-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   
Red Hat Security Advisory

Synopsis:          Critical: Multicluster Engine for Kubernetes 2.3.1 security updates and bug fixes
Advisory ID:       RHSA-2023:4862-01
Product:           multicluster engine for Kubernetes
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4862
Issue date:        2023-08-29
CVE Names:         CVE-2023-3089 CVE-2023-37466 CVE-2023-37903
====================================================================
1. Summary:

Multicluster Engine for Kubernetes 2.3.1 General Availability release
images, which contain security updates and fix bugs.

Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE links in the References section.

2. Description:

Multicluster Engine for Kubernetes 2.3.1 images

Multicluster engine for Kubernetes provides the foundational components
that are necessary for the centralized management of multiple
Kubernetes-based clusters across data centers, public clouds, and private
clouds.

You can use the engine to create new Red Hat OpenShift Container Platform
clusters or to bring existing Kubernetes-based clusters under management by
importing them. After the clusters are managed, you can use the APIs that
are provided by the engine to distribute configuration based on placement
policy.

Security fix(es):
* CVE-2023-3089 openshift: OCP & FIPS mode
* CVE-2023-37903 - vm2: custom inspect function allows attackers to escape
the
sandbox and run arbitrary code
* CVE-2023-37466 - vm2: Promise handler sanitization can be bypassed
allowing
attackers to escape the sandbox and run arbitrary code

3. Solution:

For information and instructions for these updates, see the following
article: https://access.redhat.com/solutions/7022540.

For multicluster engine for Kubernetes, see the following documentation for
details on how to install the images:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.8/html/clusters/cluster_mce_overview#installing-while-connected-online-mce

4. Bugs fixed (https://bugzilla.redhat.com/):

2212085 - CVE-2023-3089 openshift: OCP & FIPS mode
2224969 - CVE-2023-37903 vm2: custom inspect function allows attackers to escape the sandbox and run arbitrary code
2232376 - CVE-2023-37466 vm2: Promise handler sanitization can be bypassed allowing attackers to escape the sandbox and run arbitrary code

5. References:

https://access.redhat.com/security/cve/CVE-2023-3089
https://access.redhat.com/security/cve/CVE-2023-37466
https://access.redhat.com/security/cve/CVE-2023-37903
https://access.redhat.com/security/updates/classification/#critical
https://access.redhat.com/security/vulnerabilities/RHSB-2023-001

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJk7lmyAAoJENzjgjWX9erEgyoQAJbwqbfIQs6oIXZijLbivNjq
bQKxjShvL63k2pg9Z3dTP9BOU+80m3dHinIuyebSqb6HCtKYVn20HOYWAaeqMSLz
+hfLjmyZbMW94i01e0DOQY+kjE4/jJ4SyaNHkzztIBhRalBvaCK1z+qli7WeKUoG
6pKWLg8juuMg7Qz644GZwlAC45z6pz61bBgudd1ITsnFgpR0QbXJgQ9sYEROM6WJ
m9YN20GeiVFAvljQVa3jZvO6osEyjMOoqKKbXbbCAAVAGVQRfHZsKoZEzSji9zuh
Qpl3TxVf5Q+lSo8Q29UpxManB8qHOnNsD0NJhn/Uc1vtVtNXCGqPYTua/PaQEIzJ
0L9ulRjrVaYTfLkfOAqfpymCEqDUwVrO57lTiiHmmC246aVO2eolWQgCWXHZ1L2r
NdFNFrgIlwuosUg2rWMnl2eE7Bng27fu/KD3348wsq0KGioWo/pLRwA07fR8SJht
Tr042eSScvhRexvChXjQQI7DioUOqYkB8d80clc5W57jxr3mUJLyAPL+0lMNMgIO
vQmePwSyuvv4SdHHSDV4prUkiY/FMJVSMmoa3OXhMWy7oMeLv/Q9pMiWYBtK3bIW
7UXkuuHbeUEei60bYRMZPce7Us3VCuw4jowB9gyQ5e1dN2P/D1KmJOPWqq/gqj6P
Mx4gy/4rSFmsj7fPQJnr
=v2RA
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce