- Issued:
- 2025-07-21
- Updated:
- 2025-07-21
RHSA-2025:11479 - Moderate: ACS 4.7 enhancement and security update
Synopsis
Moderate: ACS 4.7 enhancement and security update
Type/Severity
Security Advisory Moderate
Topic
Updated images are now available for Red Hat Advanced Cluster Security for Kubernetes (RHACS). The updated image includes security and bug fixes.
Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
This release of RHACS 4.7.5 includes security and bug fixes. If you are using an earlier version of RHACS 4.7, you are advised to upgrade to this patch release 4.7.5.
Bugs fixed:
-
Before this update, incorrect interpretation of Red Hat Enterprise Linux (RHEL) 10 Common Platform Enumeration (CPE) strings caused Scanner V4 to fail distribution checks on RHEL 10 systems. With this update, an updated RHEL CPE major version pattern resolves the issue, and Scanner V4 can now correctly support RHEL 10.
-
Before this update, the failure of Sensor to call stream.Recv() caused gRPC flow control to block image reprocessing every 4 hours. With this update, the reprocessing loop includes a timeout for sending messages to Sensors, which resolves the issue and resumes the image reprocessing as expected.
-
Before this update, you could observe excessive logging of telemetry collection status, resulting in log spam. With this update, the telemetry collection has been configured to not emit repeated logs continuously, which resolves the issue and significantly reduces the log volume.
-
Before this update, a flaw in the signature verification algorithm caused valid signatures to be reported as invalid if they had a certain payload format. With this update, the enhanced robustness of the algorithm resolves the issue, and the system can now correctly assess the validity of signatures.
Security issue(s) fixed:
- Flaw in net/http allowed request smuggling due to improper handling of bare line feed (LF) in chunked data. (CVE-2025-22871)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Solution
If you are using an earlier version of RHACS 4.7, you are advised to upgrade to this patch release 4.7.5.
Affected Products
| Product | Version | Arch |
|---|---|---|
| Red Hat Advanced Cluster Security for Kubernetes | 4 | x86_64 |
| Red Hat Advanced Cluster Security for Kubernetes for IBM Z and LinuxONE | 4 | s390x |
| Red Hat Advanced Cluster Security for Kubernetes for IBM Power, little endian | 4 | ppc64le |
| Red Hat Advanced Cluster Security for Kubernetes for ARM | 4 | aarch64 |
Fixes
CVEs
- CVE-2019-17543
- CVE-2023-40403
- CVE-2024-12718
- CVE-2024-23337
- CVE-2024-53920
- CVE-2025-4138
- CVE-2025-4330
- CVE-2025-4435
- CVE-2025-4517
- CVE-2025-4802
- CVE-2025-6020
- CVE-2025-6021
- CVE-2025-22871
- CVE-2025-47273
- CVE-2025-48060
- CVE-2025-49794
- CVE-2025-49796
References
- https://access.redhat.com/security/updates/classification/#moderate
- https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_security_for_kubernetes/4.7/html/release_notes/release-notes-47
Additional information
- The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
- Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.