Action not permitted
Modal body text goes here.
Modal Title
Modal Body
cve-2022-36056
Vulnerability from cvelistv5
Published
2022-09-14 19:50
Modified
2024-08-03 09:52
Severity ?
EPSS score ?
Summary
Cosign is a project under the sigstore organization which aims to make signatures invisible infrastructure. In versions prior to 1.12.0 a number of vulnerabilities have been found in cosign verify-blob, where Cosign would successfully verify an artifact when verification should have failed. First a cosign bundle can be crafted to successfully verify a blob even if the embedded rekorBundle does not reference the given signature. Second, when providing identity flags, the email and issuer of a certificate is not checked when verifying a Rekor bundle, and the GitHub Actions identity is never checked. Third, providing an invalid Rekor bundle without the experimental flag results in a successful verification. And fourth an invalid transparency log entry will result in immediate success for verification. Details and examples of these issues can be seen in the GHSA-8gw7-4j42-w388 advisory linked. Users are advised to upgrade to 1.12.0. There are no known workarounds for these issues.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/sigstore/cosign/commit/80b79ed8b4d28ccbce3d279fd273606b5cddcc25 | Patch, Third Party Advisory | |
| security-advisories@github.com | https://github.com/sigstore/cosign/security/advisories/GHSA-8gw7-4j42-w388 | Exploit, Mitigation, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/sigstore/cosign/commit/80b79ed8b4d28ccbce3d279fd273606b5cddcc25 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/sigstore/cosign/security/advisories/GHSA-8gw7-4j42-w388 | Exploit, Mitigation, Patch, Third Party Advisory |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:52:00.499Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/sigstore/cosign/security/advisories/GHSA-8gw7-4j42-w388"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/sigstore/cosign/commit/80b79ed8b4d28ccbce3d279fd273606b5cddcc25"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "cosign",
"vendor": "sigstore",
"versions": [
{
"status": "affected",
"version": "\u003c 1.12.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cosign is a project under the sigstore organization which aims to make signatures invisible infrastructure. In versions prior to 1.12.0 a number of vulnerabilities have been found in cosign verify-blob, where Cosign would successfully verify an artifact when verification should have failed. First a cosign bundle can be crafted to successfully verify a blob even if the embedded rekorBundle does not reference the given signature. Second, when providing identity flags, the email and issuer of a certificate is not checked when verifying a Rekor bundle, and the GitHub Actions identity is never checked. Third, providing an invalid Rekor bundle without the experimental flag results in a successful verification. And fourth an invalid transparency log entry will result in immediate success for verification. Details and examples of these issues can be seen in the GHSA-8gw7-4j42-w388 advisory linked. Users are advised to upgrade to 1.12.0. There are no known workarounds for these issues."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347: Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-14T19:50:09",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sigstore/cosign/security/advisories/GHSA-8gw7-4j42-w388"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sigstore/cosign/commit/80b79ed8b4d28ccbce3d279fd273606b5cddcc25"
}
],
"source": {
"advisory": "GHSA-8gw7-4j42-w388",
"discovery": "UNKNOWN"
},
"title": " Vulnerabilities with blob verification in sigstore cosign",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-36056",
"STATE": "PUBLIC",
"TITLE": " Vulnerabilities with blob verification in sigstore cosign"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "cosign",
"version": {
"version_data": [
{
"version_value": "\u003c 1.12.0"
}
]
}
}
]
},
"vendor_name": "sigstore"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cosign is a project under the sigstore organization which aims to make signatures invisible infrastructure. In versions prior to 1.12.0 a number of vulnerabilities have been found in cosign verify-blob, where Cosign would successfully verify an artifact when verification should have failed. First a cosign bundle can be crafted to successfully verify a blob even if the embedded rekorBundle does not reference the given signature. Second, when providing identity flags, the email and issuer of a certificate is not checked when verifying a Rekor bundle, and the GitHub Actions identity is never checked. Third, providing an invalid Rekor bundle without the experimental flag results in a successful verification. And fourth an invalid transparency log entry will result in immediate success for verification. Details and examples of these issues can be seen in the GHSA-8gw7-4j42-w388 advisory linked. Users are advised to upgrade to 1.12.0. There are no known workarounds for these issues."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-347: Improper Verification of Cryptographic Signature"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/sigstore/cosign/security/advisories/GHSA-8gw7-4j42-w388",
"refsource": "CONFIRM",
"url": "https://github.com/sigstore/cosign/security/advisories/GHSA-8gw7-4j42-w388"
},
{
"name": "https://github.com/sigstore/cosign/commit/80b79ed8b4d28ccbce3d279fd273606b5cddcc25",
"refsource": "MISC",
"url": "https://github.com/sigstore/cosign/commit/80b79ed8b4d28ccbce3d279fd273606b5cddcc25"
}
]
},
"source": {
"advisory": "GHSA-8gw7-4j42-w388",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-36056",
"datePublished": "2022-09-14T19:50:09",
"dateReserved": "2022-07-15T00:00:00",
"dateUpdated": "2024-08-03T09:52:00.499Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2022-36056\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-09-14T20:15:09.860\",\"lastModified\":\"2024-11-21T07:12:16.937\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Cosign is a project under the sigstore organization which aims to make signatures invisible infrastructure. In versions prior to 1.12.0 a number of vulnerabilities have been found in cosign verify-blob, where Cosign would successfully verify an artifact when verification should have failed. First a cosign bundle can be crafted to successfully verify a blob even if the embedded rekorBundle does not reference the given signature. Second, when providing identity flags, the email and issuer of a certificate is not checked when verifying a Rekor bundle, and the GitHub Actions identity is never checked. Third, providing an invalid Rekor bundle without the experimental flag results in a successful verification. And fourth an invalid transparency log entry will result in immediate success for verification. Details and examples of these issues can be seen in the GHSA-8gw7-4j42-w388 advisory linked. Users are advised to upgrade to 1.12.0. There are no known workarounds for these issues.\"},{\"lang\":\"es\",\"value\":\"Cosign es un proyecto bajo la organizaci\u00f3n sigstore que presenta como objetivo hacer que la infraestructura de las firmas sea invisible. En versiones anteriores a 1.12.0, han sido encontradas una serie de vulnerabilidades en cosign verify-blob, donde Cosign verificaba con \u00e9xito un artefacto cuando la verificaci\u00f3n deber\u00eda haber fallado. En primer lugar, puede dise\u00f1arse un paquete de Cosign para que verifique correctamente un blob aunque el rekorBundle insertado no haga referencia a la firma en cuesti\u00f3n. En segundo lugar, cuando son proporcionados indicadores de identidad, el correo electr\u00f3nico y el emisor de un certificado no son comprobados cuando es verificado un paquete Rekor, y la identidad de las acciones de GitHub nunca es comprobada. En tercer lugar, si es proporcionada un paquete Rekor no v\u00e1lido sin el flag experimental, la verificaci\u00f3n es realizada con \u00e9xito. Y en cuarto lugar, una entrada de registro de transparencia no v\u00e1lida resultar\u00e1 en un \u00e9xito inmediato de la verificaci\u00f3n. Los detalles y ejemplos de estos problemas pueden verse en el aviso GHSA-8gw7-4j42-w388 enlazado. Es recomendado a usuarios actualizar a versi\u00f3n 1.12.0. No se presentan mitigaciones conocidas para estos problemas\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-347\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sigstore:cosign:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.12.0\",\"matchCriteriaId\":\"B4975968-ACFD-4039-AD18-F2C53D2CF1DD\"}]}]}],\"references\":[{\"url\":\"https://github.com/sigstore/cosign/commit/80b79ed8b4d28ccbce3d279fd273606b5cddcc25\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/sigstore/cosign/security/advisories/GHSA-8gw7-4j42-w388\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/sigstore/cosign/commit/80b79ed8b4d28ccbce3d279fd273606b5cddcc25\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/sigstore/cosign/security/advisories/GHSA-8gw7-4j42-w388\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mitigation\",\"Patch\",\"Third Party Advisory\"]}]}}"
}
}
fkie_cve-2022-36056
Vulnerability from fkie_nvd
Published
2022-09-14 20:15
Modified
2024-11-21 07:12
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
Cosign is a project under the sigstore organization which aims to make signatures invisible infrastructure. In versions prior to 1.12.0 a number of vulnerabilities have been found in cosign verify-blob, where Cosign would successfully verify an artifact when verification should have failed. First a cosign bundle can be crafted to successfully verify a blob even if the embedded rekorBundle does not reference the given signature. Second, when providing identity flags, the email and issuer of a certificate is not checked when verifying a Rekor bundle, and the GitHub Actions identity is never checked. Third, providing an invalid Rekor bundle without the experimental flag results in a successful verification. And fourth an invalid transparency log entry will result in immediate success for verification. Details and examples of these issues can be seen in the GHSA-8gw7-4j42-w388 advisory linked. Users are advised to upgrade to 1.12.0. There are no known workarounds for these issues.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/sigstore/cosign/commit/80b79ed8b4d28ccbce3d279fd273606b5cddcc25 | Patch, Third Party Advisory | |
| security-advisories@github.com | https://github.com/sigstore/cosign/security/advisories/GHSA-8gw7-4j42-w388 | Exploit, Mitigation, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/sigstore/cosign/commit/80b79ed8b4d28ccbce3d279fd273606b5cddcc25 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/sigstore/cosign/security/advisories/GHSA-8gw7-4j42-w388 | Exploit, Mitigation, Patch, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sigstore:cosign:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B4975968-ACFD-4039-AD18-F2C53D2CF1DD",
"versionEndExcluding": "1.12.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cosign is a project under the sigstore organization which aims to make signatures invisible infrastructure. In versions prior to 1.12.0 a number of vulnerabilities have been found in cosign verify-blob, where Cosign would successfully verify an artifact when verification should have failed. First a cosign bundle can be crafted to successfully verify a blob even if the embedded rekorBundle does not reference the given signature. Second, when providing identity flags, the email and issuer of a certificate is not checked when verifying a Rekor bundle, and the GitHub Actions identity is never checked. Third, providing an invalid Rekor bundle without the experimental flag results in a successful verification. And fourth an invalid transparency log entry will result in immediate success for verification. Details and examples of these issues can be seen in the GHSA-8gw7-4j42-w388 advisory linked. Users are advised to upgrade to 1.12.0. There are no known workarounds for these issues."
},
{
"lang": "es",
"value": "Cosign es un proyecto bajo la organizaci\u00f3n sigstore que presenta como objetivo hacer que la infraestructura de las firmas sea invisible. En versiones anteriores a 1.12.0, han sido encontradas una serie de vulnerabilidades en cosign verify-blob, donde Cosign verificaba con \u00e9xito un artefacto cuando la verificaci\u00f3n deber\u00eda haber fallado. En primer lugar, puede dise\u00f1arse un paquete de Cosign para que verifique correctamente un blob aunque el rekorBundle insertado no haga referencia a la firma en cuesti\u00f3n. En segundo lugar, cuando son proporcionados indicadores de identidad, el correo electr\u00f3nico y el emisor de un certificado no son comprobados cuando es verificado un paquete Rekor, y la identidad de las acciones de GitHub nunca es comprobada. En tercer lugar, si es proporcionada un paquete Rekor no v\u00e1lido sin el flag experimental, la verificaci\u00f3n es realizada con \u00e9xito. Y en cuarto lugar, una entrada de registro de transparencia no v\u00e1lida resultar\u00e1 en un \u00e9xito inmediato de la verificaci\u00f3n. Los detalles y ejemplos de estos problemas pueden verse en el aviso GHSA-8gw7-4j42-w388 enlazado. Es recomendado a usuarios actualizar a versi\u00f3n 1.12.0. No se presentan mitigaciones conocidas para estos problemas"
}
],
"id": "CVE-2022-36056",
"lastModified": "2024-11-21T07:12:16.937",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-09-14T20:15:09.860",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/sigstore/cosign/commit/80b79ed8b4d28ccbce3d279fd273606b5cddcc25"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Mitigation",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/sigstore/cosign/security/advisories/GHSA-8gw7-4j42-w388"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/sigstore/cosign/commit/80b79ed8b4d28ccbce3d279fd273606b5cddcc25"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mitigation",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/sigstore/cosign/security/advisories/GHSA-8gw7-4j42-w388"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-347"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
ghsa-8gw7-4j42-w388
Vulnerability from github
Published
2022-09-16 19:13
Modified
2024-05-20 21:33
Severity ?
Summary
Cosign bundle can be crafted to successfully verify a blob even if the embedded rekorBundle does not reference the given signature
Details
Summary
A number of vulnerabilities have been found in cosign verify-blob, where Cosign would successfully verify an artifact when verification should have failed.
Vulnerability 1: Bundle mismatch causes invalid verification.
Summary
A cosign bundle can be crafted to successfully verify a blob even if the embedded rekorBundle does not reference the given signature.
Details
Cosign supports "bundles" which intend to allow offline verification of the signature and rekor inclusion. By using the --bundle flag in cosign sign-blob, cosign will create a JSON file called a "bundle". These bundles include three fields: base64Signature, cert, and rekorBundle. The desired behavior is that the verification of these bundles would:
- verify the provided blob using the included signature and certificate
- verify the rekorBundle SET
- verify the rekorBundle payload references the given artifact.
It appears that step three is not being performed, allowing "any old rekorBundle" to pass validation, even if the rekorBundle payload does not reference the provided blob or the certificate and signature in the rekorBundle do not match those at the top level.
Steps to reproduce
Enable keyless signing:
export COSIGN_EXPERIMENTAL=1
Create two random blobs:
dd bs=1 count=50 </dev/urandom >blob1
dd bs=1 count=50 </dev/urandom >blob2
Sign each blob:
cosign sign-blob blob1 --bundle bundle1
cosign sign-blob blob2 --bundle bundle2
Create a falsified bundle including the base64Signature and cert fields from bundle1 and the rekorBundle from bundle2:
jq --slurpfile bundle2 bundle2 '.rekorBundle = $bundle2[0].rekorBundle' bundle1 > invalidBundle
Now, the falsified bundle can be used to verify blob1:
$ cosign verify-blob blob1 --bundle invalidBundle
tlog entry verified offline
Verified OK
Patches
Users should update to the latest version of Cosign, 1.12.0.
Workaround
If you extract the signature and certificate from the bundle, you may use it for verification as follows and avoid using an invalid bundle:
$ cosign verify-blob blob1 --signature $(jq -r '.base64Signature' bundle1) --certificate $(jq -r '.cert' bundle1)
Note that this will make a network call to Rekor to fetch the Rekor entry. However, you may then be subject to Vulnerability 4.
Vulnerability 2: Certificate Identities are not checked in some cases
Summary
When providing identity flags, the email and issuer of a certificate is not checked when verifying a Rekor bundle, and the GitHub Actions identity is never checked.
Details
Users who provide an offline Rekor bundle (--bundle) when verifying a blob using cosign verify-blob and include flags that check identity such as --certificate-email and --certificate-oidc-issuer are impacted. Additionally, users who provide the GitHub Actions verification flags such as --certificate-github-workflow-name when running cosign verify-blob without a bundle, key reference, or certificate are impacted.
When providing these flags, Cosign ignored their values. If a certificate's identity did not match the provided flags, Cosign would still successfully verify the blob.
Patches
Users should update to the latest version of Cosign, 1.12.0.
Workarounds
There are no workarounds, users should update.
Vulnerability 3: Invalid Rekor bundle without the experimental flag will result in successful verification
Summary
Providing an invalid Rekor bundle without the experimental flag results in a successful verification.
Details
Users who provide an offline Rekor bundle (--bundle) that was invalid (invalid signed entry timestamp, expired certificate, or malformed) when verifying a blob with cosign verify-blob and do not set the COSIGN_EXPERIMENTAL=1 flag are impacted.
When an invalid bundle was provided, Cosign would fallback to checking Rekor log inclusion by requesting proof of inclusion from the log. However, without the COSIGN_EXPERIMENTAL flag, Cosign would exit early and successfully verify the blob.
Patches
Users should update to the latest version of Cosign, 1.12.0.
Workarounds
There are no workarounds, users should update.
Vulnerability 4: Invalid transparency log entry will result in successful verification
Summary
An invalid transparency log entry will result in immediate success for verification.
Details
Users who provide a signature and certificate to verify-blob will fetch the associated Rekor entry for verification. If the returned entry was invalid (invalid signed entry timestamp, invalid inclusion proof, malformed entry with missing verification), then cosign exits early and succeeds unconditionally.
Patches
Users should update to the latest version of Cosign, 1.12.0.
Workarounds
There are no workarounds, users should update.
For more information
If you have any questions or comments about this advisory: * Open an issue in cosign * Send us a message on Slack.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.11.1"
},
"package": {
"ecosystem": "Go",
"name": "github.com/sigstore/cosign"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.12.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-36056"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": true,
"github_reviewed_at": "2022-09-16T19:13:13Z",
"nvd_published_at": "2022-09-14T20:15:00Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nA number of vulnerabilities have been found in `cosign verify-blob`, where Cosign would successfully verify an artifact when verification should have failed.\n\n## Vulnerability 1: Bundle mismatch causes invalid verification.\n\n### Summary\nA cosign bundle can be crafted to successfully verify a blob even if the embedded rekorBundle does not reference the given signature.\n\n### Details\nCosign supports \"bundles\" which intend to allow offline verification of the signature and rekor inclusion. By using the --bundle flag in cosign sign-blob, cosign will create a JSON file called a \"bundle\". These bundles include three fields: base64Signature, cert, and rekorBundle. The desired behavior is that the verification of these bundles would:\n\n- verify the provided blob using the included signature and certificate\n- verify the rekorBundle SET\n- verify the rekorBundle payload references the given artifact.\n\nIt appears that step three is not being performed, allowing \"any old rekorBundle\" to pass validation, even if the rekorBundle payload does not reference the provided blob or the certificate and signature in the rekorBundle do not match those at the top level.\n\n### Steps to reproduce\nEnable keyless signing:\n\n```\nexport COSIGN_EXPERIMENTAL=1\n```\nCreate two random blobs:\n```\ndd bs=1 count=50 \u003c/dev/urandom \u003eblob1\ndd bs=1 count=50 \u003c/dev/urandom \u003eblob2\n```\nSign each blob:\n```\ncosign sign-blob blob1 --bundle bundle1\ncosign sign-blob blob2 --bundle bundle2\n```\nCreate a falsified bundle including the base64Signature and cert fields from bundle1 and the rekorBundle from bundle2:\n```\njq --slurpfile bundle2 bundle2 \u0027.rekorBundle = $bundle2[0].rekorBundle\u0027 bundle1 \u003e invalidBundle\n```\nNow, the falsified bundle can be used to verify blob1:\n```\n$ cosign verify-blob blob1 --bundle invalidBundle\ntlog entry verified offline\nVerified OK\n```\n\n### Patches\n\nUsers should update to the latest version of Cosign, `1.12.0`.\n\n### Workaround\n\nIf you extract the signature and certificate from the `bundle`, you may use it for verification as follows and avoid using an invalid bundle:\n```\n$ cosign verify-blob blob1 --signature $(jq -r \u0027.base64Signature\u0027 bundle1) --certificate $(jq -r \u0027.cert\u0027 bundle1)\n```\n\nNote that this will make a network call to Rekor to fetch the Rekor entry. However, you may then be subject to Vulnerability 4.\n\n## Vulnerability 2: Certificate Identities are not checked in some cases\n\n### Summary \n\nWhen providing identity flags, the email and issuer of a certificate is not checked when verifying a Rekor bundle, and the GitHub Actions identity is never checked.\n\n### Details\n\nUsers who provide an offline Rekor bundle (`--bundle`) when verifying a blob using `cosign verify-blob` and include flags that check identity such as `--certificate-email` and `--certificate-oidc-issuer` are impacted. Additionally, users who provide the GitHub Actions verification flags such as `--certificate-github-workflow-name` when running `cosign verify-blob` without a bundle, key reference, or certificate are impacted. \n\nWhen providing these flags, Cosign ignored their values. If a certificate\u0027s identity did not match the provided flags, Cosign would still successfully verify the blob.\n\n### Patches\n\nUsers should update to the latest version of Cosign, `1.12.0`.\n\n### Workarounds\n\nThere are no workarounds, users should update.\n\n## Vulnerability 3: Invalid Rekor bundle without the experimental flag will result in successful verification\n\n### Summary\n\nProviding an invalid Rekor bundle without the experimental flag results in a successful verification.\n\n### Details\n\nUsers who provide an offline Rekor bundle (`--bundle`) that was invalid (invalid signed entry timestamp, expired certificate, or malformed) when verifying a blob with `cosign verify-blob` and do not set the `COSIGN_EXPERIMENTAL=1` flag are impacted.\n\nWhen an invalid bundle was provided, Cosign would fallback to checking Rekor log inclusion by requesting proof of inclusion from the log. However, without the `COSIGN_EXPERIMENTAL` flag, Cosign would exit early and successfully verify the blob. \n\n### Patches\n\nUsers should update to the latest version of Cosign, `1.12.0`.\n\n### Workarounds\n\nThere are no workarounds, users should update.\n\n## Vulnerability 4: Invalid transparency log entry will result in successful verification\n\n### Summary\n\nAn invalid transparency log entry will result in immediate success for verification.\n\n### Details\n\nUsers who provide a signature and certificate to `verify-blob` will fetch the associated Rekor entry for verification. If the returned entry was invalid (invalid signed entry timestamp, invalid inclusion proof, malformed entry with missing verification), then `cosign` [exits](https://github.com/sigstore/cosign/blob/42c6e2a6dd9d92d19077c8e6b7d66d155a5ea28c/cmd/cosign/cli/verify/verify_blob.go#L357) early and succeeds unconditionally.\n\n### Patches\n\nUsers should update to the latest version of Cosign, `1.12.0`.\n\n### Workarounds\n\nThere are no workarounds, users should update.\n\n\n## For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [cosign](https://github.com/sigstore/cosign)\n* Send us a message on [Slack](https://sigstore.slack.com/).\n",
"id": "GHSA-8gw7-4j42-w388",
"modified": "2024-05-20T21:33:21Z",
"published": "2022-09-16T19:13:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/sigstore/cosign/security/advisories/GHSA-8gw7-4j42-w388"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36056"
},
{
"type": "WEB",
"url": "https://github.com/sigstore/cosign/commit/80b79ed8b4d28ccbce3d279fd273606b5cddcc25"
},
{
"type": "PACKAGE",
"url": "https://github.com/sigstore/cosign"
},
{
"type": "WEB",
"url": "https://github.com/sigstore/cosign/releases/tag/v1.12.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Cosign bundle can be crafted to successfully verify a blob even if the embedded rekorBundle does not reference the given signature"
}
gsd-2022-36056
Vulnerability from gsd
Modified
2023-12-13 01:19
Details
Cosign is a project under the sigstore organization which aims to make signatures invisible infrastructure. In versions prior to 1.12.0 a number of vulnerabilities have been found in cosign verify-blob, where Cosign would successfully verify an artifact when verification should have failed. First a cosign bundle can be crafted to successfully verify a blob even if the embedded rekorBundle does not reference the given signature. Second, when providing identity flags, the email and issuer of a certificate is not checked when verifying a Rekor bundle, and the GitHub Actions identity is never checked. Third, providing an invalid Rekor bundle without the experimental flag results in a successful verification. And fourth an invalid transparency log entry will result in immediate success for verification. Details and examples of these issues can be seen in the GHSA-8gw7-4j42-w388 advisory linked. Users are advised to upgrade to 1.12.0. There are no known workarounds for these issues.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2022-36056",
