-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Advanced Cluster Management 2.6.5 security updates and bug fixes
Advisory ID:       RHSA-2023:2083-01
Product:           Red Hat ACM
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:2083
Issue date:        2023-05-02
CVE Names:         CVE-2020-10735 CVE-2021-28861 CVE-2022-3841 
                   CVE-2022-4269 CVE-2022-4304 CVE-2022-4378 
                   CVE-2022-4415 CVE-2022-4450 CVE-2022-25881 
                   CVE-2022-40897 CVE-2022-45061 CVE-2022-48303 
                   CVE-2023-0215 CVE-2023-0266 CVE-2023-0286 
                   CVE-2023-0361 CVE-2023-0386 CVE-2023-23916 
=====================================================================

1. Summary:

Red Hat Advanced Cluster Management for Kubernetes 2.6.5 General
Availability release images, which fix bugs and security updates container
images.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE links in the References section.

2. Description:

Red Hat Advanced Cluster Management for Kubernetes 2.6.5 images

Red Hat Advanced Cluster Management for Kubernetes provides the
capabilities to address common challenges that administrators and site
reliability engineers face as they work across a range of public and
private cloud environments. Clusters and applications are all visible and
managed from a single console—with security policy built in.

This advisory contains the container images for Red Hat Advanced Cluster
Management for Kubernetes, which fix several bugs. See the following
Release Notes documentation, which will be updated shortly for this
release, for additional details about this release:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.6/html/release_notes/

Security fix(es):
* CVE-2022-25881 http-cache-semantics: Regular Expression Denial of Service
(ReDoS) vulnerability
* CVE-2022-3841 RHACM: unauthenticated SSRF in console API endpoint

Jira issues addressed:
* ACM-3516: ACM 2.6.5 images

3. Solution:

For Red Hat Advanced Cluster Management for Kubernetes, see the following
documentation for details on how to install the images:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.6/html/install/installing#installing-while-connected-online

4. Bugs fixed (https://bugzilla.redhat.com/):

2139426 - CVE-2022-3841 RHACM: unauthenticated SSRF in console API endpoint
2165824 - CVE-2022-25881 http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability

5. JIRA issues fixed (https://issues.jboss.org/):

ACM-3516 - ACM 2.6.5 Images

6. References:

https://access.redhat.com/security/cve/CVE-2020-10735
https://access.redhat.com/security/cve/CVE-2021-28861
https://access.redhat.com/security/cve/CVE-2022-3841
https://access.redhat.com/security/cve/CVE-2022-4269
https://access.redhat.com/security/cve/CVE-2022-4304
https://access.redhat.com/security/cve/CVE-2022-4378
https://access.redhat.com/security/cve/CVE-2022-4415
https://access.redhat.com/security/cve/CVE-2022-4450
https://access.redhat.com/security/cve/CVE-2022-25881
https://access.redhat.com/security/cve/CVE-2022-40897
https://access.redhat.com/security/cve/CVE-2022-45061
https://access.redhat.com/security/cve/CVE-2022-48303
https://access.redhat.com/security/cve/CVE-2023-0215
https://access.redhat.com/security/cve/CVE-2023-0266
https://access.redhat.com/security/cve/CVE-2023-0286
https://access.redhat.com/security/cve/CVE-2023-0361
https://access.redhat.com/security/cve/CVE-2023-0386
https://access.redhat.com/security/cve/CVE-2023-23916
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZFFOn9zjgjWX9erEAQj+jQ//SEjgQpVdMTwbzqrKnwWrIuGaZpgduNIV
KWh4YtsCRxkPOdEw2JXDu1ApTJjCrAmd4VCPmsKdYfsWqeIrLlTgOxjL8P31uoSG
B6wP2CDYC93KD0ucier97XWAMpM8MToFJqD7aKRwZaJRUeR7hySx/5mS5BqLsyay
Bm0sc4Fo6W7qjTPp9/NKQhx/f1zkR3dpXit+Y9BfhPZMJan4BksEHx4j4qFv3J+g
GN+KNQb3wu1GvOQB6dt8VEeCZaLUf3iiCAOLaYLjUnj4SH4qpeMYb7Fslc4nbRuQ
KtuBzvL5a3FN6XcQ6bfanU+WHchn2qmHCB7oocdDY3kPjUOqiUdU5NDE9ix7eHCh
MeBADYXfYo65BnRFGqBer7y6YcNEFO4S0mJOWcACcfBeOVt3NcN+wruWCWO8Wagm
Fi6XQmop+uRFZlUeYtOXdDTtifZuZW9+fpzTCddZMK9oAmc4n4J0WSmpuaE0k9YW
gJ6Gi0gsq/B68l3XblYpXg+kORJpIt5aFAbrirM7pUk3KdxI+lHA9S9UVxZR1v1g
13tHm9rcFeX0y4JGY47SPiOYIruE9MS1/6UTK4ceqIHmfO6+ghDEwzyI9dui1hCu
YnxE0t3ppVL3DT1tlonLs+hRNssByTtvcAbxej50s4mj9Hpr+Ar3wsd1+gEH93pJ
bqaQqtqDjvM=
=g85t
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce