-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: Multicluster Engine for Kubernetes 2.2.7 security updates and bug fixes
Advisory ID:       RHSA-2023:4650-01
Product:           multicluster engine for Kubernetes
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4650
Issue date:        2023-08-14
CVE Names:         CVE-2020-24736 CVE-2023-1667 CVE-2023-2283 
                   CVE-2023-2602 CVE-2023-2603 CVE-2023-2828 
                   CVE-2023-3089 CVE-2023-27536 CVE-2023-28321 
                   CVE-2023-28484 CVE-2023-29469 CVE-2023-32681 
                   CVE-2023-34969 CVE-2023-37903 CVE-2023-38408 
=====================================================================

1. Summary:

Multicluster Engine for Kubernetes 2.2.7 General Availability release
images, which provide security updates and fix bugs.

Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE links in the References section.

2. Description:

Multicluster Engine for Kubernetes 2.2.7 images

Multicluster engine for Kubernetes provides the foundational components
that are necessary for the centralized management of multiple
Kubernetes-based clusters across data centers, public clouds, and private
clouds.

You can use the engine to create new Red Hat OpenShift Container Platform
clusters or to bring existing Kubernetes-based clusters under management by
importing them. After the clusters are managed, you can use the APIs that
are provided by the engine to distribute configuration based on placement
policy.

Security fix(es):
* CVE-2023-3089 openshift: OCP & FIPS mode
* CVE-2023-37903 vm2: custom inspect function allows attackers to escape
the sandbox and run arbitrary code

3. Solution:

For information and instructions for these updates, see the following
article: https://access.redhat.com/solutions/7022540.

For multicluster engine for Kubernetes, see the following documentation for
details on how to install the images:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.7/html/clusters/cluster_mce_overview#installing-while-connected-online-mce

4. Bugs fixed (https://bugzilla.redhat.com/):

2212085 - CVE-2023-3089 openshift: OCP & FIPS mode
2224969 - CVE-2023-37903 vm2: custom inspect function allows attackers to escape the sandbox and run arbitrary code

5. References:

https://access.redhat.com/security/cve/CVE-2020-24736
https://access.redhat.com/security/cve/CVE-2023-1667
https://access.redhat.com/security/cve/CVE-2023-2283
https://access.redhat.com/security/cve/CVE-2023-2602
https://access.redhat.com/security/cve/CVE-2023-2603
https://access.redhat.com/security/cve/CVE-2023-2828
https://access.redhat.com/security/cve/CVE-2023-3089
https://access.redhat.com/security/cve/CVE-2023-27536
https://access.redhat.com/security/cve/CVE-2023-28321
https://access.redhat.com/security/cve/CVE-2023-28484
https://access.redhat.com/security/cve/CVE-2023-29469
https://access.redhat.com/security/cve/CVE-2023-32681
https://access.redhat.com/security/cve/CVE-2023-34969
https://access.redhat.com/security/cve/CVE-2023-37903
https://access.redhat.com/security/cve/CVE-2023-38408
https://access.redhat.com/security/updates/classification/#critical
https://access.redhat.com/security/vulnerabilities/RHSB-2023-001

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJk2oyOAAoJENzjgjWX9erES9IP/ia7OvrxHKrr9Y/vEtjWONNe
FuAcQnXYC+Z353sjLypA9aPb92zLkk6gdDlAASl5jJyJSCu8ArnDJbbuEsLTuDB4
7hpgyy+IE/0U1fCy4TaF87kRBjPHfPbyrlEJe2lpTJFFqPNxUXbDN1SMRB162cAN
ZVdhxbRbNKIo4B+dwmHG6S71qOlYYeD0ju9aRDQhFGlGKEj5JYFc2meFNdkE/07x
ah575UrYN2jtC0fepWPUny9EDotEtuYGAKyE7M5O+gHdNu5aBCCiizjcjZRgfX6a
FRRYuVrvE7qKjs6Z7/XAlUta1ut/LVUE0H+yAM8wLnLe0KcFVXgSeCe5+BX2IdrY
wtQ81kQqimqCuqugNNhILTJZvYfie6rxPsozJEycKwsAyHMzEnEJCToIdnroClX0
JzbZ9pypxzBRRxfe862GrXJ592rbsJJQFGNQgoOB+tsiOmbBQCDAOnCq3ZLIaBx8
NsBxcshlDlI7MnDgJz2+tN+nnMWK88tuR+4zI8iOqZlxxMQQshxJchTs+3ZckNwR
84rffOay80r6VwsUU4+p099CaNj3pI8VzzkLSQn7dZAOuK+L1NEc8TyAEAOHAMNi
lm/gDUy469tnGFHuJFi23ZAbyCLk5NTBLa0OvzqkuLQ4NqWzgI/n1YID9NxGISsY
Ne55NzOKyUQAul8Ktg5F
=Uuh2
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2023-4650:01 Critical: Multicluster Engine for Kubernetes 2.2.7

Multicluster Engine for Kubernetes 2.2.7 General Availability release images, which provide security updates and fix bugs

Summary

Multicluster Engine for Kubernetes 2.2.7 images
Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds.
You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy.
Security fix(es): * CVE-2023-3089 openshift: OCP & FIPS mode * CVE-2023-37903 vm2: custom inspect function allows attackers to escape the sandbox and run arbitrary code



Summary


Solution

For information and instructions for these updates, see the following article: https://access.redhat.com/solutions/7022540.
For multicluster engine for Kubernetes, see the following documentation for details on how to install the images:
https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.7/html/clusters/cluster_mce_overview#installing-while-connected-online-mce

References

https://access.redhat.com/security/cve/CVE-2020-24736 https://access.redhat.com/security/cve/CVE-2023-1667 https://access.redhat.com/security/cve/CVE-2023-2283 https://access.redhat.com/security/cve/CVE-2023-2602 https://access.redhat.com/security/cve/CVE-2023-2603 https://access.redhat.com/security/cve/CVE-2023-2828 https://access.redhat.com/security/cve/CVE-2023-3089 https://access.redhat.com/security/cve/CVE-2023-27536 https://access.redhat.com/security/cve/CVE-2023-28321 https://access.redhat.com/security/cve/CVE-2023-28484 https://access.redhat.com/security/cve/CVE-2023-29469 https://access.redhat.com/security/cve/CVE-2023-32681 https://access.redhat.com/security/cve/CVE-2023-34969 https://access.redhat.com/security/cve/CVE-2023-37903 https://access.redhat.com/security/cve/CVE-2023-38408 https://access.redhat.com/security/updates/classification/#critical https://access.redhat.com/security/vulnerabilities/RHSB-2023-001

Package List


Severity
Advisory ID: RHSA-2023:4650-01
Product: multicluster engine for Kubernetes
Advisory URL: https://access.redhat.com/errata/RHSA-2023:4650
Issued Date: : 2023-08-14
CVE Names: CVE-2020-24736 CVE-2023-1667 CVE-2023-2283 CVE-2023-2602 CVE-2023-2603 CVE-2023-2828 CVE-2023-3089 CVE-2023-27536 CVE-2023-28321 CVE-2023-28484 CVE-2023-29469 CVE-2023-32681 CVE-2023-34969 CVE-2023-37903 CVE-2023-38408

Topic

Multicluster Engine for Kubernetes 2.2.7 General Availability releaseimages, which provide security updates and fix bugs.Red Hat Product Security has rated this update as having a security impactof Critical. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE links in the References section.


Topic


 

Relevant Releases Architectures


Bugs Fixed

2212085 - CVE-2023-3089 openshift: OCP & FIPS mode

2224969 - CVE-2023-37903 vm2: custom inspect function allows attackers to escape the sandbox and run arbitrary code


Related News

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12
3 - 5 min read
The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This
A Linux Admin
3 - 6 min read
As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,
Leveraging Insights from the Linux Foundation
3 - 5 min read
The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
3 - 6 min read
Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security
From Wayland Fixes to Security Boosts: Examining Qt 6.8.1
3 - 6 min read
The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application
Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins
3 - 6 min read
The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline
Deck the Halls with Enhanced Security: Linux Kernel 6.13
3 - 5 min read
As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made
Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions
3 - 5 min read
New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved