
(RHSA-2022:8827) Low: RHACS 3.73 enhancement and security update

Release of RHACS 3.73 provides these changes:

New features:

* Red Hat Advanced Cluster Security Cloud Service (ACSCS) is a Red Hat managed service that simplifies and accelerates RHACS deployments. ACSCS is available as a Field Trial release. For more information about accessing ACSCS, contact Red Hat Sales.
* Improved Vulnerability Management dashboard for ACSCS users.
* PostgreSQL database option is available as Technology Preview feature. If you are interested in participating in the Tech Preview program, contact your Red Hat account representative.
* A new build-time network policy generator as Technology Preview feature, to generate Kubernetes network policies based on Application YAML manifests.

Notable technical changes:

* RHACS uses GraphQL internally to show data in the RHACS portal. However, Red Hat does not support querying RHACS using GraphQL. If you are using GraphQL, see https://access.redhat.com/articles/6986289 and contact Red Hat Consulting.
* Sensor no longer uses `anyuid` Security Context Constraint (SCC). Instead, the default SCC for Sensor is now `restricted[-v2]` or `stackrox-sensor`, depending on the settings. In addition, the `runAsUser` and `fsGroup` for the Admission control and Sensor deployments are no longer hard-coded to `4000` on OpenShift clusters to allow using the `restricted` and `restricted-v2` SCCs. (ROX-9342)
* The service account `central`, which the Central deployment uses, now includes `get` and `list` access to the pods, events, and namespaces resources in the namespace where you deploy Central.
* The CSV export API `/api/vm/export/csv` now requires the `CVE Type` filter as part of the input query parameter. Supported values for `CVE Type` are `IMAGE_CVE`, `K8S_CVE`, `ISTIO_CVE`, `NODE_CVE`, and `OPENSHIFT_CVE`.
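A small helper for scripts that call the export endpoint and now need the mandatory filter. This is an added example, not code from the advisory or the RHACS project: the endpoint path and the five `CVE Type` values are taken from the text above, while the `Key:value` search-query syntax with `+`-joined terms and the `query` parameter name are assumptions made here, so check them against your RHACS version's API documentation.

```python
"""Build, validate and check RHACS CSV-export URLs (added example, not RHACS code).

Assumptions (not stated in the advisory): the filter is passed in a `query`
URL parameter using RHACS search syntax, i.e. `Key:value` terms joined by '+'.
"""
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoint path and supported CVE Type values as listed in the advisory.
EXPORT_PATH = "/api/vm/export/csv"
SUPPORTED_CVE_TYPES = frozenset(
    {"IMAGE_CVE", "K8S_CVE", "ISTIO_CVE", "NODE_CVE", "OPENSHIFT_CVE"}
)
REQUIRED_KEY = "CVE Type"


def build_export_url(central_base_url, cve_type, extra_filters=None):
    """Return a full export URL whose query always carries the CVE Type filter.

    `extra_filters` is an optional mapping of additional search keys to values
    (e.g. {"Namespace": "payments"}); the key names are whatever your RHACS
    search supports and are not validated here.
    """
    if cve_type not in SUPPORTED_CVE_TYPES:
        raise ValueError(
            f"unsupported CVE Type {cve_type!r}; expected one of "
            f"{sorted(SUPPORTED_CVE_TYPES)}"
        )
    terms = [f"{REQUIRED_KEY}:{cve_type}"]
    for key, value in (extra_filters or {}).items():
        terms.append(f"{key}:{value}")
    # '+' separates terms; urlencode percent-encodes it (and spaces become '+'),
    # which parse_qs reverses symmetrically on the way back in.
    query = "+".join(terms)
    base = central_base_url.rstrip("/")
    return f"{base}{EXPORT_PATH}?{urlencode({'query': query})}"


def query_has_required_cve_type(url):
    """Check an existing export URL for a valid CVE Type term.

    Useful for auditing pre-3.73 automation before it starts failing: returns
    True only if the `query` parameter contains `CVE Type:<supported value>`.
    """
    parsed = urlparse(url)
    if parsed.path != EXPORT_PATH:
        return False
    for raw_query in parse_qs(parsed.query).get("query", []):
        for term in raw_query.split("+"):
            key, sep, value = term.partition(":")
            if sep and key.strip() == REQUIRED_KEY and value.strip() in SUPPORTED_CVE_TYPES:
                return True
    return False


if __name__ == "__main__":
    # Constructed sample host; no network request is made.
    url = build_export_url("https://central.example.invalid", "IMAGE_CVE",
                           {"Namespace": "payments"})
    print(url)
    print("has required filter:", query_has_required_cve_type(url))
    legacy = "https://central.example.invalid/api/vm/export/csv?query=Namespace%3Apayments"
    print("legacy URL has required filter:", query_has_required_cve_type(legacy))
```

Run `query_has_required_cve_type` over the URLs your existing jobs use; any that return `False` need the filter added before upgrading to 3.73.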

Notice of in-product docs removal:

* Beginning in the RHACS 3.74 release, Red Hat will remove the in-product docs accessible from the help menu. If you are using the in-product docs, you can instead download the required documentation in PDF format from Red Hat Customer Portal. (ROX-12839)

Bug fixes:

* Previously, if you were using the StackRox Kubernetes Security Platform – Splunk Technology Add-on, results for the `ocp4-cis-node` compliance standard were missing from Splunk. This issue is now fixed. The Splunk integration now includes the `ocp4-cis-node` compliance standard results. (ROX-11937)
* Previously, Central would fail on the v1 CronJob deployment check. This issue is fixed. (ROX-13500)

Security Fix(es):

* imgcrypt: Unauthorized access to encrypted container image on a shared system due to missing check in CheckAuthorization() code path (CVE-2022-24778)

* app-containers/cosign: false positive verification (CVE-2022-36056)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.