First published: Wed Dec 01 2021
The release of RHACS 3.67 provides the following new features, bug fixes, security patches and system changes:

OpenShift Dedicated support

RHACS 3.67 is thoroughly tested and supported on OpenShift Dedicated on Amazon Web Services and Google Cloud Platform.

1. Use OpenShift OAuth server as an identity provider

If you are using RHACS with OpenShift, you can now configure the built-in OpenShift OAuth server as an identity provider for RHACS.

2. Enhancements for CI outputs

Red Hat has improved the usability of RHACS CI integrations. CI outputs now show additional detailed information about the vulnerabilities and the security policies responsible for broken builds.

3. Runtime Class policy criteria

Using the Runtime Class policy criteria, you can now define in RHACS which container runtime configuration may be used to run a pod's containers.

Security Fix(es):

* civetweb: directory traversal when using the built-in example HTTP form-based file upload mechanism via the mg_handle_form_request API (CVE-2020-27304)
* nodejs-axios: Regular expression denial of service in trim function (CVE-2021-3749)
* nodejs-prismjs: ReDoS vulnerability (CVE-2021-3801)
* golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet (CVE-2021-29923)
* helm: information disclosure vulnerability (CVE-2021-32690)
* golang: archive/zip: malformed archive may cause panic or memory exhaustion (incomplete fix of CVE-2021-33196) (CVE-2021-39293)
* nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe (CVE-2021-23343)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fixes

The release of RHACS 3.67 includes the following bug fixes:

1. Previously, when using RHACS with the Compliance Operator integration, RHACS did not respect or populate Compliance Operator TailoredProfiles. This has been fixed.
2. Previously, the Alpine Linux Package Manager (apk) in Image policy looked for the presence of the apk package in the image rather than the apk-tools package. This issue has been fixed.

System changes

The release of RHACS 3.67 includes the following system changes:

1. Scanner now identifies vulnerabilities in Ubuntu 21.10 images.
2. The Port exposure method policy criteria now include route as an exposure method.
3. The OpenShift: Kubeadmin Secret Accessed security policy now allows the OpenShift Compliance Operator to check for the existence of the Kubeadmin secret without creating a violation.
4. The OpenShift Compliance Operator integration now supports using TailoredProfiles.
5. The RHACS Jenkins plugin now provides additional security information.
6. When you enable the environment variable ROX_NETWORK_ACCESS_LOG for Central, the logs contain the Request URI and X-Forwarded-For header values.
7. The default uid:gid pair for the Scanner image is now 65534:65534.
8. RHACS adds a new default Scope Manager role that includes the minimum permissions needed to create and modify access scopes.
9. If microdnf is part of an image or shows up in process execution, RHACS reports it as a security violation under the Red Hat Package Manager in Image or the Red Hat Package Manager Execution security policies.
10. In addition to manually uploading vulnerability definitions in offline mode, you can now upload definitions in online mode.
11. You can now format the output of the following roxctl CLI commands as table, CSV, or JSON: image scan, image check, and deployment check.
12. You can now use a regular expression for the deployment name when specifying policy exclusions.
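The golang net item in the security fixes above (CVE-2021-29923) concerns IPv4 strings whose octets carry leading zeros, such as "010.0.0.1": some parsers read such an octet as decimal and others as octal, so two components can disagree about which host a string names. The defensive response is to refuse the ambiguous spelling before it reaches any allow-list or policy decision. The following Go program is an added example and is not code from the advisory or from RHACS; StrictParseIPv4, Allowed, the allow-list CIDR and the sample addresses are all constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// ErrLeadingZero is returned when an IPv4 octet carries a leading zero
// (for example "010"); decimal and octal readers disagree on its value.
var ErrLeadingZero = errors.New("ipv4 octet has a leading zero")

// StrictParseIPv4 parses a dotted-quad IPv4 address and rejects every form
// that parsers disagree on: leading zeros, a wrong number of octets, empty
// octets, non-digit characters and octets above 255. It returns a 4-byte net.IP.
func StrictParseIPv4(s string) (net.IP, error) {
	parts := strings.Split(s, ".")
	if len(parts) != 4 {
		return nil, fmt.Errorf("expected 4 octets, got %d", len(parts))
	}
	out := make(net.IP, 4)
	for i, p := range parts {
		if p == "" {
			return nil, errors.New("empty octet")
		}
		// "0" is fine; "00", "010" and similar are the ambiguous spellings.
		if len(p) > 1 && p[0] == '0' {
			return nil, ErrLeadingZero
		}
		for _, c := range p {
			if c < '0' || c > '9' {
				return nil, fmt.Errorf("non-digit character %q in octet %q", c, p)
			}
		}
		n, err := strconv.Atoi(p)
		if err != nil || n > 255 {
			return nil, fmt.Errorf("octet %q out of range", p)
		}
		out[i] = byte(n)
	}
	return out, nil
}

// Allowed reports whether addr is a canonical IPv4 address inside one of the
// allow-list CIDRs. An ambiguous address is rejected with an error rather than
// resolved one way or the other.
func Allowed(addr string, allow []string) (bool, error) {
	ip, err := StrictParseIPv4(addr)
	if err != nil {
		return false, err
	}
	for _, c := range allow {
		_, cidr, err := net.ParseCIDR(c)
		if err != nil {
			return false, fmt.Errorf("bad allow-list entry %q: %w", c, err)
		}
		if cidr.Contains(ip) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed sample inputs; "010.0.0.1" is the ambiguous spelling.
	allow := []string{"10.0.0.0/8"}
	for _, a := range []string{"10.0.0.1", "010.0.0.1", "8.0.0.1"} {
		ok, err := Allowed(a, allow)
		fmt.Printf("%-12s allowed=%v err=%v (net.ParseIP=%v)\n", a, ok, err, net.ParseIP(a))
	}
}
```

The program prints what the standard library's net.ParseIP makes of each string only for comparison: its answer for the leading-zero form changed between Go releases as part of the fix for this CVE, which is exactly why a check that must behave the same everywhere should reject the form itself instead of relying on whichever interpretation the local runtime happens to apply.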