Issued: 2025-03-20
Updated: 2025-03-20
RHSA-2025:3053 - Important: Gatekeeper v3.15.4
Synopsis
Important: Gatekeeper v3.15.4
Type/Severity
Security Advisory Important
Topic
Gatekeeper v3.15.4
Description
Gatekeeper v3.15.4
Gatekeeper is a validating webhook with auditing capabilities that can enforce custom resource definition-based policies that are run with the Open Policy Agent (OPA). Gatekeeper is supported through a Red Hat Advanced Cluster Management for Kubernetes subscription.
Starting in v3.15, the following namespaces are exempt from admission control:
- kube-*
- multicluster-engine
- hypershift
- hive
- rhacs-operator
- open-cluster-*
- openshift-*
To replace the default exempt namespaces with your own, set the namespaces you want exempted on the Gatekeeper object. Workloads in an exempt namespace are not validated by Gatekeeper at admission time, so review the defaults against the namespace layout of your cluster before relying on policy enforcement there.
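The exempt-namespace list above is the part of this release that changes what the admission webhook enforces, so it is worth checking which of a cluster's namespaces actually fall under it. The following Go program is an added example written for this page, not Gatekeeper's own code. It reimplements the patterns as documented here, reading a trailing `*` as a prefix match and a leading `*` as a suffix match (this reading of the wildcard is an assumption), and runs a constructed namespace list through the check. The list includes a made-up team namespace, `openshift-tools`, to show that any namespace sharing an exempt prefix inherits the exemption.

```go
package main

import (
	"fmt"
	"strings"
)

// defaultExemptNamespaces copies the patterns this advisory lists as exempt
// from admission control starting in v3.15.
var defaultExemptNamespaces = []string{
	"kube-*",
	"multicluster-engine",
	"hypershift",
	"hive",
	"rhacs-operator",
	"open-cluster-*",
	"openshift-*",
}

// sampleNamespaces is a constructed list, not taken from a real cluster.
// "openshift-tools" stands in for a team namespace that happens to share
// a prefix with a platform namespace.
var sampleNamespaces = []string{
	"kube-system",
	"openshift-monitoring",
	"openshift-tools",
	"payments",
	"open-cluster-management",
	"hive",
	"default",
}

// matchesPattern reports whether ns matches one exempt-namespace pattern.
// Assumption (illustrative, not Gatekeeper's matcher): a trailing "*" is a
// prefix match, a leading "*" is a suffix match, anything else is exact.
func matchesPattern(pattern, ns string) bool {
	switch {
	case strings.HasSuffix(pattern, "*"):
		return strings.HasPrefix(ns, strings.TrimSuffix(pattern, "*"))
	case strings.HasPrefix(pattern, "*"):
		return strings.HasSuffix(ns, strings.TrimPrefix(pattern, "*"))
	default:
		return pattern == ns
	}
}

// IsExempt reports whether ns would bypass admission control under the given
// patterns, and which pattern is responsible.
func IsExempt(exempt []string, ns string) (bool, string) {
	for _, p := range exempt {
		if matchesPattern(p, ns) {
			return true, p
		}
	}
	return false, ""
}

// AuditNamespaces splits namespaces into the set Gatekeeper will validate and
// the set it will skip, so an operator can spot application namespaces that
// accidentally sit in the exempt set.
func AuditNamespaces(exempt, namespaces []string) (enforced, skipped []string) {
	for _, ns := range namespaces {
		if ok, _ := IsExempt(exempt, ns); ok {
			skipped = append(skipped, ns)
		} else {
			enforced = append(enforced, ns)
		}
	}
	return enforced, skipped
}

func main() {
	enforced, skipped := AuditNamespaces(defaultExemptNamespaces, sampleNamespaces)
	fmt.Println("validated by Gatekeeper:", enforced)
	for _, ns := range skipped {
		_, p := IsExempt(defaultExemptNamespaces, ns)
		fmt.Printf("exempt: %-24s (matched %q)\n", ns, p)
	}
}
```

Run it against the real namespace list (for example the output of `kubectl get ns -o name`) and anything unexpected in the exempt set is a candidate for overriding the defaults on the Gatekeeper object.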
Security fix(es):
- golang.org/x/oauth2: Unexpected memory consumption during token parsing in golang.org/x/oauth2 (CVE-2025-22868)
- golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh (CVE-2025-22869)
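Both fixes are Go module updates, so the practical check after upgrading is whether the deployed binary actually links the fixed versions. `go version -m <binary>` prints the modules compiled into a Go executable. The following Go program is an added example for this page, not part of the advisory or of the Gatekeeper project: it parses that output (a constructed sample is embedded in place of a real image's output) and flags either affected module when it is still below the first fixed release. The fixed versions it uses, golang.org/x/oauth2 v0.27.0 for CVE-2025-22868 and golang.org/x/crypto v0.35.0 for CVE-2025-22869, are taken from the Go vulnerability database entries for those CVEs and are not stated on this page; confirm them there before relying on the result.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// fixedVersions maps each affected module to the first release carrying the
// fix. Assumption: values from the Go vulnerability database, not this page.
var fixedVersions = map[string]string{
	"golang.org/x/oauth2": "v0.27.0", // CVE-2025-22868
	"golang.org/x/crypto": "v0.35.0", // CVE-2025-22869
}

// sampleBuildInfo is constructed in the shape of `go version -m` output; it is
// not captured from a real Gatekeeper image. Fields are tab separated and a
// "=>" line records a replace directive applied to the dep line before it.
const sampleBuildInfo = "/manager: go1.22.12\n" +
	"\tpath\tgithub.com/open-policy-agent/gatekeeper/v3\n" +
	"\tmod\tgithub.com/open-policy-agent/gatekeeper/v3\t(devel)\t\n" +
	"\tdep\tgolang.org/x/crypto\tv0.31.0\th1:constructed-sample-sum=\n" +
	"\tdep\tgolang.org/x/oauth2\tv0.26.0\th1:constructed-sample-sum=\n" +
	"\t=>\tgolang.org/x/oauth2\tv0.27.0\th1:constructed-sample-sum=\n"

// ParseBuildDeps returns module path -> linked version. A replacement line
// overrides the version recorded for the preceding dep.
func ParseBuildDeps(out string) map[string]string {
	deps := make(map[string]string)
	last := ""
	for _, line := range strings.Split(out, "\n") {
		f := strings.Fields(line)
		if len(f) < 3 {
			continue
		}
		switch f[0] {
		case "dep":
			last = f[1]
			deps[last] = f[2]
		case "=>":
			if last != "" {
				deps[last] = f[2]
			}
		}
	}
	return deps
}

// parseVersion reduces "v0.27.0", or a pseudo-version such as
// "v0.0.0-20240101000000-abcdef123456", to its three numeric components.
func parseVersion(v string) ([3]int, error) {
	var out [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i] // drop pre-release, pseudo-version and build-metadata suffixes
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("unrecognised version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, err
		}
		out[i] = n
	}
	return out, nil
}

func lessThan(a, b [3]int) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// VulnerableDeps lists affected modules linked below their fixed version.
// An unparseable version is reported too: an unverifiable build is treated
// as unfixed rather than silently passed.
func VulnerableDeps(deps map[string]string) []string {
	var vuln []string
	for mod, fixed := range fixedVersions {
		have, linked := deps[mod]
		if !linked {
			continue // module absent from the binary, so the CVE does not apply
		}
		hv, err := parseVersion(have)
		fv, _ := parseVersion(fixed)
		if err != nil || lessThan(hv, fv) {
			vuln = append(vuln, mod)
		}
	}
	sort.Strings(vuln)
	return vuln
}

func main() {
	deps := ParseBuildDeps(sampleBuildInfo)
	for _, mod := range VulnerableDeps(deps) {
		fmt.Printf("%s %s is below fixed version %s\n", mod, deps[mod], fixedVersions[mod])
	}
}
```

On a running cluster the input comes from the container itself, for example by copying the manager binary out of the pod and running `go version -m` on it; the sample is only there so the program runs offline.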
Additional Release Notes:
- v3.15.0 https://github.com/open-policy-agent/gatekeeper/releases/tag/v3.15.0
- v3.15.1 https://github.com/open-policy-agent/gatekeeper/releases/tag/v3.15.1
Solution
For more information, see the following resources:
- See the Gatekeeper documentation: https://open-policy-agent.github.io/gatekeeper/website/docs/.
- For support and troubleshooting, Gatekeeper is supported through a Red Hat Advanced Cluster Management for Kubernetes subscription: https://access.redhat.com/products/red-hat-advanced-cluster-management-for-kubernetes.
- The Open Policy Agent Gatekeeper community collaborates on Slack. Join the #opa-gatekeeper channel: https://openpolicyagent.slack.com/archives/CDTN970AX.
- Open issues on the Gatekeeper GitHub repository: https://github.com/open-policy-agent/gatekeeper/issues.
- See the installation and upgrade documentation: https://open-policy-agent.github.io/gatekeeper/website/docs/install.
Affected Products
| Product | Version | Arch |
|---|---|---|
| Gatekeeper | 3.15 | x86_64 |
Fixes
- BZ - 2348366
- BZ - 2348367
- HYPBLD-606
- ACM-18305
- ACM-18536
CVEs
- CVE-2019-12900
- CVE-2020-11023
- CVE-2021-43618
- CVE-2022-48554
- CVE-2023-7104
- CVE-2023-29491
- CVE-2023-37920
- CVE-2024-2236
- CVE-2024-3596
- CVE-2024-12797
- CVE-2024-28834
- CVE-2024-28835
- CVE-2024-34397
- CVE-2024-56171
- CVE-2025-22868
- CVE-2025-22869
- CVE-2025-24928
References
- https://access.redhat.com/security/updates/classification/#important
- https://github.com/open-policy-agent/gatekeeper/releases/tag/v3.15.0
- https://github.com/open-policy-agent/gatekeeper/releases/tag/v3.15.1
Additional information
- The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
- Offline Security Data is available for integration with other systems. See the Offline Security Data API to get started.