Moderate: Red Hat Advanced Cluster Management 2.6.0 security updates and bug fixes

Topic

Red Hat Advanced Cluster Management for Kubernetes 2.6.0 General
Availability release images, which fix security issues and bugs.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE links in the References section.

Description

Red Hat Advanced Cluster Management for Kubernetes 2.6.0 images

Red Hat Advanced Cluster Management for Kubernetes provides the
capabilities to address common challenges that administrators and site
reliability engineers face as they work across a range of public and
private cloud environments. Clusters and applications are all visible and
managed from a single console—with security policy built in.

This advisory contains the container images for Red Hat Advanced Cluster
Management for Kubernetes, which fix security issues and several bugs. See the following Release Notes documentation, which will be updated shortly for this
release, for additional details about this release:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.6/html/release_notes/

Security fixes:

• CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS
• CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add
• CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header
• CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions
• CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip
• CVE-2022-30630 golang: io/fs: stack exhaustion in Glob
• CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read
• CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob
• CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal
• CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode
• CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working

Bug fixes:

• assisted-service repo pin-latest.py script should allow custom tags to be pinned (BZ# 2065661)
• assisted-service-build image is too big in size (BZ# 2066059)
• assisted-service pin-latest.py script should exclude the postgres image (BZ# 2076901)
• PXE artifacts need to be served via HTTP (BZ# 2078531)
• Implementing new service-agent protocol on agent side (BZ# 2081281)
• RHACM 2.6.0 images (BZ# 2090906)
• Assisted service POD keeps crashing after a bare metal host is created (BZ# 2093503)
• Assisted service triggers the worker nodes re-provisioning on the hub cluster when the converged flow is enabled (BZ# 2096106)
• Fix assisted CI jobs that fail for cluster-info readiness (BZ# 2097696)
• Nodes are required to have installation disks of at least 120GB instead of at minimum of 100GB (BZ# 2099277)
• The pre-selected search keyword is not readable (BZ# 2107736)
• The value of label expressions in the new placement for policy and policysets cannot be shown real-time from UI (BZ# 2111843)

Solution

For Red Hat Advanced Cluster Management for Kubernetes, see the following
documentation, which will be updated shortly for this release, for important
instructions on installing this release:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.6/html-single/install/index#installing

Affected Products

• Red Hat Advanced Cluster Management for Kubernetes 2 for RHEL 8 x86_64

Fixes

• BZ - 2065661 - assisted-service repo pin-latest.py script should allow custom tags to be pinned
• BZ - 2066059 - assisted-service-build image is too big in size
• BZ - 2076901 - assisted-service pin-latest.py script should exclude the postgres image
• BZ - 2078531 - iPXE artifacts need to be served via HTTP
• BZ - 2081281 - Implementing new service-agent protocol on agent side
• BZ - 2090901 - Capital letters in install-config.yaml .platform.baremetal.hosts[].name cause bootkube errors
• BZ - 2090906 - RHACM 2.6.0 images
• BZ - 2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add
• BZ - 2093503 - Assisted service POD keeps crashing after a bare metal host is created
• BZ - 2096106 - Assisted service triggers the worker nodes re-provisioning on the hub cluster when the converged flow is enabled
• BZ - 2096445 - Assisted service POD keeps crashing after a bare metal host is created
• BZ - 2096460 - Spoke BMH stuck "inspecting" when deployed via the converged workflow
• BZ - 2097696 - Fix assisted CI jobs that fail for cluster-info readiness
• BZ - 2099277 - Nodes are required to have installation disks of at least 120GB instead of at minimum of 100GB
• BZ - 2103703 - Automatic version upgrade triggered for oadp operator installed by cluster-backup-chart
• BZ - 2104117 - Spoke BMH stuck ?available? after changing a BIOS attribute via the converged workflow
• BZ - 2104984 - Infrastructure operator missing clusterrole permissions for interacting with mutatingwebhookconfigurations
• BZ - 2105075 - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS
• BZ - 2105339 - Search Application button on the Application Table for Subscription applications does not Redirect
• BZ - 2105357 - [UI] hypershift cluster creation error - n[0] is undefined
• BZ - 2106347 - Submariner error looking up service account submariner-operator/submariner-addon-sa
• BZ - 2106882 - Security Context Restrictions are restricting creation of some pods which affects the deployment of some applications
• BZ - 2107049 - The clusterrole for global clusterset did not created by default
• BZ - 2107065 - governance-policy-framework in CrashLoopBackOff state on spoke cluster: Failed to start manager {"error": "error listening on :8081: listen tcp :8081: bind: address already in use"}
• BZ - 2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read
• BZ - 2107370 - Helm Release resource recreation feature does not work with the local cluster
• BZ - 2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob
• BZ - 2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header
• BZ - 2107376 - CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions
• BZ - 2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
• BZ - 2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob
• BZ - 2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode
• BZ - 2107390 - CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip
• BZ - 2107392 - CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal
• BZ - 2108888 - Hypershift on AWS - control plane not running
• BZ - 2109370 - The button to create the cluster is not visible
• BZ - 2111203 - Add ocp 4.11 to filters for discovering clusters in ACM 2.6
• BZ - 2111218 - Create cluster - Infrastructure page crashes
• BZ - 2111651 - "View application" button on app table for Flux applications redirects to apiVersion=ocp instead of flux
• BZ - 2111663 - Hosted cluster in Pending import state
• BZ - 2111671 - Leaked namespaces after deleting hypershift deployment
• BZ - 2111770 - [ACM 2.6] there is no node info for remote cluster in multiple hubs
• BZ - 2111843 - The value of label expressions in the new placement for policy and policysets cannot be shown real-time from UI
• BZ - 2112180 - The policy page is crashed after input keywords in the search box
• BZ - 2112281 - config-policy-controller pod can't startup in the OCP3.11 managed cluster
• BZ - 2112318 - Can't delete the objects which are re-created by policy when deleting the policy
• BZ - 2112321 - BMAC reconcile loop never stops after changes
• BZ - 2112426 - No cluster discovered due to x509: certificate signed by unknown authority
• BZ - 2112478 - Value of delayAfterRunSeconds is not shown on the final submit panel and the word itself should not be wrapped.
• BZ - 2112793 - Can't view details of the policy template when set the spec.pruneObjectBehavior as unsupported value
• BZ - 2112803 - ClusterServiceVersion for release 2.6 branch references "latest" tag
• BZ - 2113787 - [ACM 2.6] can not delete namespaces after detaching the hosted cluster
• BZ - 2113838 - the cluster proxy-agent was deployed on the non-infra nodes
• BZ - 2113842 - [ACM 2.6] must restart hosting cluster registration pod if update work-manager-addon cr to change installNamespace
• BZ - 2114982 - Control plane type shows 'Standalone' for hypershift cluster
• BZ - 2115622 - Hub fromsecret function doesn't work for hosted mode in multiple hub
• BZ - 2115723 - Can't view details of the policy template for customer and hypershift cluster in hosted mode from UI
• BZ - 2115993 - Policy automation details panel was not updated after editing the mode back to disabled
• BZ - 2116211 - Count of violations with unknown status was not accurate when managed clusters have mixed status
• BZ - 2116329 - cluster-proxy-agent not startup due to the imagepullbackoff on spoke cluster
• BZ - 2117113 - The proxy-server-host was not correct in cluster-proxy-agent
• BZ - 2117187 - pruneObjectBehavior radio selection cannot work well and always switch the first one template in multiple configurationPolicy templates
• BZ - 2117480 - [ACM 2.6] infra-id of HypershiftDeployment doesn't work
• BZ - 2118338 - Report the "namespace not found" error after clicked view yaml link of a policy in the multiple hub env
• BZ - 2119326 - Can't view details of the SecurityContextConstraints policy for managed clusters from UI

CVEs

• CVE-2022-1012
• CVE-2022-1292
• CVE-2022-1586
• CVE-2022-1705
• CVE-2022-1785
• CVE-2022-1897
• CVE-2022-1927
• CVE-2022-1962
• CVE-2022-2068
• CVE-2022-2097
• CVE-2022-2526
• CVE-2022-28131
• CVE-2022-29154
• CVE-2022-30629
• CVE-2022-30630
• CVE-2022-30631
• CVE-2022-30632
• CVE-2022-30633
• CVE-2022-30635
• CVE-2022-31129
• CVE-2022-32148
• CVE-2022-32206
• CVE-2022-32208
• CVE-2022-32250

References

• https://access.redhat.com/security/updates/classification/#moderate