-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Advanced Cluster Management 2.3.8 security and container updates
Advisory ID:       RHSA-2022:1083-01
Product:           Red Hat ACM
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:1083
Issue date:        2022-03-28
CVE Names:         CVE-2021-0920 CVE-2021-3999 CVE-2021-4154 
                   CVE-2021-23177 CVE-2021-23566 CVE-2021-31566 
                   CVE-2021-45960 CVE-2021-46143 CVE-2022-0144 
                   CVE-2022-0155 CVE-2022-0235 CVE-2022-0261 
                   CVE-2022-0318 CVE-2022-0330 CVE-2022-0359 
                   CVE-2022-0361 CVE-2022-0392 CVE-2022-0413 
                   CVE-2022-0435 CVE-2022-0492 CVE-2022-0516 
                   CVE-2022-0536 CVE-2022-0847 CVE-2022-22822 
                   CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 
                   CVE-2022-22826 CVE-2022-22827 CVE-2022-22942 
                   CVE-2022-23218 CVE-2022-23219 CVE-2022-23308 
                   CVE-2022-23852 CVE-2022-25235 CVE-2022-25236 
                   CVE-2022-25315 
=====================================================================

1. Summary:

Red Hat Advanced Cluster Management for Kubernetes 2.3.8 General
Availability release images, which provide security and container updates.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat Advanced Cluster Management for Kubernetes 2.3.8 images

Red Hat Advanced Cluster Management for Kubernetes provides the
capabilities to address common challenges that administrators and site
reliability engineers face as they work across a range of public and
private cloud environments. Clusters and applications are all visible and
managed from a single console—with security policy built in.

This advisory contains the container images for Red Hat Advanced Cluster
Management for Kubernetes, which fix several bugs. See the following
Release Notes documentation, which will be updated shortly for this
release, for additional details about this release:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.3/html/release_notes/

Security updates:

* nanoid: Information disclosure via valueOf() function (CVE-2021-23566)

* nodejs-shelljs: improper privilege management (CVE-2022-0144)

* follow-redirects: Exposure of Private Personal Information to an
Unauthorized Actor (CVE-2022-0155)

* node-fetch: exposure of sensitive information to an unauthorized actor
(CVE-2022-0235)

* follow-redirects: Exposure of Sensitive Information via Authorization
Header leak (CVE-2022-0536)

Bug fix:

* RHACM 2.3.8 images (Bugzilla #2062316)

3. Solution:

For Red Hat Advanced Cluster Management for Kubernetes, see the following
documentation, which will be updated shortly for this release, for
important
instructions on how to upgrade your cluster and fully apply this
asynchronous
errata update:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.3/html/release_notes/index

For details on how to apply this update, refer to:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.3/html-single/install/index#installing

4. Bugs fixed (https://bugzilla.redhat.com/):

2043535 - CVE-2022-0144 nodejs-shelljs: improper privilege management
2044556 - CVE-2022-0155 follow-redirects: Exposure of Private Personal Information to an Unauthorized Actor
2044591 - CVE-2022-0235 node-fetch: exposure of sensitive information to an unauthorized actor
2050853 - CVE-2021-23566 nanoid: Information disclosure via valueOf() function
2053259 - CVE-2022-0536 follow-redirects: Exposure of Sensitive Information via Authorization Header leak
2062316 - RHACM 2.3.8 images

5. References:

https://access.redhat.com/security/cve/CVE-2021-0920
https://access.redhat.com/security/cve/CVE-2021-3999
https://access.redhat.com/security/cve/CVE-2021-4154
https://access.redhat.com/security/cve/CVE-2021-23177
https://access.redhat.com/security/cve/CVE-2021-23566
https://access.redhat.com/security/cve/CVE-2021-31566
https://access.redhat.com/security/cve/CVE-2021-45960
https://access.redhat.com/security/cve/CVE-2021-46143
https://access.redhat.com/security/cve/CVE-2022-0144
https://access.redhat.com/security/cve/CVE-2022-0155
https://access.redhat.com/security/cve/CVE-2022-0235
https://access.redhat.com/security/cve/CVE-2022-0261
https://access.redhat.com/security/cve/CVE-2022-0318
https://access.redhat.com/security/cve/CVE-2022-0330
https://access.redhat.com/security/cve/CVE-2022-0359
https://access.redhat.com/security/cve/CVE-2022-0361
https://access.redhat.com/security/cve/CVE-2022-0392
https://access.redhat.com/security/cve/CVE-2022-0413
https://access.redhat.com/security/cve/CVE-2022-0435
https://access.redhat.com/security/cve/CVE-2022-0492
https://access.redhat.com/security/cve/CVE-2022-0516
https://access.redhat.com/security/cve/CVE-2022-0536
https://access.redhat.com/security/cve/CVE-2022-0847
https://access.redhat.com/security/cve/CVE-2022-22822
https://access.redhat.com/security/cve/CVE-2022-22823
https://access.redhat.com/security/cve/CVE-2022-22824
https://access.redhat.com/security/cve/CVE-2022-22825
https://access.redhat.com/security/cve/CVE-2022-22826
https://access.redhat.com/security/cve/CVE-2022-22827
https://access.redhat.com/security/cve/CVE-2022-22942
https://access.redhat.com/security/cve/CVE-2022-23218
https://access.redhat.com/security/cve/CVE-2022-23219
https://access.redhat.com/security/cve/CVE-2022-23308
https://access.redhat.com/security/cve/CVE-2022-23852
https://access.redhat.com/security/cve/CVE-2022-25235
https://access.redhat.com/security/cve/CVE-2022-25236
https://access.redhat.com/security/cve/CVE-2022-25315
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.3/html/release_notes/index
https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.3/html-single/install/index#installing

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYkIo2dzjgjWX9erEAQhzdRAApzusRXUC+F2IeIQYZGDmY0HErMJjF6P8
NqLzhtVqzqrZB++i3JbWHcGR2SPKAPfyDrPBDYUH8l/BRVdjta5a50D6TX+D5nxl
CQLiApm2/m67F8hRHZCVL8CdorXUiV15lacbUMdfpuEKL6xuKM7bafBLBqUojdyA
T/hYI6se1bcO848DFW3lIft8wsQhvkxdJB4MUx73DhaTU6OpOb1rbokEOsGMEf7r
rAHsEqsa0HXELBGnYrOfo9iBqXxCdbRHzqfHnsjIFegq6mTabjWi6q+95KFOmT5s
z5mym/smRxFlchAjNonna4MiJCX4ko0wBdL5Dis7ZbjEF+f92TLaHElBczvKB695
hMK8ujF7/p+mHl44PSyQw3uDzIAqGH3aZJBUggeJ1ECueUu/FdRNbsQW7L8OX0i6
Aryhgxi2TS7MgfUPQJ1gz2oPa9wZHGtibczYuOIGFTTLNG/5+oZRfgxqn8kTQWhR
1lTGMAHbkrW2++5ZCbksrGVJZXxQWwaKq9HpofAzlAngTEBo2Xf1BCKN05/ZWZmO
0PopgYCzlWkZVnCSbXAyFnYg1lm5BgHA9PKEG+w1+6klG6YN1T2EPlPFQrDNfoka
K7ieQGJGafmME/Rd70Sz1F1NW+tkDgvRjQ60A59fIDmN99tDzpQEp/DkUgFwXGzZ
Frbe7GnlRyc=
=hLEP
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce