQshxJchTs+3ZckNwR
84rffOay80r6VwsUU4+p099CaNj3pI8VzzkLSQn7dZAOuK+L1NEc8TyAEAOHAMNi
lm/gDUy469tnGFHuJFi23ZAbyCLk5NTBLa0OvzqkuLQ4NqWzgI/n1YID9NxGISsY
Ne55NzOKyUQAul8Ktg5F
=Uuh2
-----END PGP SIGNATURE-----

More information about the RHSA-announce mailing list