Red Hat Security Advisory
Synopsis: Low: RHACS 3.73 enhancement and security update
Advisory ID: RHSA-2022:8827-01
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8827
Issue date: 2022-12-06
CVE Names: CVE-2022-24778 CVE-2022-36056 CVE-2022-42898
Updated images are now available for Red Hat Advanced Cluster Security
(RHACS). The updated image includes new features and bug fixes.
Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
Release of RHACS 3.73 provides these changes:
* Red Hat Advanced Cluster Security Cloud Service (ACSCS) is a Red Hat
managed service that simplifies and accelerates RHACS deployments. ACSCS is
available as a Field Trial release. For more information about accessing
ACSCS, contact Red Hat Sales.
* Improved Vulnerability Management dashboard for ACSCS users.
* PostgreSQL database option is available as Technology Preview feature. If
you are interested in participating in the Tech Preview program, contact
your Red Hat account representative.
* A new build-time network policy generator as Technology Preview feature,
to generate Kubernetes network policies based on Application YAML
Notable technical changes:
* RHACS uses GraphQL internally to show data in the RHACS portal. However,
Red Hat does not support querying RHACS using GraphQL. If you are using
GraphQL, see https://access.redhat.com/articles/6986289 and contact Red Hat
* Sensor no longer uses `anyuid` Security Context Constraint (SCC).
Instead, the default SCC for Sensor is now `restricted[-v2]` or
`stackrox-sensor`, depending on the settings. In addition, the `runAsUser`
and `fsGroup` for the Admission control and Sensor deployments are no
longer hard-coded to `4000` on OpenShift clusters to allow using the
`restricted` and `restricted-v2` SCCs. (ROX-9342)
* The service account `central`, which the Central deployment uses, now
includes `get` and `list` access to the pods, events, and namespaces
resources in the namespace where you deploy Central.
* The CSV export API `/api/vm/export/csv` now requires the `CVE Type`
filter as part of the input query parameter. Supported values for `CVE
Type` are `IMAGE_CVE`, `K8S_CVE`, `ISTIO_CVE`, `NODE_CVE`, and
Notice of in-product docs removal:
* Beginning in the RHACS 3.74 release, Red Hat will remove the in-product
docs accessible from the help menu. If you are using the in-product docs,
you can instead download the required documentation in PDF format from Red
Hat Customer Portal. (ROX-12839)
* Previously, if you were using StackRox Kubernetes Security Platform –
Splunk Technology Add-on, results for the `ocp4-cis-node` compliance
standard was missing from Splunk. This issue is now fixed. The Splunk
integration now includes the `ocp4-cis-node` compliance standard results.
* Previously, Central would fail on the v1 CronJob deployment check. This
issue is fixed. (ROX-13500)
* imgcrypt: Unauthorized access to encryted container image on a shared
system due to missing check in CheckAuthorization() code path
* app-containers/cosign: false positive verification (CVE-2022-36056)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
To take advantage of the new features, bug fixes, and enhancements in RHACS
3.73 you are advised to upgrade to RHACS 3.73.0.
4. Bugs fixed (https://bugzilla.redhat.com/):
2069368 – CVE-2022-24778 imgcrypt: Unauthorized access to encryted container image on a shared system due to missing check in CheckAuthorization() code path
2128820 – CVE-2022-36056 app-containers/cosign: false positive verification
5. JIRA issues fixed (https://issues.jboss.org/):
ROX-13687 – Release RHACS 3.73.0
The Red Hat security contact is <email@example.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1
—–END PGP SIGNATURE—–
RHSA-announce mailing list