RHSA-2022:1681: Moderate: Red Hat Advanced Cluster Management 2.4.4 security updates and bug fixes

First published: Tue May 03 2022(Updated: )

Red Hat Advanced Cluster Management for Kubernetes 2.4.4 images<br>Red Hat Advanced Cluster Management for Kubernetes provides the<br>capabilities to address common challenges that administrators and site<br>reliability engineers face as they work across a range of public and<br>private cloud environments. Clusters and applications are all visible and<br>managed from a single console—with security policy built in.<br>This advisory contains the container images for Red Hat Advanced Cluster<br>Management for Kubernetes, which fix several bugs. See the following<br>Release Notes documentation, which will be updated shortly for this<br>release, for additional details about this release:<br><a href="https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html/release_notes/" target="_blank">https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html/release_notes/</a> Security fixes:<br><li> Vm2: vulnerable to Sandbox Bypass (CVE-2021-23555)</li> <li> Golang.org/x/crypto: empty plaintext packet causes panic (CVE-2021-43565)</li> <li> Follow-redirects: Exposure of Private Personal Information to an Unauthorized Actor (CVE-2022-0155)</li> <li> Node-fetch: exposure of sensitive information to an unauthorized actor (CVE-2022-0235)</li> <li> Follow-redirects: Exposure of Sensitive Information via Authorization Header leak (CVE-2022-0536)</li> <li> Urijs: Authorization Bypass Through User-Controlled Key (CVE-2022-0613)</li> <li> Nconf: Prototype pollution in memory store (CVE-2022-21803)</li> <li> Nats-server: misusing the "dynamically provisioned sandbox accounts" feature authenticated user can obtain the privileges of the System account (CVE-2022-24450)</li> <li> Urijs: Leading white space bypasses protocol validation (CVE-2022-24723)</li> <li> Node-forge: Signature verification leniency in checking `digestAlgorithm` structure can lead to signature forgery (CVE-2022-24771)</li> <li> Node-forge: Signature verification failing to check tailing garbage bytes can lead to signature forgery (CVE-2022-24772)</li> <li> Node-forge: Signature verification leniency in checking `DigestInfo` structure (CVE-2022-24773)</li> <li> Cross-fetch: Exposure of Private Personal Information to an Unauthorized Actor (CVE-2022-1365)</li> <li> Moment.js: Path traversal in moment.locale (CVE-2022-24785)</li> Bug fixes:<br><li> Failed ClusterDeployment validation errors do not surface through the ClusterPool UI (Bugzilla #1995380)</li> <li> Agents wrong validation failure on failing to fetch image needed for installation (Bugzilla #2008583)</li> <li> Fix catalogsource name (Bugzilla #2038250)</li> <li> When the ocp console operator is disable on the managed cluster, the cluster claims failed to update (Bugzilla #2057761)</li> <li> Multicluster-operators-hub-subscription OOMKilled (Bugzilla #2053308)</li> <li> RHACM 2.4.1 Console becomes unstable and refuses login after one hour (Bugzilla #2061958)</li> <li> RHACM 2.4.4 images (Bugzilla #2077548)</li>

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• agent/references
• agent/severity
• agent/type
• agent/event
• agent/first-publish-date
• agent/last-modified-date
• collector/redhat-errata
• source/Red Hat
• anchor-id/RHSA-2022:1681
• agent/source
• agent/title
• agent/weakness
• agent/remedy
• agent/description
• agent/tags
• agent/softwarecombine
• agent/guess-ai
• agent/software-canonical-lookup
• agent/software-canonical-lookup-request
• vendor/red hat
• canonical/red hat advanced cluster management