Security
Headlines
HeadlinesLatestCVEs

Headline

RHSA-2023:5206: Red Hat Security Advisory: RHACS 4.2 enhancement and security update

Updated images are now available for Red Hat Advanced Cluster Security (RHACS). Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2023-4958: In Red Hat Advanced Cluster Security (RHACS), it was found that some security related HTTP headers were missing, allowing an attacker to exploit this with a clickjacking attack. An attacker could exploit this by convincing a valid RHACS user to visit an attacker-controlled web page, that deceptively points to valid RHACS endpoints, hijacking the user’s account permissions to perform other actions.
Red Hat Security Data
#sql#vulnerability#web#linux#red_hat#nodejs#js#kubernetes#aws#ibm#postgres

Skip to navigation Skip to main content

Utilities

  • Subscriptions
  • Downloads
  • Containers
  • Support Cases

Infrastructure and Management

  • Red Hat Enterprise Linux
  • Red Hat Satellite
  • Red Hat Subscription Management
  • Red Hat Insights
  • Red Hat Ansible Automation Platform

Cloud Computing

  • Red Hat OpenShift
  • Red Hat OpenStack Platform
  • Red Hat OpenShift Container Platform
  • Red Hat OpenShift Data Science
  • Red Hat OpenShift Dedicated
  • Red Hat Advanced Cluster Security for Kubernetes
  • Red Hat Advanced Cluster Management for Kubernetes
  • Red Hat Quay
  • OpenShift Dev Spaces
  • Red Hat OpenShift Service on AWS

Storage

  • Red Hat Gluster Storage
  • Red Hat Hyperconverged Infrastructure
  • Red Hat Ceph Storage
  • Red Hat OpenShift Data Foundation

Runtimes

  • Red Hat Runtimes
  • Red Hat JBoss Enterprise Application Platform
  • Red Hat Data Grid
  • Red Hat JBoss Web Server
  • Red Hat Single Sign On
  • Red Hat support for Spring Boot
  • Red Hat build of Node.js
  • Red Hat build of Quarkus

Integration and Automation

All Products

Issued:

2023-09-18

Updated:

2023-09-18

RHSA-2023:5206 - Security Advisory

  • Overview
  • Updated Images

Synopsis

Moderate: RHACS 4.2 enhancement and security update

Type/Severity

Security Advisory: Moderate

Topic

Updated images are now available for Red Hat Advanced Cluster Security (RHACS).

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The release of RHACS 4.2 provides these changes:

Security Fix(es):

  • stackrox: Missing HTTP security headers allows for clickjacking in web UI (CVE-2023-4958)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

New Features

RHACS 4.2 includes the following new features, improvements, and updates:

Platform

  • Bring your own PostgreSQL database for RHACS Central (Technology Preview)
  • The CORE BPF collection method is now GA
  • RHACS Product usage report
  • Performance improvements for the Compliance dashboard

Vulnerability management

  • Vulnerability scanning support for Registry Mirrors in OpenShift Container Platform
  • Configure delegated image scanning in the RHACS portal
  • Define new system policies using CVE age or fixability
  • On-demand and downloadable CVE report in Vulnerability Management 2.0
  • Scanner supports additional operating systems

Network Security

  • Improvements to runtime network policy generation
  • Build time Network Policy tools (Technology Preview)
  • New Listening Endpoints menu in the RHACS portal
  • Viewing network policy YAML files from a violation

For notable technical changes, deprecated and removed features, and bug fixes, see the Release Notes.

Solution

To take advantage of the new features, bug fixes, and enhancements in RHACS 4.2, you are advised to upgrade to RHACS 4.2.

Affected Products

  • Red Hat Advanced Cluster Security for Kubernetes 4 x86_64
  • Red Hat Advanced Cluster Security for Kubernetes for IBM Z and LinuxONE 4 s390x
  • Red Hat Advanced Cluster Security for Kubernetes for IBM Power, little endian 4 ppc64le

Fixes

  • BZ - 1990363 - CVE-2023-4958 stackrox: Missing HTTP security headers allows for clickjacking in web UI
  • ROX-19688 - Release RHACS 4.2.0

References

  • https://access.redhat.com/security/updates/classification/#moderate
  • https://docs.openshift.com/acs/4.2/release_notes/42-release-notes.html

ppc64le

advanced-cluster-security/rhacs-central-db-rhel8@sha256:a6f0560462f70d081ecd633dab7fe3812a9a05ede057dcfc85c78aebcbfcf7fb

advanced-cluster-security/rhacs-collector-rhel8@sha256:daec224b2d21db1d0f896c376bc57896f3d322699ea860c9af3daeb0fdf60c26

advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:99cea72009375b9fe0d351d2dc74d0b08f303daf8fd3d054f34301b2a7b9874e

advanced-cluster-security/rhacs-main-rhel8@sha256:e6cd211b07ec198e643043636bc43e32128a99a455594986f54d01f909eb97e1

advanced-cluster-security/rhacs-operator-bundle@sha256:e2262de639260486a1942d9c7a8be075a96888519c65b0ccd41f1360978300ac

advanced-cluster-security/rhacs-rhel8-operator@sha256:fa7fd49bfc458b712c26f122e22520e685b036dcf65c204f7b6385cd53cdc9b3

advanced-cluster-security/rhacs-roxctl-rhel8@sha256:b3faa186bd4e7d7949314abb298b67fec93eba13c9028b2d597141f3ecfadaa8

advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:0a8010cccaa062270ae1c2214a46ebedbf9dd55caa848d2063ade69eed1cefcf

advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:0bd96c2875a801820c1a042b854c903b7ff7f577f286d1b42688d084f4ac369b

advanced-cluster-security/rhacs-scanner-rhel8@sha256:491b67f1b2930996a975fe3b4088020538c78db6f3060447699795a30e74b54b

advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:df0d1098be46a3b4ab9374a3eff318410a955f014961b08ecaf416e9535f005a

s390x

advanced-cluster-security/rhacs-central-db-rhel8@sha256:655da98b70cce7d0d8eda8c8d13d13e4abb56d240a7dcc86c9a1ecf74524095f

advanced-cluster-security/rhacs-collector-rhel8@sha256:7d6b22c16ffc10dbe11d5d783e1c7efa7f39de054a3a2332c807bdf63bcd1c71

advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:7cd77dd8ba37e7df2802ef44bda69e4305631729c981a673a0a31433f4d05663

advanced-cluster-security/rhacs-main-rhel8@sha256:64bef5c27321ed50c11018b32ae4d5de3490ad744a0f08e8e724432c75ffa775

advanced-cluster-security/rhacs-operator-bundle@sha256:85b9f7b20c8ad9552c30f6aaf772ceb5342bcf6ea90ea997eb614212fa57ed58

advanced-cluster-security/rhacs-rhel8-operator@sha256:d80fafb9e7fcd0fa9e4103ae929cfa9dc8b91851b50d17d377d8fbdf2dd0884f

advanced-cluster-security/rhacs-roxctl-rhel8@sha256:c0cad154a2b2b90bf1ad022bfbc1edaee1d0d3ebbae99c296afbc4e423d49adc

advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:6c9a79f505c45e604b51ce9d29a7472e23da6f33011635afcac5dc96d3c8a413

advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:bc4c81fc092d4bffca4742030a197b79bc80565dc4d677d7344a7d91e592e735

advanced-cluster-security/rhacs-scanner-rhel8@sha256:d4efaf6561a45aa575870b3aefcc72838618ff411fdf4d8b6c23c92598400f44

advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:e9327bd5ebfcec5ec7c76d6e47be8dfe5fc48913859a36bb9d9ddafbc11b53fe

x86_64

advanced-cluster-security/rhacs-central-db-rhel8@sha256:d53ebe7252d7414e0dc756d48d806504993d43f8c3de2eebed0e1f74749cd2de

advanced-cluster-security/rhacs-collector-rhel8@sha256:11ba7bb24a938e34ca077b77730cd1524dee6d81157b7309b0725bde1dc1a658

advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:8844ee1cf02d8038e8b156bc856f3f6bbe1cdca160ec79f30da39ef826d897f2

advanced-cluster-security/rhacs-main-rhel8@sha256:301a89cdc5a6aa6cc807851082a0ed58580547098c8fe35e000fe54ecbefcd1e

advanced-cluster-security/rhacs-operator-bundle@sha256:de3b2e28150c6428864fe8dd7ef325b806bc9e9881d883ba3335e00b6593618c

advanced-cluster-security/rhacs-rhel8-operator@sha256:696ef8ccb59d3f34a640ffdc18b089680a2a28189b388450080454865ce5b12e

advanced-cluster-security/rhacs-roxctl-rhel8@sha256:61efe4f465be5ac4c3ddf6a5c452d5dc7d250b8a842ec36b7cf44272de146e15

advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:4f5bc6377f8b81ca0f0bebfd4cafdc7d17029e702861f7159a38bccc3e7a21c3

advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:1971e8fe13c51e6be8dd497b8ca99c8282425a6cd9735771ab6fd39a11616086

advanced-cluster-security/rhacs-scanner-rhel8@sha256:756151367af2d9ee8ba0ad7537c17841f800c2828f440baa6d73b5a071d29638

advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:97e5a3c6af61067119e6b6d7fd46b64569f06e311c21596af430e648b237b59b

The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.

Related news

CVE-2023-4958

In Red Hat Advanced Cluster Security (RHACS), it was found that some security related HTTP headers were missing, allowing an attacker to exploit this with a clickjacking attack. An attacker could exploit this by convincing a valid RHACS user to visit an attacker-controlled web page, that deceptively points to valid RHACS endpoints, hijacking the user's account permissions to perform other actions.