Red Hat Security Advisory 2024-0722-03 - An update is now available for Red Hat build of Quarkus. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0722.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Red Hat build of Quarkus 3.2.10 release and security update  
Advisory ID:        RHSA-2024:0722-03  
Product:            Red Hat build of Quarkus  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0722  
Issue date:         2024-03-18  
Revision:           03  
CVE Names:          CVE-2023-4043  
====================================================================

Summary: 

An update is now available for Red Hat build of Quarkus.

Red Hat Product Security has rated this update as having a security impact of  
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives  
a  
detailed severity rating, is available for each vulnerability. For more  
information, see the CVE links in the References section.

Description:

This release of Red Hat build of Quarkus 3.2.10 includes security updates,  
bug fixes, and enhancements. For more information, see the release notes page  
listed in the References section.

Security Fix(es):

* CVE-2023-22102 mysql/mysql-connector-java: Connector/J unspecified vulnerability (CPU October 2023) [quarkus-3.2]

* CVE-2023-48795 org.apache.sshd/sshd-core: ssh: Prefix truncation attack on Binary Packet Protocol (BPP) [quarkus-3.2]

* CVE-2023-4043 org.eclipse.parsson/parsson: Denial of Service due to large number parsing [quarkus-3.2]

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-4043

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/documentation/en-us/red_hat_build_of_quarkus/3.2/  
https://access.redhat.com/articles/4966181  
https://bugzilla.redhat.com/show_bug.cgi?id=2254210  
https://bugzilla.redhat.com/show_bug.cgi?id=2254594  
https://bugzilla.redhat.com/show_bug.cgi?id=2256474  
https://issues.redhat.com/browse/QUARKUS-3791  
https://issues.redhat.com/browse/QUARKUS-3851  
https://issues.redhat.com/browse/QUARKUS-3938  
https://issues.redhat.com/browse/QUARKUS-3939  
https://issues.redhat.com/browse/QUARKUS-3940  
https://issues.redhat.com/browse/QUARKUS-3941  
https://issues.redhat.com/browse/QUARKUS-3942  
https://issues.redhat.com/browse/QUARKUS-3943  
https://issues.redhat.com/browse/QUARKUS-3944  
https://issues.redhat.com/browse/QUARKUS-3945  
https://issues.redhat.com/browse/QUARKUS-3946  
https://issues.redhat.com/browse/QUARKUS-3947  
https://issues.redhat.com/browse/QUARKUS-3948  
https://issues.redhat.com/browse/QUARKUS-3949  
https://issues.redhat.com/browse/QUARKUS-3950  
https://issues.redhat.com/browse/QUARKUS-3951  
https://issues.redhat.com/browse/QUARKUS-3952  
https://issues.redhat.com/browse/QUARKUS-3953  
https://issues.redhat.com/browse/QUARKUS-3954  
https://issues.redhat.com/browse/QUARKUS-3955  
https://issues.redhat.com/browse/QUARKUS-3956  
https://issues.redhat.com/browse/QUARKUS-3957  
https://issues.redhat.com/browse/QUARKUS-3958  
https://issues.redhat.com/browse/QUARKUS-3959  
https://issues.redhat.com/browse/QUARKUS-3960  
https://issues.redhat.com/browse/QUARKUS-3961  
https://issues.redhat.com/browse/QUARKUS-3963  
https://issues.redhat.com/browse/QUARKUS-3964

Red Hat Security Advisory 2024-0722-03

We are pleased to announce the release of Red Hat OpenShift Service Mesh 2.5. OpenShift Service Mesh is based on the Istio and Kiali projects, and is included as part of all subscription levels of Red Hat OpenShift. OpenShift Service Mesh 2.5 updates the underlying version of Istio to 1.18 and Kiali to 1.73.This release includes updates from Istio 1.17 and 1.18 including subsequent patch releases up to Istio 1.18.7. Most notably, this includes support for Certificate Revocation Lists for external traffic, “developer preview” support for dual-stack IPv4/IPv6, and updates to Gateway API. Thi

We are pleased to announce the release of **Red Hat OpenShift Service Mesh 2.5**. OpenShift Service Mesh is based on the Istio and Kiali projects, and is included as part of all subscription levels of Red Hat OpenShift. OpenShift Service Mesh 2.5 updates the underlying version of Istio to 1.18 and Kiali to 1.73.

This release includes updates from Istio 1.17 and 1.18 including subsequent patch releases up to Istio 1.18.7. Most notably, this includes support for Certificate Revocation Lists for external traffic, “developer preview” support for dual-stack IPv4/IPv6, and updates to Gateway API. This release also includes the general availability of the OpenShift Service Mesh Console plugin, which is now installed with the Kiali operator as well as updates to support the next generation of OpenShift Distributed Tracing based on Tempo.

****Service Mesh on Arm is generally available****

This release makes support for OpenShift Service Mesh on OpenShift clusters based on ArmTM architecture generally available. This includes Kiali and distributed tracing with Jaeger. Red Hat OpenShift aims to give our customers the choice to run applications on the most appropriate infrastructure, so we are pleased to extend support for OpenShift Service Mesh to Arm. 

****Certificate revocation lists for external traffic****

OpenShift Service Mesh supports mutual TLS (mTLS) authentication for services communicating outside of the mesh. Depending on the use case, this can be setup by configuring credentials with an Ingress Gateway for services exposed to external traffic, a ServiceEntry for individual services to originate mTLS or an Egress Gateway for a gateway to originate mTLS. This release introduces the ability to revoke credentials using Certificate Revocation Lists (CRLs) for the above use cases and Online Certificate Status Protocol (OCSP) stapling for an Ingress Gateway. See the Ingress Gateway, Egress TLS Origination and Egress Gateway documentation for more details.

****OpenShift Service Mesh Console plugin is generally available****

OpenShift Service Mesh 2.3 introduced the OpenShift Service Mesh Console to bring Kiali’s topology view and other service mesh information into the OpenShift console. This adds a “Service Mesh” menu and introduces metrics and topology information into the workload and service menus. This provides a unified experience for managing services in Red Hat OpenShift with the benefit of information obtained from service mesh. 

OpenShift Service Mesh Console - Graph View

When the OpenShift Service Mesh Console was introduced, it was installed with a separate operator. Now that it is generally available, it has been integrated into the Kiali operator, and can be installed using the OSSMConsole custom resource definition (CRD).

Note that this plugin only supports pulling information from a single Kiali instance at this time. If multiple Kiali instances are present within a cluster (for example, to support multiple service mesh instances), the serviceNamespace configuration value can be used to specify which service mesh the console plugin will use.

****Distributed tracing updates****

The ability to automatically enable mesh-wide distributed tracing is a core feature of OpenShift Service Mesh. Tracing provides the ability to observe requests as they flow through a system of multiple services. This is critical for identifying bottlenecks, understanding system behavior and providing a more consistent experience to application consumers.

To date, tracing has been provided by the Jaeger and Elasticsearch components. While these have been incredibly reliable, we have heard from customers that they desire greater flexibility as well as support for greater scale, performance and more cost-effective solutions.

With this in mind, Red Hat OpenShift distributed tracing 3.0 was recently made generally available. This major update introduces a new architecture and new components for distributed tracing that OpenShift Service Mesh users should plan to migrate to.

****OpenTelemetry and Tempo components****

Two components make up the new distributed tracing architecture:

*   Red Hat build of OpenTelemetry - a vendor-agnostic way of retrieving, processing and exporting telemetry data (not limited to tracing).
*   Red Hat OpenShift distributed tracing platform (Tempo) - a component based on the Grafana Tempo project for ingesting tracing data via common protocols including Jaeger, Zipkin, and OpenTelemetry. For data persistence, Tempo can be configured to use a variety of object storage providers.

****New observability extension providers****

To enable integration with the above components and to provide additional integrations with OpenShift Service Mesh, we have added support for the “zipkin”, “opentelemetry” and “envoyOtelAls” Istio extension providers. These can now be configured using the “meshConfig.extensionProviders” setting in the “ServiceMeshControlPlane” CRD.

****Kiali and Tempo****

Kiali in OpenShift Service Mesh 2.5 includes support for integrating with Tempo by using the Jaeger API. This is configured in Tempo using the “jaegerQuery” setting in the TempoStack CRD and from Kiali using the “in\_cluster\_url” setting in the Kiali CRD. For more details, see the OpenShift Service Mesh 2.5 release notes.

****Elasticsearch and Jaeger deprecation****

With the introduction of the OpenTelemetry and Tempo based distributed tracing architecture, the Jaeger based distributed tracing platform operator and Elasticsearch operator have been deprecated and will be removed in a future release. While they will continue to be supported as part of their release lifecycles and as integrations with OpenShift Service Mesh, they will no longer receive further enhancements.

****Configuring distributed tracing and service mesh****

While by default OpenShift Service Mesh configures distributed tracing through the ServiceMeshControlPlane CRD, for production, we recommend that customers configure tracing using a separate Jaeger custom resource or the new Tempo operator. In addition to providing greater flexibility of configuration, this will better prepare users to migrate to both OpenShift Distributed Tracing 3 and OpenShift Service Mesh 3.

****Where to start with Service Mesh and Tempo?****

See the OpenShift Service Mesh 2.5 release notes and the “Metrics, logs, and tracing” section of the documentation for more information on using Tempo and the OpenTelemetry collector with Service Mesh.  

****Automatic route creation****

As communicated in our previous release, the automatic route creation feature (which uses a component called Istio OpenShift Routing - or IOR) has been deprecated and will be removed from OpenShift Service Mesh 3. Though this is a convenience feature for configuring gateways with service mesh, it has been our experience that explicitly creating and managing OpenShift routes provides a more transparent and robust production configuration - particularly across upgrades.

This release makes this feature disabled by default. This will not impact existing OpenShift Service Mesh users who were using the feature, as it will continue to be enabled post upgrade.

Users are encouraged to disable this feature and to manage OpenShift route resources for their Gateways independent of Service Mesh, as in addition to providing greater flexibility and control, it will simplify the future migration to OpenShift Service Mesh 3. This change is best made in conjunction with moving to gateway injection for managing all Istio gateways with applications rather than the ServiceMeshControlPlane, which manages gateways with the control plane. Gateway injection along with Gateway API will be the recommended ways to create and manage Gateways in OpenShift Service Mesh 3 and beyond.

****Kiali updates****

Kiali in dark mode theme

OpenShift Service Mesh 2.5 brings additional updates with Kiali 1.73, including:

*   Use of Istio’s Discovery Selectors - Kiali will now take into account Istio’s discovery selectors when deciding which namespaces to display for the user. For more information, see Kiali’s namespace management documentation.
*   Dark mode theme - Kiali now supports a dark mode theme similar to OpenShift Console’s dark mode, which also applies to the OpenShift Service Mesh Console plugin.
*   Clusterwide mode - For more efficient caching, the Kiali CRD includes a new setting “deployment.cluster\_wide\_access”, which when set to “true” will give cluster permissions to the Kiali server. When set to false, the operator creates a role for each namespace that is part of the mesh.
*   Kubernetes Gateway API management - Kiali now also includes the ability to manage multiple Gateway API implementations in parallel. This is done through the new “gateway\_api\_classes” in the Kiali custom resource definition (CRD). Users can then select the “Gateway Class” of their choosing when using the Kubernetes Gateway creation wizard.

For a full list of Kiali updates, see the project release notes.

****Gateway API updates****

OpenShift Service Mesh includes technology preview support for Kubernetes Gateway API resources with Istio. This release updates support for Kubernetes Gateway API, adding support for extra v1beta1 resources and updating the Gateway API version to 0.6.2. The release also includes updates to how Gateways (Kubernetes Gateways, not Istio Gateways) are automatically deployed. See more details on these changes here.

With Gateway API achieving general availability upstream and part of Istio 1.20 and beyond, we plan to make this feature generally available in the next minor release of OpenShift Service Mesh.

****IPv4 / IPv6 dual stack is developer preview****

This release introduces IPv4/IPv6 dual stack support as a developer preview feature, meaning that it is ready for development and experimentation. This was introduced as an experimental feature in Istio 1.17, with several updates since then to address bugs and remaining dual-stack gaps. The feature continues to evolve upstream as it progresses toward Alpha and beyond. As with all developer preview features, feedback is welcome so that we can help to incubate this feature toward general availability.  

****Kiali Backstage plugin is developer preview****

A service mesh does not stand on its own, but acts as a key infrastructure layer within a larger platform that will be made up of many different technologies. In addition to all of its security features and integrations, a service mesh is often an integral part of continuous integration/delivery (CI/CD) infrastructure and thus may drive one or more steps in the application delivery process.

The majority of our users are teams responsible for such platforms and processes. Their goals include making development teams happy and productive so that they can best support the business. It is with this group in mind that Red Hat has developed Red Hat Developer Hub, an enterprise grade offering based on the Backstage.io project. The Backstage project, contributed by Spotify, is an open source framework for building developer portals. Red Hat developed Project Janus, a community for building developer portals, built on Backstage.

To assist in building developer platforms with service mesh and Backstage, the team has recently contributed the Kiali plugin for Backstage. You can read more about using Kiali with the Red Hat developer hub in this blog. A demo of the plugin was provided at a Janus community meeting late last year.

****Istio ambient mesh update****

The Istio project introduced Istio ambient mesh as a sidecar-less Istio data plane implementation. While this is still under heavy development in the Istio community, it has the potential to significantly reduce the resource utilization required to operate a service mesh by shrinking the footprint of Istio by removing sidecars.

Though OpenShift Service Mesh 2.5 does not include support for Istio ambient mesh, the Istio community continues to evolve the design and implementation. Recently, the team at Solo.io contributed a notable architecture change regarding how traffic is redirected between workload pods and the ztunnel node proxy component. This enables ambient mesh to be compatible with the majority of Kubernetes Container Network Interface (CNI) plugins, including both OpenShift’s OVN-Kubernetes and SDN network plugins.

This change along with other Red Hat contributions has enabled our team to successfully validate Istio ambient mesh on OpenShift, confirming that initial support for Istio ambient mesh is planned for a future release of OpenShift Service Mesh. We have also contributed a new “openshift-ambient” profile, which will make testing ambient mesh on OpenShift easier beginning with Istio 1.22. In parallel, the Kiali team continues to add features in support of ambient mesh. Stay tuned for more on this topic, as we prepare to offer Istio ambient mesh as a developer preview feature with the Sail Operator and later in OpenShift Service Mesh 3!

****OpenShift Service Mesh 3 update****

In case you missed it, late last year we published a blog post update regarding the “Sail Operator”, which is a developer preview of OpenShift Service Mesh 3. This provides further updates on our progress on the next major release of OpenShift Service Mesh. We continue to develop this operator - including operator support for canary-style control plane upgrades. We will provide further updates in the coming months as we work toward a Technology Preview release of OpenShift Service Mesh 3. Watch the redhat.com blog for further updates.

Learn more about OpenShift Service Mesh

Introducing OpenShift Service Mesh 2.5

Red Hat Security Advisory 2024-1348-03 - An update for the postgresql:10 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1348.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: postgresql:10 security updateAdvisory ID:        RHSA-2024:1348-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1348Issue date:         2024-03-18Revision:           03CVE Names:          CVE-2024-0985====================================================================Summary: An update for the postgresql:10 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:PostgreSQL is an advanced object-relational database management system (DBMS).Security Fix(es):* postgresql: non-owner 'REFRESH MATERIALIZED VIEW CONCURRENTLY' executes arbitrary SQL (CVE-2024-0985)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-0985References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2263384

Red Hat Security Advisory 2024-1348-03

Red Hat Security Advisory 2024-1346-03 - An update is now available for Red Hat OpenShift GitOps 1.11. Issues addressed include a cross site scripting vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1346.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Red Hat OpenShift GitOps security update  
Advisory ID:        RHSA-2024:1346-03  
Product:            Red Hat OpenShift GitOps  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1346  
Issue date:         2024-03-16  
Revision:           03  
CVE Names:          CVE-2024-28175  
====================================================================

Summary: 

An update is now available for Red Hat OpenShift GitOps 1.11.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications.

Security Fix(es):

* Before this update, due to the improper filtering of URL protocols in the Argo CD application summary component, an attacker could achieve cross-site scripting with permission to edit the application. This update fixes the issue by upgrading the Argo CD version to v2.9.8 which has the fix applied and is therefore not vulnerable (CVE-2024-28175).

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-28175

References:

https://access.redhat.com/security/updates/classification/#important  
https://docs.openshift.com/gitops/1.11/understanding_openshift_gitops/about-redhat-openshift-gitops.html  
https://bugzilla.redhat.com/show_bug.cgi?id=2268518

Red Hat Security Advisory 2024-1346-03

Red Hat Security Advisory 2024-1345-03 - An update is now available for Red Hat OpenShift GitOps 1.10. Issues addressed include a cross site scripting vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1345.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Red Hat OpenShift GitOps security update  
Advisory ID:        RHSA-2024:1345-03  
Product:            Red Hat OpenShift GitOps  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1345  
Issue date:         2024-03-15  
Revision:           03  
CVE Names:          CVE-2024-28175  
====================================================================

Summary: 

An update is now available for Red Hat OpenShift GitOps 1.10.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications.

Security Fix(es):

* Before this update, due to the improper filtering of URL protocols in the Argo CD application summary component, an attacker could achieve cross-site scripting with permission to edit the application. This update fixes the issue by upgrading the Argo CD version to v2.8.12 which has the fix applied and is therefore not vulnerable (CVE-2024-28175)

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-28175

References:

https://access.redhat.com/security/updates/classification/#important  
https://docs.openshift.com/gitops/1.10/understanding_openshift_gitops/about-redhat-openshift-gitops.html  
https://bugzilla.redhat.com/show_bug.cgi?id=2268518

Red Hat Security Advisory 2024-1345-03

The Red Hat Advanced Cluster Security (RHACS) engineering team is excited to announce the pending release of the latest RHACS version, packed with brand-new features and updates. The team continues to build on the 4.0 major release and RHACS Cloud Service announcements last year with a feature-packed release to kick off 2024. The RHACS 4.4 release will focus on increased consistency of scan results, strengthened security posture management, and more automated security features to alleviate monotonous security tasks.Significant updates include:A new vulnerability scanner termed “Scanner V4”

The Red Hat Advanced Cluster Security (RHACS) engineering team is excited to announce the pending release of the latest RHACS version, packed with brand-new features and updates. The team continues to build on the 4.0 major release and RHACS Cloud Service announcements last year with a feature-packed release to kick off 2024. The RHACS 4.4 release will focus on increased consistency of scan results, strengthened security posture management, and more automated security features to alleviate monotonous security tasks.

Significant updates include:

*   A new vulnerability scanner termed “Scanner V4” utilizing upstream ClairCore, enabling consistent and more comprehensive vulnerability updates.
*   Compliance capabilities released in tech preview, with more to come in future releases.
*   CO-RE BPF becomes the default collection method for RHACS.
*   Cluster discovery by using cloud source integrations.
*   Bring your own database for Central database.
*   Build-time network policy tools.
*   Release life cycles have been extended to include a Full and Maintenance Support Phases. This change now extends the lifecycle of each ACS release to 10 months from previous six months life cycle.
*   RHACS support matrix outlines details on RHACS compatibility with OpenShift releases and supportability.

  
However, make sure to check out the many RHACS platform updates, such as:

*   Init-bundle graphical user interface improvements.
*   Support for RHACS on ROSA-hosted control plane.
*   Short-lived API tokens for Central.
*   Authenticating AWS and GCP integrations by using short-lived tokens (Tech Preview).
*   Operator life cycle updates.
*   Enhanced policy management roxctl deployment check command.

As always, you can find more information about the release in the RHACS documentation and release notes, and you can explore the newest version of RHACS through the 60-day, no-cost trial of RHACS Cloud Service.

**Introducing the unified ‘Vulnerability Scanner V4’**

We're thrilled to unveil the latest RHACS vulnerability management workflow update with the all-new RHACS ‘Scanner V4.’ This release marks a significant milestone as we integrate the finest features from the existing StackRox Scanner and the upstream Clair V4 Scanner from Red Hat Quay. Here's what you can expect from the new Scanner V4:

**Consistent and accurate scanning:** Reliable vulnerability scan results across the entire Red Hat product ecosystem, including RHACS and Red Hat Quay.

**Expanded language and operating system support:** We've listened to your feedback and expanded our support to include Golang in language vulnerability scanning. Additionally, we're proud to include Oracle Linux, SUSE Linux Enterprise, and Photon OS in our operating system scanning capabilities.

**Comprehensive vulnerability database source:** We've adopted OSV.dev as the primary source for all supported programming language packages to help deliver the most up-to-date vulnerability information.

It is important to note that all RHACS upgrades and new installations will use the StackRox Scanner by default. Still, you will now have the option to choose the new Vulnerability Scanner V4 instead of the default StackRox Scanner, which offers additional compatibility benefits and an extended scope.

For more information about enabling the RHACS Scanner V4, see:

*   “Scanner settings” in Installing RHACS on Red Hat OpenShift.
*   “Scanner V4” in Installing RHACS on other platforms.

**RHACS new compliance capabilities (Technology preview)**

The RHACS team is excited to announce the Compliance (2.0) launch as a Technology Preview feature in RHACS 4.4! As part of a larger compliance workflow initiative, RHACS users will have access to the latest updates and be able to give feedback about features they wish to see in the product.

With Compliance (2.0) in RHACS 4.4, users can expect the following:

*   A more seamless integration of Compliance Operator and RHACS for a unified experience. Configuration, scheduling, and execution of infrastructure scans directly from the RHACS interface.
*   Convenient access to OpenShift compliance operator scan results within RHACS for easy review and analysis.

We anticipate future releases to bring even more powerful capabilities, including:

*   Remediation of deficiencies and exporting scan results directly from the RHACS dashboard.
*   Creation of custom profiles tailored to specific compliance requirements.
*   Support for workload compliance, driving more comprehensive coverage across your environment.

For further details on the support scope of Red Hat Technology Preview features, please refer to the Technology Preview Features Support Scope documentation.

**CO-RE BPF becomes the default collection method for RHACS**

Starting with RHACS 4.4, the default runtime collection method is powered by eBPF CO-RE (Compile Once, Run Everywhere), offering compatibility across different kernel versions and providing smoother upgrades. This collection method was introduced in the RHACS 4.0 release, and unless explicitly configured otherwise, your cluster will seamlessly transition upon upgrading.

Discover more about the requirements for the CO-RE BPF collector in the RHACS documentation.

**Discover unprotected clusters with Paladin Cloud integration**

A standout feature of RHACS 4.4 is ease of integration with Red Hat OpenShift Cluster Manager and Paladin Cloud, enabling you to uncover new clusters that lack protection within your environment. With this integration, RHACS now offers a comprehensive list of clusters across your OpenShift environment and major cloud platforms, including Amazon Elastic Kubernetes Service (Amazon EKS), Google Kubernetes Engine (Google GKE), and Microsoft Azure Kubernetes Service (Microsoft AKS). Learn more about the tight integration of RHACS Cloud Service and Paladin Cloud in this joint blog post.

**Bring your own PostgreSQL database**

We are pleased to announce that users can utilize their own PostgreSQL-compatible database for the RHACS Central database in this release. This option offers the flexibility to deploy PostgreSQL within or outside the cluster. Whether deployed on bare metal, virtual machines, or as a cloud-hosted service, users can customize their deployment to suit their specific requirements.

Please refer to the RHACS Support Matrix for further details regarding supported platforms.

**Build-time network policy tools **

Creating Network Policies can be time complicated and time-consuming, and our customers want an easier way to enforce zero-trust networking across their clusters. Build-time network policy tools aim to create an automated approach to network policy creation that is as close to the developer as possible, saving time for everyone involved in the DevSecOps pipeline.

Build-time network policy tools enable users to generate network policies locally or as a part of a build-deploy pipeline. This automation enables zero-trust networking by explicitly defining the network traffic in your Kubernetes clusters, and we are excited to announce its general availability!

**Try out RHACS today!**

Interested in checking out these features and more? Try out the latest release of RHACS in our 60-day, no-cost trial of RHACS Cloud Service today!

Red Hat Advanced Cluster Security 4.4: What’s included

Red Hat Security Advisory 2024-1335-03 - An update for dnsmasq is now available for Red Hat Enterprise Linux 8.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1335.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: dnsmasq security updateAdvisory ID:        RHSA-2024:1335-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1335Issue date:         2024-03-14Revision:           03CVE Names:          CVE-2023-50387====================================================================Summary: An update for dnsmasq is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The dnsmasq packages contain Dnsmasq, a lightweight DNS (Domain Name Server) forwarder and DHCP (Dynamic Host Configuration Protocol) server.Security Fix(es):* dnsmasq: bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator (CVE-2023-50387)* dnsmasq: bind9: Preparing an NSEC3 closest encloser proof can exhaust CPU resources (CVE-2023-50868)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-50387References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2263914https://bugzilla.redhat.com/show_bug.cgi?id=2263917

Red Hat Security Advisory 2024-1335-03

Red Hat Security Advisory 2024-1334-03 - An update for dnsmasq is now available for Red Hat Enterprise Linux 9.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1334.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: dnsmasq security updateAdvisory ID:        RHSA-2024:1334-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1334Issue date:         2024-03-14Revision:           03CVE Names:          CVE-2023-50387====================================================================Summary: An update for dnsmasq is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The dnsmasq packages contain Dnsmasq, a lightweight DNS (Domain Name Server) forwarder and DHCP (Dynamic Host Configuration Protocol) server.Security Fix(es):* dnsmasq: bind9: KeyTrap - Extreme CPU consumption in DNSSECvalidator (CVE-2023-50387)* dnsmasq: bind9: Preparing an NSEC3 closest encloser proof canexhaust CPU resources (CVE-2023-50868)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-50387References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2263914https://bugzilla.redhat.com/show_bug.cgi?id=2263917

Red Hat Security Advisory 2024-1334-03

Red Hat Security Advisory 2024-1333-03 - Red Hat OpenShift Serverless version 1.32.0 is now available.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1333.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: Release of OpenShift Serverless 1.32.0Advisory ID:        RHSA-2024:1333-03Product:            Red Hat OpenShift ServerlessAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1333Issue date:         2024-03-14Revision:           03CVE Names:          CVE-2024-28110====================================================================Summary: Red Hat OpenShift Serverless version 1.32.0 is now available.Red Hat Product Security has rated this update as having a security impact ofModerate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.Description:Version 1.32.0 of the OpenShift Serverless Operator is supported on Red HatOpenShift Container Platform versions 4.12, 4.13 and 4.14This release includes security, bug fixes, and enhancements.Security Fix(es):* cloudevents/sdk-go: usage of WithRoundTripper to create a Client leaks credentials (CVE-2024-28110)For more details about the security issues, including the impact, a CVSS score, acknowledgements, and other related information, refer to the CVE pages listed in the References section.Solution:https://access.redhat.com/documentation/en-us/red_hat_openshift_serverless/1.32CVEs:CVE-2024-28110References:https://access.redhat.com/security/updates/classification/#moderatehttps://access.redhat.com/documentation/en-us/red_hat_openshift_serverless/1.32https://bugzilla.redhat.com/show_bug.cgi?id=2265972https://bugzilla.redhat.com/show_bug.cgi?id=2265973https://bugzilla.redhat.com/show_bug.cgi?id=2268372

Red Hat Security Advisory 2024-1333-03

Red Hat Security Advisory 2024-1332-03 - An update for kernel-rt is now available for Red Hat Enterprise Linux 7. Issues addressed include a use-after-free vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1332.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: kernel-rt security update  
Advisory ID:        RHSA-2024:1332-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1332  
Issue date:         2024-03-14  
Revision:           03  
CVE Names:          CVE-2022-42896  
====================================================================

Summary: 

An update for kernel-rt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

* sched/membarrier: reduce the ability to hammer on sys_membarrier (CVE-2024-26602)

* use-after-free in l2cap_connect and l2cap_le_connect_req in net/bluetooth/l2cap_core.c (CVE-2022-42896)

* use-after-free in sch_qfq network scheduler (CVE-2023-4921)

* IGB driver inadequate buffer size for frames larger than MTU (CVE-2023-45871)

* fbcon: out-of-sync arrays in fbcon_mode_deleted due to wrong con2fb_map assignment (CVE-2023-38409)

* nf_tables: use-after-free vulnerability in the nft_verdict_init() function (CVE-2024-1086)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2022-42896

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2147364  
https://bugzilla.redhat.com/show_bug.cgi?id=2230042  
https://bugzilla.redhat.com/show_bug.cgi?id=2244723  
https://bugzilla.redhat.com/show_bug.cgi?id=2245514  
https://bugzilla.redhat.com/show_bug.cgi?id=2262126  
https://bugzilla.redhat.com/show_bug.cgi?id=2267695

Tag

#red_hat