Issued: 2025-04-15
Updated: 2025-04-15
RHSA-2025:3929 - Important: ACS 4.6 enhancement and security update
Synopsis
Important: ACS 4.6 enhancement and security update
Type/Severity
Security Advisory: Important
Topic
Updated images are now available for Red Hat Advanced Cluster Security (RHACS).
Description
This release of RHACS fixes the following bugs:
- Fixed an issue where Central could perform image scans even when delegated scanning was enabled, due to a race condition during Sensor reconnection.
- Fixed an issue where mismatched aggregation fields in Compliance tables and widgets caused inconsistent percentage displays.
- Fixed an issue where the Google Kubernetes Engine (GKE) compatibility tests failed because they still used a service deprecated in RHACS 4.6.
- Fixed an issue where users with only Alert permissions could see the Configuration Management page, resulting in role-based access control (RBAC) errors.
- Fixed an issue where verifying multi-signed images failed due to incorrect error handling.
This release of RHACS fixes the following security vulnerabilities:
- CVE-2024-21536: A flaw in http-proxy-middleware allowed denial of service through unhandled promise rejections raised by micromatch.
- CVE-2025-30204: A flaw in jwt-go allowed excessive memory allocation during header parsing, which could lead to denial of service.
- CVE-2024-57083: A flaw in redoc allowed the prototype to be tainted via mergeObjects, enabling denial of service through crafted payloads.
Solution
If you are using an earlier version of RHACS 4.6, you are advised to upgrade to patch release 4.6.5.
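One way to check a cluster's RHACS components against the fixed release, as an added example that is not Red Hat's or the RHACS project's own code: it takes a deployment-to-image inventory (the constructed sample below stands in for what `kubectl get deployments -n stackrox -o jsonpath` would return; the `stackrox` namespace, the deployment names and the image references are assumptions), reads the release version from the image tag, and flags 4.6.x images below 4.6.5. Digest-pinned images are reported as unknown rather than guessed at, and images from a different release stream are pointed at their own errata instead of being judged by this advisory.

```python
"""Flag RHACS 4.6 deployments that are below the patch release named in this advisory.

Added example, not Red Hat's or the RHACS project's own code. It assumes the
image references below (constructed sample input) and that the image tag is
the RHACS release version, as with registry.redhat.io/advanced-cluster-security/*.
"""
import re
from typing import Dict, Optional, Tuple

FIXED_VERSION = (4, 6, 5)   # patch release named in RHSA-2025:3929
AFFECTED_STREAM = (4, 6)    # only the 4.6 z-stream is addressed by this advisory

# Constructed sample: one "<deployment> <image>" per line, in the shape a
# `kubectl get deploy -n stackrox -o jsonpath=...` query could produce
# (deployment names, namespace and digests are hypothetical).
SAMPLE_INVENTORY = """\
central registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:4.6.4
scanner registry.redhat.io/advanced-cluster-security/rhacs-scanner-rhel8:4.6.5
sensor registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:4.6.5-2
collector registry.redhat.io/advanced-cluster-security/rhacs-collector-rhel8@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
admission-control registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:4.5.9
"""

# Leading "major.minor.patch"; a "-N" rebuild suffix after it is ignored.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(image: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from the image tag, or None when the version
    cannot be read from the reference.

    A digest-pinned reference is reported as None even if a tag is also present:
    the digest is what gets pulled, so the tag is not authoritative.
    """
    if "@" in image:
        return None
    _, _, tag = image.rpartition(":")
    # No tag at all: rpartition either found nothing or hit a registry port,
    # in which case the remainder still contains the repository path.
    if "/" in tag:
        return None
    m = VERSION_RE.match(tag)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def status(version: Optional[Tuple[int, int, int]]) -> str:
    """Classify a parsed version against this advisory."""
    if version is None:
        return "unknown"          # resolve the digest manually before trusting it
    if version[:2] != AFFECTED_STREAM:
        return "other-stream"     # not covered here; check that stream's own errata
    return "fixed" if version >= FIXED_VERSION else "vulnerable"


def audit(inventory: str) -> Dict[str, Tuple[str, str]]:
    """Return {deployment: (image, status)} for each non-empty inventory line."""
    report: Dict[str, Tuple[str, str]] = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        name, image = line.split(maxsplit=1)
        report[name] = (image, status(parse_version(image)))
    return report


if __name__ == "__main__":
    for name, (image, st) in audit(SAMPLE_INVENTORY).items():
        print(f"{st:13} {name:18} {image}")
```

Anything reported as `unknown` needs the digest resolved against the registry before it is treated as patched; a tag alone is also not proof that the running pod was restarted onto the new image, so pair this with a check of the pods' `imageID` if you need certainty.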
Affected Products
| Product | Version | Arch |
|---|---|---|
| Red Hat Advanced Cluster Security for Kubernetes | 4 | x86_64 |
| Red Hat Advanced Cluster Security for Kubernetes for IBM Z and LinuxONE | 4 | s390x |
| Red Hat Advanced Cluster Security for Kubernetes for IBM Power, little endian | 4 | ppc64le |
| Red Hat Advanced Cluster Security for Kubernetes for ARM | 4 | aarch64 |
Fixes
- BZ - 2319884
- BZ - 2354195
- BZ - 2355865
CVEs
- CVE-2024-21536
- CVE-2025-30204
- CVE-2024-57083
References
- https://access.redhat.com/security/updates/classification/#important
- https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_security_for_kubernetes/4.6/html/release_notes/release-notes-46
Additional information
- The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
- Offline Security Data is available for integration with other systems. See the Offline Security Data API to get started.