what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Red Hat Security Advisory 2023-4972-01

Red Hat Security Advisory 2023-4972-01
Posted Sep 5, 2023
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2023-4972-01 - Multicluster Engine for Kubernetes 2.1.8 images Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy. Issues addressed include a bypass vulnerability.

tags | advisory, bypass
systems | linux, redhat
advisories | CVE-2020-24736, CVE-2023-1667, CVE-2023-2283, CVE-2023-24329, CVE-2023-2602, CVE-2023-2603, CVE-2023-27536, CVE-2023-2828, CVE-2023-28321, CVE-2023-28484, CVE-2023-29469, CVE-2023-3089, CVE-2023-34969, CVE-2023-37466
SHA-256 | b8103393a1f454680dcea9db011bb7f60291ac374c5e4f6ad89ef6197ecdf019

Red Hat Security Advisory 2023-4972-01

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Critical: Multicluster Engine for Kubernetes 2.1.8 security updates and bug fixes
Advisory ID: RHSA-2023:4972-01
Product: multicluster engine for Kubernetes
Advisory URL: https://access.redhat.com/errata/RHSA-2023:4972
Issue date: 2023-09-05
CVE Names: CVE-2020-24736 CVE-2023-1667 CVE-2023-2283
CVE-2023-2602 CVE-2023-2603 CVE-2023-2828
CVE-2023-3089 CVE-2023-24329 CVE-2023-27536
CVE-2023-28321 CVE-2023-28484 CVE-2023-29469
CVE-2023-34969 CVE-2023-37466 CVE-2023-37903
CVE-2023-38408
=====================================================================

1. Summary:

Multicluster Engine for Kubernetes 2.1.8 General Availability release
images,
which fix bugs and update container images.

Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE links in the References section.

2. Description:

Multicluster Engine for Kubernetes 2.1.8 images

Multicluster engine for Kubernetes provides the foundational components
that are necessary for the centralized management of multiple
Kubernetes-based clusters across data centers, public clouds, and private
clouds.

You can use the engine to create new Red Hat OpenShift Container Platform
clusters or to bring existing Kubernetes-based clusters under management by
importing them. After the clusters are managed, you can use the APIs that
are provided by the engine to distribute configuration based on placement
policy.

Security fix(es):
* CVE-2023-3089 - openshift: OCP & FIPS mode
* CVE-2023-37903 - vm2: custom inspect function allows attackers to escape
the
sandbox and run arbitrary code
* CVE-2023-37466 - vm2: Promise handler sanitization can be bypassed
allowing
attackers to escape the sandbox and run arbitrary code

3. Solution:

For information and instructions for these updates, see the following
article: https://access.redhat.com/solutions/7022540.

For multicluster engine for Kubernetes, see the following documentation for
details on how to install the images:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.6/html/multicluster_engine/multicluster_engine_overview#installing-while-connected-online-mce

4. Bugs fixed (https://bugzilla.redhat.com/):

2212085 - CVE-2023-3089 openshift: OCP & FIPS mode
2224969 - CVE-2023-37903 vm2: custom inspect function allows attackers to escape the sandbox and run arbitrary code
2232376 - CVE-2023-37466 vm2: Promise handler sanitization can be bypassed allowing attackers to escape the sandbox and run arbitrary code

5. References:

https://access.redhat.com/security/cve/CVE-2020-24736
https://access.redhat.com/security/cve/CVE-2023-1667
https://access.redhat.com/security/cve/CVE-2023-2283
https://access.redhat.com/security/cve/CVE-2023-2602
https://access.redhat.com/security/cve/CVE-2023-2603
https://access.redhat.com/security/cve/CVE-2023-2828
https://access.redhat.com/security/cve/CVE-2023-3089
https://access.redhat.com/security/cve/CVE-2023-24329
https://access.redhat.com/security/cve/CVE-2023-27536
https://access.redhat.com/security/cve/CVE-2023-28321
https://access.redhat.com/security/cve/CVE-2023-28484
https://access.redhat.com/security/cve/CVE-2023-29469
https://access.redhat.com/security/cve/CVE-2023-34969
https://access.redhat.com/security/cve/CVE-2023-37466
https://access.redhat.com/security/cve/CVE-2023-37903
https://access.redhat.com/security/cve/CVE-2023-38408
https://access.redhat.com/security/updates/classification/#critical
https://access.redhat.com/security/vulnerabilities/RHSB-2023-001

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJk9yh/AAoJENzjgjWX9erExRwQAKLvMOTGwCcnrshxwGDu8b5J
Qg/B9s0X9c9d0eNKtibJd1tjiuIsxP+W0F147Z9oY/UIj8J4kACfogbh9YMm5r8y
3Q10QpiBNpsvT6xGOsg7xOE3xkShK4Kb+RCDbPdV99UY4yg4V6D8GQIjTYomXniR
yjfTS60+IRkPRck6sMx9Z6Q95lROpMCE5reCZHrINZOl8/JHN8mXxBwiiB9Hs5b8
bTuVw/w/A6iJtJB5Vdb9YkfpTmsifY/tRUp0G2Dy730PT6A4O+eBMREZVYAkPzmW
QcOSzGOq71Av4Ct06qCPfOvoDyvLSVMnhrLQRBqAYqTnP/Z46ncv0+i+OIcpad7b
txWcUCYrQcfIxw7E6WJT7uhgRp3IzhVy+uFGcTb5v3zK72SukA4vhOWsBgW1xWDo
fYALDFvUhmx7hlGlImQ3RTvmOCNEy7VOmSoTzq/jzNjL9796fIRKp8nIpT9r6fyd
WmVfNL0/9hrQDa6rWRy4Tw6GBtzthet2QNdml0Ojhh9rPyXBw8ZL0z0GEF709z/U
Tokpo/blCAo2Z43a4sxa5IC2yuBiK58hlmr0pwjXbCyiqZcwM4TUhsJqiyEsjO04
3/ZA52TXbCeEBwF1Px0WAzSnUt8rPQ1C13sqqEUVwiEsem/KeyGHDSQsYUaE1F4o
eAZYzdXqZXEYIylRiuaC
=Yp3S
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close