-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Critical: Multicluster Engine for Kubernetes 2.2.7 security updates and bug fixes Advisory ID: RHSA-2023:4650-01 Product: multicluster engine for Kubernetes Advisory URL: https://access.redhat.com/errata/RHSA-2023:4650 Issue date: 2023-08-14 CVE Names: CVE-2020-24736 CVE-2023-1667 CVE-2023-2283 CVE-2023-2602 CVE-2023-2603 CVE-2023-2828 CVE-2023-3089 CVE-2023-27536 CVE-2023-28321 CVE-2023-28484 CVE-2023-29469 CVE-2023-32681 CVE-2023-34969 CVE-2023-37903 CVE-2023-38408 ===================================================================== 1. Summary: Multicluster Engine for Kubernetes 2.2.7 General Availability release images, which provide security updates and fix bugs. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. 2. Description: Multicluster Engine for Kubernetes 2.2.7 images Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy. Security fix(es): * CVE-2023-3089 openshift: OCP & FIPS mode * CVE-2023-37903 vm2: custom inspect function allows attackers to escape the sandbox and run arbitrary code 3. Solution: For information and instructions for these updates, see the following article: https://access.redhat.com/solutions/7022540. For multicluster engine for Kubernetes, see the following documentation for details on how to install the images: https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.7/html/clusters/cluster_mce_overview#installing-while-connected-online-mce 4. Bugs fixed (https://bugzilla.redhat.com/): 2212085 - CVE-2023-3089 openshift: OCP & FIPS mode 2224969 - CVE-2023-37903 vm2: custom inspect function allows attackers to escape the sandbox and run arbitrary code 5. References: https://access.redhat.com/security/cve/CVE-2020-24736 https://access.redhat.com/security/cve/CVE-2023-1667 https://access.redhat.com/security/cve/CVE-2023-2283 https://access.redhat.com/security/cve/CVE-2023-2602 https://access.redhat.com/security/cve/CVE-2023-2603 https://access.redhat.com/security/cve/CVE-2023-2828 https://access.redhat.com/security/cve/CVE-2023-3089 https://access.redhat.com/security/cve/CVE-2023-27536 https://access.redhat.com/security/cve/CVE-2023-28321 https://access.redhat.com/security/cve/CVE-2023-28484 https://access.redhat.com/security/cve/CVE-2023-29469 https://access.redhat.com/security/cve/CVE-2023-32681 https://access.redhat.com/security/cve/CVE-2023-34969 https://access.redhat.com/security/cve/CVE-2023-37903 https://access.redhat.com/security/cve/CVE-2023-38408 https://access.redhat.com/security/updates/classification/#critical https://access.redhat.com/security/vulnerabilities/RHSB-2023-001 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJk2oyOAAoJENzjgjWX9erES9IP/ia7OvrxHKrr9Y/vEtjWONNe FuAcQnXYC+Z353sjLypA9aPb92zLkk6gdDlAASl5jJyJSCu8ArnDJbbuEsLTuDB4 7hpgyy+IE/0U1fCy4TaF87kRBjPHfPbyrlEJe2lpTJFFqPNxUXbDN1SMRB162cAN ZVdhxbRbNKIo4B+dwmHG6S71qOlYYeD0ju9aRDQhFGlGKEj5JYFc2meFNdkE/07x ah575UrYN2jtC0fepWPUny9EDotEtuYGAKyE7M5O+gHdNu5aBCCiizjcjZRgfX6a FRRYuVrvE7qKjs6Z7/XAlUta1ut/LVUE0H+yAM8wLnLe0KcFVXgSeCe5+BX2IdrY wtQ81kQqimqCuqugNNhILTJZvYfie6rxPsozJEycKwsAyHMzEnEJCToIdnroClX0 JzbZ9pypxzBRRxfe862GrXJ592rbsJJQFGNQgoOB+tsiOmbBQCDAOnCq3ZLIaBx8 NsBxcshlDlI7MnDgJz2+tN+nnMWK88tuR+4zI8iOqZlxxMQQshxJchTs+3ZckNwR 84rffOay80r6VwsUU4+p099CaNj3pI8VzzkLSQn7dZAOuK+L1NEc8TyAEAOHAMNi lm/gDUy469tnGFHuJFi23ZAbyCLk5NTBLa0OvzqkuLQ4NqWzgI/n1YID9NxGISsY Ne55NzOKyUQAul8Ktg5F =Uuh2 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce