Issued:: 2024-10-28
Updated:: 2024-10-28

RHSA-2024:8533 - Important: Multicluster Engine for Kubernetes 2.4.6 security updates and bug fixes

Synopsis

Important: Multicluster Engine for Kubernetes 2.4.6 security updates and bug fixes

Type/Severity

Security Advisory Important

Topic

Multicluster Engine for Kubernetes 2.4.6 General Availability release images, which fix bugs and update container images.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.

Description

Multicluster engine for Kubernetes v2.4.6 images

Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds.

You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy.

nodejs/elliptic: EDDSA signature malleability occurs because there is a missing signature length check, and thus zero-valued bytes can be removed or appended (CVE-2024-42459) nodejs/elliptic: ECDSA signature malleability occurs because there is a missing check for whether the leading bit of r and s is zero (CVE-2024-42460) nodejs/elliptic: ECDSA implementation malleability due to BER-enconded signatures being allowed (CVE-2024-42461) Missing Validation in Elliptic's EDDSA Signature Verification(CVE-2024-48949)

Solution

For multicluster engine for Kubernetes, see the following documentation for details on how to install the images:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.9/html/clusters/install_upgrade/installing-while-connected-online-mce

Affected Products

Product	Version	Arch
multicluster engine for Kubernetes	Text-only Advisories	x86_64

Fixes

(none)

CVEs

CVE-2022-48624
CVE-2023-2953
CVE-2023-37920
CVE-2023-45290
CVE-2024-1737
CVE-2024-1975
CVE-2024-2398
CVE-2024-3651
CVE-2024-4032
CVE-2024-5535
CVE-2024-5564
CVE-2024-6232
CVE-2024-6345
CVE-2024-6923
CVE-2024-24790
CVE-2024-24806
CVE-2024-25062
CVE-2024-28182
CVE-2024-30203
CVE-2024-30205
CVE-2024-32487
CVE-2024-37370
CVE-2024-37371
CVE-2024-37891
CVE-2024-39331
CVE-2024-42459
CVE-2024-42460
CVE-2024-42461
CVE-2024-45490
CVE-2024-45491
CVE-2024-45492
CVE-2024-48949

References

https://access.redhat.com/security/updates/classification/#important

Additional information

The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.