Issued:
2022-12-06
Updated:
2022-12-06

RHSA-2022:8827 - Low: RHACS 3.73 enhancement and security update

Synopsis

Low: RHACS 3.73 enhancement and security update

Type/Severity

Security Advisory Low

Topic

Updated images are now available for Red Hat Advanced Cluster Security (RHACS). The updated image includes new features and bug fixes.

Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Release of RHACS 3.73 provides these changes:

New features:

  • Red Hat Advanced Cluster Security Cloud Service (ACSCS) is a Red Hat managed service that simplifies and accelerates RHACS deployments. ACSCS is available as a Field Trial release. For more information about accessing ACSCS, contact Red Hat Sales.
  • Improved Vulnerability Management dashboard for ACSCS users.
  • PostgreSQL database option is available as Technology Preview feature. If you are interested in participating in the Tech Preview program, contact your Red Hat account representative.
  • A new build-time network policy generator as Technology Preview feature, to generate Kubernetes network policies based on Application YAML manifests.

Notable technical changes:

  • RHACS uses GraphQL internally to show data in the RHACS portal. However, Red Hat does not support querying RHACS using GraphQL. If you are using GraphQL, see https://access.redhat.com/articles/6986289 and contact Red Hat Consulting.
  • Sensor no longer uses anyuid Security Context Constraint (SCC). Instead, the default SCC for Sensor is now restricted[-v2] or stackrox-sensor, depending on the settings. In addition, the runAsUser and fsGroup for the Admission control and Sensor deployments are no longer hard-coded to 4000 on OpenShift clusters to allow using the restricted and restricted-v2 SCCs. (ROX-9342)
  • The service account central, which the Central deployment uses, now includes get and list access to the pods, events, and namespaces resources in the namespace where you deploy Central.
  • The CSV export API /api/vm/export/csv now requires the CVE Type filter as part of the input query parameter. Supported values for CVE Type are IMAGE_CVE, K8S_CVE, ISTIO_CVE, NODE_CVE, and OPENSHIFT_CVE.

Notice of in-product docs removal:

  • Beginning in the RHACS 3.74 release, Red Hat will remove the in-product docs accessible from the help menu. If you are using the in-product docs, you can instead download the required documentation in PDF format from Red Hat Customer Portal. (ROX-12839)

Bug fixes:

  • Previously, if you were using StackRox Kubernetes Security Platform - Splunk Technology Add-on, results for the ocp4-cis-node compliance standard was missing from Splunk. This issue is now fixed. The Splunk integration now includes the ocp4-cis-node compliance standard results. (ROX-11937)
  • Previously, Central would fail on the v1 CronJob deployment check. This issue is fixed. (ROX-13500)

Security Fix(es):

  • imgcrypt: Unauthorized access to encryted container image on a shared system due to missing check in CheckAuthorization() code path (CVE-2022-24778)

  • app-containers/cosign: false positive verification (CVE-2022-36056)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

To take advantage of the new features, bug fixes, and enhancements in RHACS 3.73 you are advised to upgrade to RHACS 3.73.0.

Affected Products

ProductVersionArch
Red Hat Advanced Cluster Security for Kubernetes3x86_64

Fixes

CVEs

References

Additional information