-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Critical: Multicluster Engine for Kubernetes 2.3.1 security updates and bug fixes Advisory ID: RHSA-2023:4862-01 Product: multicluster engine for Kubernetes Advisory URL: https://access.redhat.com/errata/RHSA-2023:4862 Issue date: 2023-08-29 CVE Names: CVE-2023-3089 CVE-2023-37466 CVE-2023-37903 ==================================================================== 1. Summary: Multicluster Engine for Kubernetes 2.3.1 General Availability release images, which contain security updates and fix bugs. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. 2. Description: Multicluster Engine for Kubernetes 2.3.1 images Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy. Security fix(es): * CVE-2023-3089 openshift: OCP & FIPS mode * CVE-2023-37903 - vm2: custom inspect function allows attackers to escape the sandbox and run arbitrary code * CVE-2023-37466 - vm2: Promise handler sanitization can be bypassed allowing attackers to escape the sandbox and run arbitrary code 3. Solution: For information and instructions for these updates, see the following article: https://access.redhat.com/solutions/7022540. For multicluster engine for Kubernetes, see the following documentation for details on how to install the images: https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.8/html/clusters/cluster_mce_overview#installing-while-connected-online-mce 4. Bugs fixed (https://bugzilla.redhat.com/): 2212085 - CVE-2023-3089 openshift: OCP & FIPS mode 2224969 - CVE-2023-37903 vm2: custom inspect function allows attackers to escape the sandbox and run arbitrary code 2232376 - CVE-2023-37466 vm2: Promise handler sanitization can be bypassed allowing attackers to escape the sandbox and run arbitrary code 5. References: https://access.redhat.com/security/cve/CVE-2023-3089 https://access.redhat.com/security/cve/CVE-2023-37466 https://access.redhat.com/security/cve/CVE-2023-37903 https://access.redhat.com/security/updates/classification/#critical https://access.redhat.com/security/vulnerabilities/RHSB-2023-001 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJk7lmyAAoJENzjgjWX9erEgyoQAJbwqbfIQs6oIXZijLbivNjq bQKxjShvL63k2pg9Z3dTP9BOU+80m3dHinIuyebSqb6HCtKYVn20HOYWAaeqMSLz +hfLjmyZbMW94i01e0DOQY+kjE4/jJ4SyaNHkzztIBhRalBvaCK1z+qli7WeKUoG 6pKWLg8juuMg7Qz644GZwlAC45z6pz61bBgudd1ITsnFgpR0QbXJgQ9sYEROM6WJ m9YN20GeiVFAvljQVa3jZvO6osEyjMOoqKKbXbbCAAVAGVQRfHZsKoZEzSji9zuh Qpl3TxVf5Q+lSo8Q29UpxManB8qHOnNsD0NJhn/Uc1vtVtNXCGqPYTua/PaQEIzJ 0L9ulRjrVaYTfLkfOAqfpymCEqDUwVrO57lTiiHmmC246aVO2eolWQgCWXHZ1L2r NdFNFrgIlwuosUg2rWMnl2eE7Bng27fu/KD3348wsq0KGioWo/pLRwA07fR8SJht Tr042eSScvhRexvChXjQQI7DioUOqYkB8d80clc5W57jxr3mUJLyAPL+0lMNMgIO vQmePwSyuvv4SdHHSDV4prUkiY/FMJVSMmoa3OXhMWy7oMeLv/Q9pMiWYBtK3bIW 7UXkuuHbeUEei60bYRMZPce7Us3VCuw4jowB9gyQ5e1dN2P/D1KmJOPWqq/gqj6P Mx4gy/4rSFmsj7fPQJnr =v2RA -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce