Security
Headlines
HeadlinesLatestCVEs

Headline

Red Hat Security Advisory 2022-6427-01

Red Hat Security Advisory 2022-6427-01 - Red Hat Advanced Cluster Management for Kubernetes 2.6.1 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs.

Packet Storm
#vulnerability#red_hat#js#kubernetes

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Critical: Red Hat Advanced Cluster Management 2.6.1 security fix and bug fix
Advisory ID: RHSA-2022:6427-01
Product: Red Hat ACM
Advisory URL: https://access.redhat.com/errata/RHSA-2022:6427
Issue date: 2022-09-12
CVE Names: CVE-2022-36067
=====================================================================

  1. Summary:

Red Hat Advanced Cluster Management for Kubernetes 2.6.1 release images,
which provide security fixes, bug fixes, and update container images.

Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

  1. Description:

Red Hat Advanced Cluster Management for Kubernetes 2.6.1 images

Red Hat Advanced Cluster Management for Kubernetes provides the
capabilities to address common challenges that administrators and site
reliability engineers face as they work across a range of public and
private cloud environments. Clusters and applications are all visible and
managed from a single console—with security policy built in.

This advisory contains the container images for Red Hat Advanced Cluster
Management for Kubernetes, which fix several bugs. See the following
Release Notes documentation, which will be updated shortly for this
release, for additional details about this release:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.6/html/release_notes/

Security fix:

  • vm2: Sandbox Escape in vm2 (CVE-2022-36067)

Bug fix:

  • RHACM 2.6.1 image files (BZ# 2125064)
  1. Solution:

For Red Hat Advanced Cluster Management for Kubernetes, see the following
documentation, which will be updated shortly for this release, for
important
instructions on installing this release:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.6/html-single/install/index#installing

  1. Bugs fixed (https://bugzilla.redhat.com/):

2124794 - CVE-2022-36067 vm2: Sandbox Escape in vm2
2125064 - RHACM 2.6.1 images

  1. References:

https://access.redhat.com/security/cve/CVE-2022-36067
https://access.redhat.com/security/updates/classification/#critical

  1. Contact:

The Red Hat security contact is [email protected]. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYx/ZBtzjgjWX9erEAQg/xg/+PIqsLUYrUFG5matgYWa0rp2wZMbwP1NG
AfuDAwz5ofgV5hZHO/mkhpOBwqV+0EPDOmnbxZq2XX3VWpOCLFxoS/q9+iQLKRwF
kHZxyd6G+OzsPbBL0PZqI4CfQ9EmYLRYOb/SFvWvEXauGt7dz35lA+vRxzPewTfL
GCWtubrfqew/n77fm5hZNodZbLjLEt7O3Zx+xBsm8oge+ahNFkwPDlmkKqFzJPdC
i9W1BYd70Pks+Z8wk6Nw5RUvRC5g5Nw4OdS9fcrvgvro+K5RaCbd2udzWWCUux4t
1myDsrunvKYA7KI3O+4KjM3kBZSc0/9aW5iMWNyaWR00vEDZIHqR+9HZCOL688uJ
yTNXuKCpQfLEaF0sOekhJtDiAyhxMlsR+7oRirj+RTRRSyKOSEiEeX+l6SS1Kq30
KxvsmV97gsxObgJzC+KlNibYIIuYq8af5horKFpdR81ne7dV0T5rvCVAM0Fs+LKr
mJCzgXZ0s/Fvw+KgZLYOPuMD7cvhNpC0UwVqfMZEvcFunqfFjmZmJr/jS+0Zfu70
xUkSUXaekDNmFplBvFvnZqA6OQGRIzed3YQ4iyMS4UmvYowRNkn44pk34i2K7gZB
JwSO8EEVuley/o/jkR12JD4pq3OyXtCXxALT1MlYfbvc8seLhZFR3AFm6Ldp5cVN
16pfxnhvl/w=
=K+Ym
-----END PGP SIGNATURE-----

RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Related news

Researchers Discover Critical Remote Code Execution Flaw in vm2 Sandbox Library

The maintainers of the vm2 JavaScript sandbox module have shipped a patch to address a critical flaw that could be abused to break out of security boundaries and execute arbitrary shellcode. The flaw, which affects all versions, including and prior to 3.9.14, was reported by researchers from South Korea-based KAIST WSP Lab on April 6, 2023, prompting vm2 to release a fix with version 3.9.15 on

Critical RCE Flaw Reported in Spotify's Backstage Software Catalog and Developer Platform

Spotify's Backstage has been discovered as vulnerable to a severe security flaw that could be exploited to gain remote code execution by leveraging a recently disclosed bug in a third-party module. The vulnerability (CVSS score: 9.8), at its core, takes advantage of a critical sandbox escape in vm2, a popular JavaScript sandbox library (CVE-2022-36067 aka Sandbreak), that came to light last

Critical Open Source vm2 Sandbox Escape Bug Affects Millions

Attackers could exploit the "Sandbreak" security bug, which has earned a 10 out of 10 on the CVSS scale, to execute a sandbox escape, achieve RCE, and run shell commands on a hosting machine.

Researchers Detail Critical RCE Flaw Reported in Popular vm2 JavaScript Sandbox

A now-patched security flaw in the vm2 JavaScript sandbox module could be abused by a remote adversary to break out of security barriers and perform arbitrary operations on the underlying machine. "A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox," GitHub said in an advisory published on September 28, 2022. The

GHSA-mrgp-mrhc-5jrq: vm2 vulnerable to Sandbox Escape resulting in Remote Code Execution on host

### Impact A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. ### Patches This vulnerability was patched in the release of version `3.9.11` of `vm2` ### Workarounds None. ### References Github Issue - https://github.com/patriksimek/vm2/issues/467 The file that was patched - https://github.com/patriksimek/vm2/blob/master/lib/setup-sandbox.js#L71 The commit with the patch - https://github.com/patriksimek/vm2/commit/d9a7f3cc995d3d861e1380eafb886cb3c5e2b873#diff-b1a515a627d820118e76d0e323fe2f0589ed50a1eacb490f6c3278fe3698f164 ### For more information If you have any questions or comments about this advisory: * Open an issue in [VM2](https://github.com/patriksimek/vm2)

Red Hat Security Advisory 2022-6696-01

Red Hat Security Advisory 2022-6696-01 - Red Hat Advanced Cluster Management for Kubernetes 2.4.6 General Availability release images, which fix bugs and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. Issues addressed include crlf injection and denial of service vulnerabilities.

RHSA-2022:6696: Red Hat Security Advisory: Red Hat Advanced Cluster Management 2.4.6 security update and bug fixes

Red Hat Advanced Cluster Management for Kubernetes 2.4.6 General Availability release images, which fix bugs and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-30629: golang: crypto/tls: session tickets lack random ticket_age_add * CVE-2022-31129: moment: inefficient parsing algorithm resulting in DoS * CVE-2022-31150: nodejs16: CRLF injection in node-undici * CVE-2022-31151: nodejs/undici: Cookie headers uncleared on cross-origin redirect * CV...

Red Hat Security Advisory 2022-6507-01

Red Hat Security Advisory 2022-6507-01 - Red Hat Advanced Cluster Management for Kubernetes 2.5.2 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs. Issues addressed include a denial of service vulnerability.

RHSA-2022:6507: Red Hat Security Advisory: Red Hat Advanced Cluster Management 2.5.2 security fixes and bug fixes

Red Hat Advanced Cluster Management for Kubernetes 2.5.2 General Availability release images, which fix security issues and bugs. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-31129: moment: inefficient parsing algorithm resulting in DoS * CVE-2022-36067: vm2: Sandbox Escape in vm2

Red Hat Security Advisory 2022-6422-01

Red Hat Security Advisory 2022-6422-01 - Multicluster Engine for Kubernetes 2.0.2 images Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2022-6426-01

Red Hat Security Advisory 2022-6426-01 - Multicluster Engine for Kubernetes 2.1.1 images Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy.

RHSA-2022:6427: Red Hat Security Advisory: Red Hat Advanced Cluster Management 2.6.1 security fix and bug fix

Red Hat Advanced Cluster Management for Kubernetes 2.6.1 release images, which provide security fixes, bug fixes, and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-36067: vm2: Sandbox Escape in vm2

RHSA-2022:6424: Red Hat Security Advisory: Multicluster Engine for Kubernetes 2.1.1 security update and bug fixes

Multicluster Engine for Kubernetes 2.1.1 General Availability release images, which fix bugs and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-36067: vm2: Sandbox Escape in vm2

RHSA-2022:6422: Red Hat Security Advisory: Multicluster Engine for Kubernetes 2.0.2 security and bug fixes

Multicluster Engine for Kubernetes 2.0.2 General Availability release images, which fix bugs and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-31129: moment: inefficient parsing algorithm resulting in DoS * CVE-2022-36067: vm2: Sandbox Escape in vm2

CVE-2022-36067: Fix 467 · patriksimek/vm2@d9a7f3c

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version 3.9.11, a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.11 of vm2. There are no known workarounds.

Packet Storm: Latest News

TOR Virtual Network Tunneling Tool 0.4.8.13