-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Critical: Multicluster Engine for Kubernetes 2.1.8 security updates and bug fixes Advisory ID: RHSA-2023:4972-01 Product: multicluster engine for Kubernetes Advisory URL: https://access.redhat.com/errata/RHSA-2023:4972 Issue date: 2023-09-05 CVE Names: CVE-2020-24736 CVE-2023-1667 CVE-2023-2283 CVE-2023-2602 CVE-2023-2603 CVE-2023-2828 CVE-2023-3089 CVE-2023-24329 CVE-2023-27536 CVE-2023-28321 CVE-2023-28484 CVE-2023-29469 CVE-2023-34969 CVE-2023-37466 CVE-2023-37903 CVE-2023-38408 ===================================================================== 1. Summary: Multicluster Engine for Kubernetes 2.1.8 General Availability release images, which fix bugs and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. 2. Description: Multicluster Engine for Kubernetes 2.1.8 images Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy. Security fix(es): * CVE-2023-3089 - openshift: OCP & FIPS mode * CVE-2023-37903 - vm2: custom inspect function allows attackers to escape the sandbox and run arbitrary code * CVE-2023-37466 - vm2: Promise handler sanitization can be bypassed allowing attackers to escape the sandbox and run arbitrary code 3. Solution: For information and instructions for these updates, see the following article: https://access.redhat.com/solutions/7022540. For multicluster engine for Kubernetes, see the following documentation for details on how to install the images: https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.6/html/multicluster_engine/multicluster_engine_overview#installing-while-connected-online-mce 4. Bugs fixed (https://bugzilla.redhat.com/): 2212085 - CVE-2023-3089 openshift: OCP & FIPS mode 2224969 - CVE-2023-37903 vm2: custom inspect function allows attackers to escape the sandbox and run arbitrary code 2232376 - CVE-2023-37466 vm2: Promise handler sanitization can be bypassed allowing attackers to escape the sandbox and run arbitrary code 5. References: https://access.redhat.com/security/cve/CVE-2020-24736 https://access.redhat.com/security/cve/CVE-2023-1667 https://access.redhat.com/security/cve/CVE-2023-2283 https://access.redhat.com/security/cve/CVE-2023-2602 https://access.redhat.com/security/cve/CVE-2023-2603 https://access.redhat.com/security/cve/CVE-2023-2828 https://access.redhat.com/security/cve/CVE-2023-3089 https://access.redhat.com/security/cve/CVE-2023-24329 https://access.redhat.com/security/cve/CVE-2023-27536 https://access.redhat.com/security/cve/CVE-2023-28321 https://access.redhat.com/security/cve/CVE-2023-28484 https://access.redhat.com/security/cve/CVE-2023-29469 https://access.redhat.com/security/cve/CVE-2023-34969 https://access.redhat.com/security/cve/CVE-2023-37466 https://access.redhat.com/security/cve/CVE-2023-37903 https://access.redhat.com/security/cve/CVE-2023-38408 https://access.redhat.com/security/updates/classification/#critical https://access.redhat.com/security/vulnerabilities/RHSB-2023-001 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJk9yh/AAoJENzjgjWX9erExRwQAKLvMOTGwCcnrshxwGDu8b5J Qg/B9s0X9c9d0eNKtibJd1tjiuIsxP+W0F147Z9oY/UIj8J4kACfogbh9YMm5r8y 3Q10QpiBNpsvT6xGOsg7xOE3xkShK4Kb+RCDbPdV99UY4yg4V6D8GQIjTYomXniR yjfTS60+IRkPRck6sMx9Z6Q95lROpMCE5reCZHrINZOl8/JHN8mXxBwiiB9Hs5b8 bTuVw/w/A6iJtJB5Vdb9YkfpTmsifY/tRUp0G2Dy730PT6A4O+eBMREZVYAkPzmW QcOSzGOq71Av4Ct06qCPfOvoDyvLSVMnhrLQRBqAYqTnP/Z46ncv0+i+OIcpad7b txWcUCYrQcfIxw7E6WJT7uhgRp3IzhVy+uFGcTb5v3zK72SukA4vhOWsBgW1xWDo fYALDFvUhmx7hlGlImQ3RTvmOCNEy7VOmSoTzq/jzNjL9796fIRKp8nIpT9r6fyd WmVfNL0/9hrQDa6rWRy4Tw6GBtzthet2QNdml0Ojhh9rPyXBw8ZL0z0GEF709z/U Tokpo/blCAo2Z43a4sxa5IC2yuBiK58hlmr0pwjXbCyiqZcwM4TUhsJqiyEsjO04 3/ZA52TXbCeEBwF1Px0WAzSnUt8rPQ1C13sqqEUVwiEsem/KeyGHDSQsYUaE1F4o eAZYzdXqZXEYIylRiuaC =Yp3S -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce