RHSA-2022:8827: Red Hat Security Advisory: RHACS 3.73 enhancement and security update

Updated images are now available for Red Hat Advanced Cluster Security (RHACS). The updated image includes new features and bug fixes. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-24778: imgcrypt: Unauthorized access to encrypted container image on a shared system due to missing check in CheckAuthorization() code path
  • CVE-2022-36056: app-containers/cosign: false positive verification
Red Hat Security Data

Issued:

2022-12-06

Updated:

2022-12-06

RHSA-2022:8827 - Security Advisory


Synopsis

Low: RHACS 3.73 enhancement and security update

Type/Severity

Security Advisory: Low

Topic

Updated images are now available for Red Hat Advanced Cluster Security (RHACS). The updated image includes new features and bug fixes.

Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Release of RHACS 3.73 provides these changes:

New features:

  • Red Hat Advanced Cluster Security Cloud Service (ACSCS) is a Red Hat managed service that simplifies and accelerates RHACS deployments. ACSCS is available as a Field Trial release. For more information about accessing ACSCS, contact Red Hat Sales.
  • Improved Vulnerability Management dashboard for ACSCS users.
  • A PostgreSQL database option is available as a Technology Preview feature. If you are interested in participating in the Tech Preview program, contact your Red Hat account representative.
  • A new build-time network policy generator is available as a Technology Preview feature; it generates Kubernetes network policies from application YAML manifests.

Notable technical changes:

  • RHACS uses GraphQL internally to show data in the RHACS portal. However, Red Hat does not support querying RHACS using GraphQL. If you are using GraphQL, see https://access.redhat.com/articles/6986289 and contact Red Hat Consulting.
  • Sensor no longer uses `anyuid` Security Context Constraint (SCC). Instead, the default SCC for Sensor is now `restricted[-v2]` or `stackrox-sensor`, depending on the settings. In addition, the `runAsUser` and `fsGroup` for the Admission control and Sensor deployments are no longer hard-coded to `4000` on OpenShift clusters to allow using the `restricted` and `restricted-v2` SCCs. (ROX-9342)
  • The service account `central`, which the Central deployment uses, now includes `get` and `list` access to the pods, events, and namespaces resources in the namespace where you deploy Central.
  • The CSV export API `/api/vm/export/csv` now requires the `CVE Type` filter as part of the input query parameter. Supported values for `CVE Type` are `IMAGE_CVE`, `K8S_CVE`, `ISTIO_CVE`, `NODE_CVE`, and `OPENSHIFT_CVE`.

Notice of in-product docs removal:

  • Beginning in the RHACS 3.74 release, Red Hat will remove the in-product docs accessible from the help menu. If you are using the in-product docs, you can instead download the required documentation in PDF format from Red Hat Customer Portal. (ROX-12839)

Bug fixes:

  • Previously, if you were using the StackRox Kubernetes Security Platform - Splunk Technology Add-on, results for the `ocp4-cis-node` compliance standard were missing from Splunk. This issue is now fixed. The Splunk integration now includes the `ocp4-cis-node` compliance standard results. (ROX-11937)
  • Previously, Central would fail on the v1 CronJob deployment check. This issue is fixed. (ROX-13500)

Security Fix(es):

  • imgcrypt: Unauthorized access to encrypted container image on a shared system due to missing check in CheckAuthorization() code path (CVE-2022-24778)
  • app-containers/cosign: false positive verification (CVE-2022-36056)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

To take advantage of the new features, bug fixes, and enhancements in RHACS 3.73, you are advised to upgrade to RHACS 3.73.0.

Affected Products

  • Red Hat Advanced Cluster Security for Kubernetes 3 x86_64

Fixes

  • BZ - 2069368 - CVE-2022-24778 imgcrypt: Unauthorized access to encrypted container image on a shared system due to missing check in CheckAuthorization() code path
  • BZ - 2128820 - CVE-2022-36056 app-containers/cosign: false positive verification
  • ROX-13687 - Release RHACS 3.73.0

References

  • https://access.redhat.com/security/updates/classification/#low
  • https://docs.openshift.com/acs/3.73/release_notes/373-release-notes.html


The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Related news

Ubuntu Security Notice USN-5776-1

Ubuntu Security Notice 5776-1 - It was discovered that containerd incorrectly handled memory when receiving certain faulty Exec or ExecSync commands. A remote attacker could possibly use this issue to cause a denial of service or crash containerd. It was discovered that containerd incorrectly set up inheritable file capabilities. An attacker could possibly use this issue to escalate privileges inside a container. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.

Red Hat Security Advisory 2022-8827-01

Red Hat Security Advisory 2022-8827-01 - Updated images are now available for Red Hat Advanced Cluster Security (RHACS). The updated image includes new features and bug fixes.

GHSA-8gw7-4j42-w388: Cosign bundle can be crafted to successfully verify a blob even if the embedded rekorBundle does not reference the given signature

Summary

A number of vulnerabilities have been found in `cosign verify-blob`, where Cosign would successfully verify an artifact when verification should have failed.

Vulnerability 1: Bundle mismatch causes invalid verification.

Summary: A cosign bundle can be crafted to successfully verify a blob even if the embedded rekorBundle does not reference the given signature.

Details: Cosign supports "bundles" which intend to allow offline verification of the signature and rekor inclusion. By using the --bundle flag in cosign sign-blob, cosign will create a JSON file called a "bundle". These bundles include three fields: base64Signature, cert, and rekorBundle. The desired behavior is that the verification of these bundles would:

  • verify the provided blob using the included signature and certificate
  • verify the rekorBundle SET
  • verify the rekorBundle payload references the given artifact.

It appears that step three is not being performed, allowing "any old rekorBundle" to p...

CVE-2022-36056: Merge pull request from GHSA-8gw7-4j42-w388 · sigstore/cosign@80b79ed

Cosign is a project under the sigstore organization which aims to make signatures invisible infrastructure. In versions prior to 1.12.0 a number of vulnerabilities have been found in cosign verify-blob, where Cosign would successfully verify an artifact when verification should have failed. First a cosign bundle can be crafted to successfully verify a blob even if the embedded rekorBundle does not reference the given signature. Second, when providing identity flags, the email and issuer of a certificate is not checked when verifying a Rekor bundle, and the GitHub Actions identity is never checked. Third, providing an invalid Rekor bundle without the experimental flag results in a successful verification. And fourth an invalid transparency log entry will result in immediate success for verification. Details and examples of these issues can be seen in the GHSA-8gw7-4j42-w388 advisory linked. Users are advised to upgrade to 1.12.0. There are no known workarounds for these issues.
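The missing third verification step described in the two cosign items above, modelled as an added example in Go; this is not cosign's own code. It assumes a simplified rekorBundle payload (artifact digest, signature and an already-evaluated SET result), reduces the certificate to an ECDSA public key, and shows that a bundle carrying a Rekor entry from a different signing passes the first two steps but is rejected once the payload is compared against the signature being verified.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
)

// RekorEntry stands in for the rekorBundle payload (assumed shape): the digest and signature
// the log entry covers, plus the outcome of the SET check, modelled here as already done.
type RekorEntry struct{ ArtifactSHA256, SignatureB64 string; SETValid bool }
// Bundle mirrors the three fields cosign writes with `sign-blob --bundle`; Cert stands in
// for the PEM certificate, reduced to the public key this check needs.
type Bundle struct{ Base64Signature string; Cert *ecdsa.PublicKey; RekorBundle RekorEntry }
// VerifyBlob runs the three steps; checkStep3 toggles the one missing before cosign 1.12.0.
func VerifyBlob(blob []byte, b Bundle, checkStep3 bool) error {
	digest := sha256.Sum256(blob)
	sig, err := base64.StdEncoding.DecodeString(b.Base64Signature)
	if err != nil || !ecdsa.VerifyASN1(b.Cert, digest[:], sig) { // step 1: signature over blob
		return errors.New("signature does not verify over blob")
	}
	if !b.RekorBundle.SETValid { // step 2: signed entry timestamp
		return errors.New("rekor SET invalid")
	}
	if checkStep3 && (b.RekorBundle.ArtifactSHA256 != hex.EncodeToString(digest[:]) ||
		b.RekorBundle.SignatureB64 != b.Base64Signature) { // step 3: entry names this signature
		return errors.New("rekorBundle does not reference this signature")
	}
	return nil
}
// SignBlob builds a genuine bundle whose Rekor entry matches the signature it carries.
func SignBlob(key *ecdsa.PrivateKey, blob []byte) Bundle {
	digest := sha256.Sum256(blob)
	sig, _ := ecdsa.SignASN1(rand.Reader, key, digest[:])
	s := base64.StdEncoding.EncodeToString(sig)
	return Bundle{s, &key.PublicKey, RekorEntry{hex.EncodeToString(digest[:]), s, true}}
}
// Outcomes: does a genuine bundle pass fully, and does a bundle whose rekorBundle came from
// the signing of another blob pass without step 3 (loose) and with it (strict)?
func Outcomes() (genuine, loose, strict bool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	blob := []byte("release-v1.tar.gz") // constructed sample artifact
	crafted := SignBlob(key, blob)
	genuine = VerifyBlob(blob, crafted, true) == nil
	crafted.RekorBundle = SignBlob(key, []byte("unrelated.txt")).RekorBundle // "any old rekorBundle"
	return genuine, VerifyBlob(blob, crafted, false) == nil, VerifyBlob(blob, crafted, true) == nil
}
```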

Red Hat Security Advisory 2022-4956-01

Red Hat Security Advisory 2022-4956-01 - Red Hat Advanced Cluster Management for Kubernetes 2.5.0 images. Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs and security issues. Issues addressed include privilege escalation and traversal vulnerabilities.

RHSA-2022:4956: Red Hat Security Advisory: Red Hat Advanced Cluster Management 2.5 security updates, images, and bug fixes

Red Hat Advanced Cluster Management for Kubernetes 2.5.0 is now generally available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2021-3918: nodejs-json-schema: Prototype pollution vulnerability
  • CVE-2021-41190: opencontainers: OCI manifest and index parsing confusion
  • CVE-2021-43565: golang.org/x/crypto: empty plaintext packet causes panic
  • CVE-2021-43816: containerd: Unprivileged pod may bind mount any privileged regular file on disk
  • CVE-2021-43858: minio: user priv...

CVE-2022-24778: Release imgcrypt 1.1.4 · containerd/imgcrypt

The imgcrypt library provides API extensions for containerd to support encrypted container images and implements the ctd-decoder command line tool for use by containerd to decrypt encrypted container images. The imgcrypt function `CheckAuthorization` is supposed to check whether the current user is authorized to access an encrypted image and prevent the user from running an image that another user previously decrypted on the same system. In versions prior to 1.1.4, a failure occurs when an image with a ManifestList is used and the architecture of the local host is not the first one in the ManifestList. Only the first architecture in the list was tested, which may not have its layers available locally since it could not be run on the host architecture. Therefore, the verdict on unavailable layers was that the image could be run anticipating that image run failure would occur later due to the layers not being available. However, this verdict to allow the image to run enabled other archite...