First published: Tue Dec 06 2022
Release of RHACS 3.73 provides these changes:<br>
New features:<br>
<li> Red Hat Advanced Cluster Security Cloud Service (ACSCS) is a Red Hat managed service that simplifies and accelerates RHACS deployments. ACSCS is available as a Field Trial release. For more information about accessing ACSCS, contact Red Hat Sales.</li>
<li> Improved Vulnerability Management dashboard for ACSCS users.</li>
<li> PostgreSQL database option is available as a Technology Preview feature. If you are interested in participating in the Technology Preview program, contact your Red Hat account representative.</li>
<li> A new build-time network policy generator, available as a Technology Preview feature, generates Kubernetes network policies from application YAML manifests.</li>
Notable technical changes:<br>
<li> RHACS uses GraphQL internally to show data in the RHACS portal. However, Red Hat does not support querying RHACS using GraphQL. If you are using GraphQL, see <a href="https://access.redhat.com/articles/6986289" target="_blank">https://access.redhat.com/articles/6986289</a> and contact Red Hat Consulting.</li>
<li> Sensor no longer uses the `anyuid` Security Context Constraint (SCC). Instead, the default SCC for Sensor is now `restricted[-v2]` or `stackrox-sensor`, depending on the settings. In addition, the `runAsUser` and `fsGroup` for the Admission control and Sensor deployments are no longer hard-coded to `4000` on OpenShift clusters, which allows them to run under the `restricted` and `restricted-v2` SCCs. (ROX-9342)</li>
<li> The service account `central`, which the Central deployment uses, now includes `get` and `list` access to the pods, events, and namespaces resources in the namespace where you deploy Central.</li>
<li> The CSV export API `/api/vm/export/csv` now requires the `CVE Type` filter as part of the input query parameter. Supported values for `CVE Type` are `IMAGE_CVE`, `K8S_CVE`, `ISTIO_CVE`, `NODE_CVE`, and `OPENSHIFT_CVE`.</li>
Notice of in-product docs removal:<br>
<li> Beginning with the RHACS 3.74 release, Red Hat will remove the in-product docs accessible from the help menu. If you are using the in-product docs, you can instead download the required documentation in PDF format from the Red Hat Customer Portal. (ROX-12839)</li>
Bug fixes:<br>
<li> Previously, if you were using the StackRox Kubernetes Security Platform - Splunk Technology Add-on, results for the `ocp4-cis-node` compliance standard were missing from Splunk. This issue is now fixed. The Splunk integration now includes the `ocp4-cis-node` compliance standard results. (ROX-11937)</li>
<li> Previously, Central would fail on the v1 CronJob deployment check. This issue is fixed. (ROX-13500)</li>
Security Fix(es):<br>
<li> imgcrypt: Unauthorized access to encrypted container image on a shared system due to missing check in CheckAuthorization() code path (CVE-2022-24778)</li>
<li> app-containers/cosign: false positive verification (CVE-2022-36056)</li>
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
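The CSV export change above is the one item in these notes that breaks existing automation: a script that called `/api/vm/export/csv` without a `CVE Type` term stops working on 3.73. The following is an added example, not code from the Red Hat advisory or from the RHACS project, of how such a script can be adapted. It assumes Central is reachable at `ROX_ENDPOINT` with an API token in `ROX_API_TOKEN`, that the endpoint reads its search string from a `query` URL parameter, and that additional search terms are ANDed onto the `CVE Type` term with `+` as in other RHACS search strings; the parameter name, the `+` conjunction, and the `Severity:` filter used for illustration are assumptions, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Red Hat advisory or the RHACS project):
# build and issue a Vulnerability Management CSV export against Central,
# now that /api/vm/export/csv requires a `CVE Type` filter.
#
# Assumptions: Central is reachable at $ROX_ENDPOINT (host[:port]),
# an API token is in $ROX_API_TOKEN, the endpoint reads its search string
# from the `query` URL parameter, and further search terms are joined to
# the CVE Type term with '+'. Function names are this example's own.

# The five supported values listed in the 3.73 release notes.
VALID_CVE_TYPES="IMAGE_CVE K8S_CVE ISTIO_CVE NODE_CVE OPENSHIFT_CVE"

# Print the search string for one CVE type, optionally ANDed with extra
# search terms (e.g. "Severity:CRITICAL_VULNERABILITY_SEVERITY", an
# assumed example term). Rejects unknown types locally with exit status 1,
# so a typo fails fast instead of producing an HTTP error from Central.
vm_csv_query() {
    cve_type="$1"
    extra="$2"
    for t in $VALID_CVE_TYPES; do
        if [ "$t" = "$cve_type" ]; then
            if [ -n "$extra" ]; then
                printf '%s\n' "CVE Type:$cve_type+$extra"
            else
                printf '%s\n' "CVE Type:$cve_type"
            fi
            return 0
        fi
    done
    printf 'unsupported CVE Type: %s (expected one of: %s)\n' \
        "$cve_type" "$VALID_CVE_TYPES" >&2
    return 1
}

# Run the export and write the CSV to $2. `-G --data-urlencode` makes curl
# build the query string itself, so the space in "CVE Type" and the ':'
# and '+' characters are percent-encoded correctly. --fail turns an HTTP
# error (e.g. a rejected query) into a non-zero exit status.
export_vm_csv() {
    cve_type="$1"
    outfile="$2"
    extra="$3"
    q="$(vm_csv_query "$cve_type" "$extra")" || return 1
    curl --fail --silent --show-error -G \
        -H "Authorization: Bearer ${ROX_API_TOKEN:?set ROX_API_TOKEN}" \
        --data-urlencode "query=$q" \
        -o "$outfile" \
        "https://${ROX_ENDPOINT:?set ROX_ENDPOINT}/api/vm/export/csv"
}

# Usage: export all image CVEs, then only critical node CVEs.
#   export_vm_csv IMAGE_CVE image-cves.csv
#   export_vm_csv NODE_CVE critical-node-cves.csv \
#       'Severity:CRITICAL_VULNERABILITY_SEVERITY'
```

A pre-3.73 script that exported "everything" in one call now has to loop over the five `CVE Type` values and concatenate the files, since each request carries exactly one type.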