"description": "Cosign is a project under the sigstore organization which aims to make signatures invisible infrastructure. In versions prior to 1.12.0 a number of vulnerabilities have been found in cosign verify-blob, where Cosign would successfully verify an artifact when verification should have failed. First a cosign bundle can be crafted to successfully verify a blob even if the embedded rekorBundle does not reference the given signature. Second, when providing identity flags, the email and issuer of a certificate is not checked when verifying a Rekor bundle, and the GitHub Actions identity is never checked. Third, providing an invalid Rekor bundle without the experimental flag results in a successful verification. And fourth an invalid transparency log entry will result in immediate success for verification. Details and examples of these issues can be seen in the GHSA-8gw7-4j42-w388 advisory linked. Users are advised to upgrade to 1.12.0. There are no known workarounds for these issues.",
"id": "GSD-2022-36056",
"references": [
"https://access.redhat.com/errata/RHSA-2022:8827",
"https://www.suse.com/security/cve/CVE-2022-36056.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2022-36056"
],
"details": "Cosign is a project under the sigstore organization which aims to make signatures invisible infrastructure. In versions prior to 1.12.0 a number of vulnerabilities have been found in cosign verify-blob, where Cosign would successfully verify an artifact when verification should have failed. First a cosign bundle can be crafted to successfully verify a blob even if the embedded rekorBundle does not reference the given signature. Second, when providing identity flags, the email and issuer of a certificate is not checked when verifying a Rekor bundle, and the GitHub Actions identity is never checked. Third, providing an invalid Rekor bundle without the experimental flag results in a successful verification. And fourth an invalid transparency log entry will result in immediate success for verification. Details and examples of these issues can be seen in the GHSA-8gw7-4j42-w388 advisory linked. Users are advised to upgrade to 1.12.0. There are no known workarounds for these issues.",
"id": "GSD-2022-36056",
"modified": "2023-12-13T01:19:21.752256Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-36056",
"STATE": "PUBLIC",
"TITLE": " Vulnerabilities with blob verification in sigstore cosign"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "cosign",
"version": {
"version_data": [
{
"version_value": "\u003c 1.12.0"
}
]
}
}
]
},
"vendor_name": "sigstore"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cosign is a project under the sigstore organization which aims to make signatures invisible infrastructure. In versions prior to 1.12.0 a number of vulnerabilities have been found in cosign verify-blob, where Cosign would successfully verify an artifact when verification should have failed. First a cosign bundle can be crafted to successfully verify a blob even if the embedded rekorBundle does not reference the given signature. Second, when providing identity flags, the email and issuer of a certificate is not checked when verifying a Rekor bundle, and the GitHub Actions identity is never checked. Third, providing an invalid Rekor bundle without the experimental flag results in a successful verification. And fourth an invalid transparency log entry will result in immediate success for verification. Details and examples of these issues can be seen in the GHSA-8gw7-4j42-w388 advisory linked. Users are advised to upgrade to 1.12.0. There are no known workarounds for these issues."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-347: Improper Verification of Cryptographic Signature"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/sigstore/cosign/security/advisories/GHSA-8gw7-4j42-w388",
"refsource": "CONFIRM",
"url": "https://github.com/sigstore/cosign/security/advisories/GHSA-8gw7-4j42-w388"
},
{
"name": "https://github.com/sigstore/cosign/commit/80b79ed8b4d28ccbce3d279fd273606b5cddcc25",
"refsource": "MISC",
"url": "https://github.com/sigstore/cosign/commit/80b79ed8b4d28ccbce3d279fd273606b5cddcc25"
}
]
},
"source": {
"advisory": "GHSA-8gw7-4j42-w388",
"discovery": "UNKNOWN"
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c=v1.11.1",
"affected_versions": "All versions up to 1.11.1",
"cwe_ids": [
"CWE-1035",
"CWE-347",
"CWE-937"
],
"date": "2022-09-16",
"description": "Cosign is a project under the sigstore organization which aims to make signatures invisible infrastructure. In versions prior to 1.12.0 a number of vulnerabilities have been found in cosign verify-blob, where Cosign would successfully verify an artifact when verification should have failed. First a cosign bundle can be crafted to successfully verify a blob even if the embedded rekorBundle does not reference the given signature. Second, when providing identity flags, the email and issuer of a certificate is not checked when verifying a Rekor bundle, and the GitHub Actions identity is never checked. Third, providing an invalid Rekor bundle without the experimental flag results in a successful verification. And fourth an invalid transparency log entry will result in immediate success for verification. Details and examples of these issues can be seen in the GHSA-8gw7-4j42-w388 advisory linked. Users are advised to upgrade to 1.12.0. There are no known workarounds for these issues.",
"fixed_versions": [
"v1.12.0"
],
"identifier": "CVE-2022-36056",
"identifiers": [
"GHSA-8gw7-4j42-w388",
"CVE-2022-36056"
],
"not_impacted": "All versions after 1.11.1",
"package_slug": "go/github.com/sigstore/cosign",
"pubdate": "2022-09-16",
"solution": "Upgrade to version 1.12.0 or above.",
"title": "Improper Verification of Cryptographic Signature",
"urls": [
"https://github.com/sigstore/cosign/security/advisories/GHSA-8gw7-4j42-w388",
"https://nvd.nist.gov/vuln/detail/CVE-2022-36056",
"https://github.com/sigstore/cosign/commit/80b79ed8b4d28ccbce3d279fd273606b5cddcc25",
"https://github.com/sigstore/cosign/releases/tag/v1.12.0",
"https://github.com/advisories/GHSA-8gw7-4j42-w388"
],
"uuid": "a1775529-7fe9-441f-a726-6fc425e25e15",
"versions": [
{
"commit": {
"sha": "3650371a9091d04469f953bb527bcf771ebc916a",
"tags": [
"v1.11.1"
],
"timestamp": "20220824150932"
},
"number": "v1.11.1"
},
{
"commit": {
"sha": "3249ce8b4c3cbb7c128a27114b6d50673c20fcf4",
"tags": [
"v1.12.0"
],
"timestamp": "20220914154115"
},
"number": "v1.12.0"
}
]
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:sigstore:cosign:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "1.12.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-36056"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Cosign is a project under the sigstore organization which aims to make signatures invisible infrastructure. In versions prior to 1.12.0 a number of vulnerabilities have been found in cosign verify-blob, where Cosign would successfully verify an artifact when verification should have failed. First a cosign bundle can be crafted to successfully verify a blob even if the embedded rekorBundle does not reference the given signature. Second, when providing identity flags, the email and issuer of a certificate is not checked when verifying a Rekor bundle, and the GitHub Actions identity is never checked. Third, providing an invalid Rekor bundle without the experimental flag results in a successful verification. And fourth an invalid transparency log entry will result in immediate success for verification. Details and examples of these issues can be seen in the GHSA-8gw7-4j42-w388 advisory linked. Users are advised to upgrade to 1.12.0. There are no known workarounds for these issues."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-347"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/sigstore/cosign/commit/80b79ed8b4d28ccbce3d279fd273606b5cddcc25",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/sigstore/cosign/commit/80b79ed8b4d28ccbce3d279fd273606b5cddcc25"
},
{
"name": "https://github.com/sigstore/cosign/security/advisories/GHSA-8gw7-4j42-w388",
"refsource": "CONFIRM",
"tags": [
"Exploit",
"Mitigation",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/sigstore/cosign/security/advisories/GHSA-8gw7-4j42-w388"
}
]
}
},
"impact": {
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6
}
},
"lastModifiedDate": "2022-09-19T18:11Z",
"publishedDate": "2022-09-14T20:15Z"
}
}
}
rhsa-2022_8827
Vulnerability from csaf_redhat
Published
2022-12-06 14:00
Modified
2025-01-05 22:35
Summary
Red Hat Security Advisory: RHACS 3.73 enhancement and security update
Notes
Topic
Updated images are now available for Red Hat Advanced Cluster Security (RHACS). The updated image includes new features and bug fixes.
Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Release of RHACS 3.73 provides these changes:
New features:
* Red Hat Advanced Cluster Security Cloud Service (ACSCS) is a Red Hat managed service that simplifies and accelerates RHACS deployments. ACSCS is available as a Field Trial release. For more information about accessing ACSCS, contact Red Hat Sales.
* Improved Vulnerability Management dashboard for ACSCS users.
* PostgreSQL database option is available as Technology Preview feature. If you are interested in participating in the Tech Preview program, contact your Red Hat account representative.
* A new build-time network policy generator as Technology Preview feature, to generate Kubernetes network policies based on Application YAML manifests.
Notable technical changes:
* RHACS uses GraphQL internally to show data in the RHACS portal. However, Red Hat does not support querying RHACS using GraphQL. If you are using GraphQL, see https://access.redhat.com/articles/6986289 and contact Red Hat Consulting.
* Sensor no longer uses `anyuid` Security Context Constraint (SCC). Instead, the default SCC for Sensor is now `restricted[-v2]` or `stackrox-sensor`, depending on the settings. In addition, the `runAsUser` and `fsGroup` for the Admission control and Sensor deployments are no longer hard-coded to `4000` on OpenShift clusters to allow using the `restricted` and `restricted-v2` SCCs. (ROX-9342)
* The service account `central`, which the Central deployment uses, now includes `get` and `list` access to the pods, events, and namespaces resources in the namespace where you deploy Central.
* The CSV export API `/api/vm/export/csv` now requires the `CVE Type` filter as part of the input query parameter. Supported values for `CVE Type` are `IMAGE_CVE`, `K8S_CVE`, `ISTIO_CVE`, `NODE_CVE`, and `OPENSHIFT_CVE`.
Notice of in-product docs removal:
* Beginning in the RHACS 3.74 release, Red Hat will remove the in-product docs accessible from the help menu. If you are using the in-product docs, you can instead download the required documentation in PDF format from Red Hat Customer Portal. (ROX-12839)
Bug fixes:
* Previously, if you were using StackRox Kubernetes Security Platform - Splunk Technology Add-on, results for the `ocp4-cis-node` compliance standard was missing from Splunk. This issue is now fixed. The Splunk integration now includes the `ocp4-cis-node` compliance standard results. (ROX-11937)
* Previously, Central would fail on the v1 CronJob deployment check. This issue is fixed. (ROX-13500)
Security Fix(es):
* imgcrypt: Unauthorized access to encryted container image on a shared system due to missing check in CheckAuthorization() code path (CVE-2022-24778)
* app-containers/cosign: false positive verification (CVE-2022-36056)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Low"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated images are now available for Red Hat Advanced Cluster Security (RHACS). The updated image includes new features and bug fixes.\n\nRed Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Release of RHACS 3.73 provides these changes:\n\nNew features:\n\n* Red Hat Advanced Cluster Security Cloud Service (ACSCS) is a Red Hat managed service that simplifies and accelerates RHACS deployments. ACSCS is available as a Field Trial release. For more information about accessing ACSCS, contact Red Hat Sales.\n* Improved Vulnerability Management dashboard for ACSCS users.\n* PostgreSQL database option is available as Technology Preview feature. If you are interested in participating in the Tech Preview program, contact your Red Hat account representative.\n* A new build-time network policy generator as Technology Preview feature, to generate Kubernetes network policies based on Application YAML manifests.\n\nNotable technical changes:\n\n* RHACS uses GraphQL internally to show data in the RHACS portal. However, Red Hat does not support querying RHACS using GraphQL. If you are using GraphQL, see https://access.redhat.com/articles/6986289 and contact Red Hat Consulting.\n* Sensor no longer uses `anyuid` Security Context Constraint (SCC). Instead, the default SCC for Sensor is now `restricted[-v2]` or `stackrox-sensor`, depending on the settings. In addition, the `runAsUser` and `fsGroup` for the Admission control and Sensor deployments are no longer hard-coded to `4000` on OpenShift clusters to allow using the `restricted` and `restricted-v2` SCCs. (ROX-9342)\n* The service account `central`, which the Central deployment uses, now includes `get` and `list` access to the pods, events, and namespaces resources in the namespace where you deploy Central.\n* The CSV export API `/api/vm/export/csv` now requires the `CVE Type` filter as part of the input query parameter. Supported values for `CVE Type` are `IMAGE_CVE`, `K8S_CVE`, `ISTIO_CVE`, `NODE_CVE`, and `OPENSHIFT_CVE`.\n\nNotice of in-product docs removal:\n\n* Beginning in the RHACS 3.74 release, Red Hat will remove the in-product docs accessible from the help menu. If you are using the in-product docs, you can instead download the required documentation in PDF format from Red Hat Customer Portal. (ROX-12839)\n\nBug fixes:\n\n* Previously, if you were using StackRox Kubernetes Security Platform - Splunk Technology Add-on, results for the `ocp4-cis-node` compliance standard was missing from Splunk. This issue is now fixed. The Splunk integration now includes the `ocp4-cis-node` compliance standard results. (ROX-11937)\n* Previously, Central would fail on the v1 CronJob deployment check. This issue is fixed. (ROX-13500)\n\nSecurity Fix(es):\n\n* imgcrypt: Unauthorized access to encryted container image on a shared system due to missing check in CheckAuthorization() code path (CVE-2022-24778)\n\n* app-containers/cosign: false positive verification (CVE-2022-36056)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2022:8827",
"url": "https://access.redhat.com/errata/RHSA-2022:8827"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#low",
"url": "https://access.redhat.com/security/updates/classification/#low"
},
{
"category": "external",
"summary": "https://docs.openshift.com/acs/3.73/release_notes/373-release-notes.html",
"url": "https://docs.openshift.com/acs/3.73/release_notes/373-release-notes.html"
},
{
"category": "external",
"summary": "2069368",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2069368"
},
{
"category": "external",
"summary": "2128820",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2128820"
},
{
"category": "external",
"summary": "ROX-13687",
"url": "https://issues.redhat.com/browse/ROX-13687"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_8827.json"
}
],
"title": "Red Hat Security Advisory: RHACS 3.73 enhancement and security update",
"tracking": {
"current_release_date": "2025-01-05T22:35:34+00:00",
"generator": {
"date": "2025-01-05T22:35:34+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.5"
}
},
"id": "RHSA-2022:8827",
"initial_release_date": "2022-12-06T14:00:32+00:00",
"revision_history": [
{
"date": "2022-12-06T14:00:32+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2022-12-06T14:00:32+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-01-05T22:35:34+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "RHACS 3.73 for RHEL 8",
"product": {
"name": "RHACS 3.73 for RHEL 8",
"product_id": "8Base-RHACS-3.73",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:advanced_cluster_security:3.73::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat Advanced Cluster Security for Kubernetes"
},
{
"branches": [
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-central-db-rhel8@sha256:83b7562687545ba41fedd5f5d6ed5403fe7a3a5cac3110e711cbe46dad2d26fd_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-central-db-rhel8@sha256:83b7562687545ba41fedd5f5d6ed5403fe7a3a5cac3110e711cbe46dad2d26fd_amd64",
"product_id": "advanced-cluster-security/rhacs-central-db-rhel8@sha256:83b7562687545ba41fedd5f5d6ed5403fe7a3a5cac3110e711cbe46dad2d26fd_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-central-db-rhel8@sha256:83b7562687545ba41fedd5f5d6ed5403fe7a3a5cac3110e711cbe46dad2d26fd?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-central-db-rhel8\u0026tag=3.73.0-4"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-collector-rhel8@sha256:cc229c86ecb3d1e1b1af479041fa8e940c61e69dbc309c8e66de7945df5cc591_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-collector-rhel8@sha256:cc229c86ecb3d1e1b1af479041fa8e940c61e69dbc309c8e66de7945df5cc591_amd64",
"product_id": "advanced-cluster-security/rhacs-collector-rhel8@sha256:cc229c86ecb3d1e1b1af479041fa8e940c61e69dbc309c8e66de7945df5cc591_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-collector-rhel8@sha256:cc229c86ecb3d1e1b1af479041fa8e940c61e69dbc309c8e66de7945df5cc591?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-collector-rhel8\u0026tag=3.73.0-4"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:7ad85567fea6d1c1b5ca6a360cb1565184df075bad61ffc8ce5ec0595273e733_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:7ad85567fea6d1c1b5ca6a360cb1565184df075bad61ffc8ce5ec0595273e733_amd64",
"product_id": "advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:7ad85567fea6d1c1b5ca6a360cb1565184df075bad61ffc8ce5ec0595273e733_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-collector-slim-rhel8@sha256:7ad85567fea6d1c1b5ca6a360cb1565184df075bad61ffc8ce5ec0595273e733?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-collector-slim-rhel8\u0026tag=3.73.0-2"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-docs-rhel8@sha256:87bf4d7e041d6e3197b1c23c58061f877434f6e550ddf516b6512be5309f89c3_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-docs-rhel8@sha256:87bf4d7e041d6e3197b1c23c58061f877434f6e550ddf516b6512be5309f89c3_amd64",
"product_id": "advanced-cluster-security/rhacs-docs-rhel8@sha256:87bf4d7e041d6e3197b1c23c58061f877434f6e550ddf516b6512be5309f89c3_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-docs-rhel8@sha256:87bf4d7e041d6e3197b1c23c58061f877434f6e550ddf516b6512be5309f89c3?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-docs-rhel8\u0026tag=3.73.0-4"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-main-rhel8@sha256:82d8a9f94f291d6ee6f38668bc13e4830efc5b289754232d6e8a483043771da3_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-main-rhel8@sha256:82d8a9f94f291d6ee6f38668bc13e4830efc5b289754232d6e8a483043771da3_amd64",
"product_id": "advanced-cluster-security/rhacs-main-rhel8@sha256:82d8a9f94f291d6ee6f38668bc13e4830efc5b289754232d6e8a483043771da3_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-main-rhel8@sha256:82d8a9f94f291d6ee6f38668bc13e4830efc5b289754232d6e8a483043771da3?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8\u0026tag=3.73.0-4"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-operator-bundle@sha256:d496a827f223e5464a1b6c87168102df632643e1f8348a8abb1a5e9e226f00d2_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-operator-bundle@sha256:d496a827f223e5464a1b6c87168102df632643e1f8348a8abb1a5e9e226f00d2_amd64",
"product_id": "advanced-cluster-security/rhacs-operator-bundle@sha256:d496a827f223e5464a1b6c87168102df632643e1f8348a8abb1a5e9e226f00d2_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-operator-bundle@sha256:d496a827f223e5464a1b6c87168102df632643e1f8348a8abb1a5e9e226f00d2?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-operator-bundle\u0026tag=3.73.0-6"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-rhel8-operator@sha256:1ef51b3cd89d4da166d8b9e1582fa7c0fc5415e0eb2f2c8ab18ec704d2bd74d8_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-rhel8-operator@sha256:1ef51b3cd89d4da166d8b9e1582fa7c0fc5415e0eb2f2c8ab18ec704d2bd74d8_amd64",
"product_id": "advanced-cluster-security/rhacs-rhel8-operator@sha256:1ef51b3cd89d4da166d8b9e1582fa7c0fc5415e0eb2f2c8ab18ec704d2bd74d8_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-rhel8-operator@sha256:1ef51b3cd89d4da166d8b9e1582fa7c0fc5415e0eb2f2c8ab18ec704d2bd74d8?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-rhel8-operator\u0026tag=3.73.0-4"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-roxctl-rhel8@sha256:61f027ae531f3e23f2394e7f93c397eda14ce1ad93e8c19d463cd301464147b5_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-roxctl-rhel8@sha256:61f027ae531f3e23f2394e7f93c397eda14ce1ad93e8c19d463cd301464147b5_amd64",
"product_id": "advanced-cluster-security/rhacs-roxctl-rhel8@sha256:61f027ae531f3e23f2394e7f93c397eda14ce1ad93e8c19d463cd301464147b5_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-roxctl-rhel8@sha256:61f027ae531f3e23f2394e7f93c397eda14ce1ad93e8c19d463cd301464147b5?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-roxctl-rhel8\u0026tag=3.73.0-4"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-scanner-rhel8@sha256:976ca1e50768c0c619d56b99d0660bf1885164cc3982136821650479946c904d_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-scanner-rhel8@sha256:976ca1e50768c0c619d56b99d0660bf1885164cc3982136821650479946c904d_amd64",
"product_id": "advanced-cluster-security/rhacs-scanner-rhel8@sha256:976ca1e50768c0c619d56b99d0660bf1885164cc3982136821650479946c904d_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-scanner-rhel8@sha256:976ca1e50768c0c619d56b99d0660bf1885164cc3982136821650479946c904d?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-scanner-rhel8\u0026tag=3.73.0-4"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:2dd59fe0134c5d2f239d6f96d6876ac687e0490e52ab41647842e3244623480c_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:2dd59fe0134c5d2f239d6f96d6876ac687e0490e52ab41647842e3244623480c_amd64",
"product_id": "advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:2dd59fe0134c5d2f239d6f96d6876ac687e0490e52ab41647842e3244623480c_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-scanner-db-rhel8@sha256:2dd59fe0134c5d2f239d6f96d6876ac687e0490e52ab41647842e3244623480c?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-scanner-db-rhel8\u0026tag=3.73.0-4"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:38b7030affee05fd8cd8e947b89ff8b40962af45267e2ec0143f827c8e33eca3_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:38b7030affee05fd8cd8e947b89ff8b40962af45267e2ec0143f827c8e33eca3_amd64",
"product_id": "advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:38b7030affee05fd8cd8e947b89ff8b40962af45267e2ec0143f827c8e33eca3_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-scanner-db-slim-rhel8@sha256:38b7030affee05fd8cd8e947b89ff8b40962af45267e2ec0143f827c8e33eca3?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-scanner-db-slim-rhel8\u0026tag=3.73.0-3"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aefb2507e2c8a68ca457c0f208ea2cc24ae52a694c03e2c85ffd172f6673f18d_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aefb2507e2c8a68ca457c0f208ea2cc24ae52a694c03e2c85ffd172f6673f18d_amd64",
"product_id": "advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aefb2507e2c8a68ca457c0f208ea2cc24ae52a694c03e2c85ffd172f6673f18d_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-scanner-slim-rhel8@sha256:aefb2507e2c8a68ca457c0f208ea2cc24ae52a694c03e2c85ffd172f6673f18d?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-scanner-slim-rhel8\u0026tag=3.73.0-4"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-central-db-rhel8@sha256:83b7562687545ba41fedd5f5d6ed5403fe7a3a5cac3110e711cbe46dad2d26fd_amd64 as a component of RHACS 3.73 for RHEL 8",
"product_id": "8Base-RHACS-3.73:advanced-cluster-security/rhacs-central-db-rhel8@sha256:83b7562687545ba41fedd5f5d6ed5403fe7a3a5cac3110e711cbe46dad2d26fd_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-central-db-rhel8@sha256:83b7562687545ba41fedd5f5d6ed5403fe7a3a5cac3110e711cbe46dad2d26fd_amd64",
"relates_to_product_reference": "8Base-RHACS-3.73"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-collector-rhel8@sha256:cc229c86ecb3d1e1b1af479041fa8e940c61e69dbc309c8e66de7945df5cc591_amd64 as a component of RHACS 3.73 for RHEL 8",
"product_id": "8Base-RHACS-3.73:advanced-cluster-security/rhacs-collector-rhel8@sha256:cc229c86ecb3d1e1b1af479041fa8e940c61e69dbc309c8e66de7945df5cc591_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-collector-rhel8@sha256:cc229c86ecb3d1e1b1af479041fa8e940c61e69dbc309c8e66de7945df5cc591_amd64",
"relates_to_product_reference": "8Base-RHACS-3.73"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:7ad85567fea6d1c1b5ca6a360cb1565184df075bad61ffc8ce5ec0595273e733_amd64 as a component of RHACS 3.73 for RHEL 8",
"product_id": "8Base-RHACS-3.73:advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:7ad85567fea6d1c1b5ca6a360cb1565184df075bad61ffc8ce5ec0595273e733_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:7ad85567fea6d1c1b5ca6a360cb1565184df075bad61ffc8ce5ec0595273e733_amd64",
"relates_to_product_reference": "8Base-RHACS-3.73"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-docs-rhel8@sha256:87bf4d7e041d6e3197b1c23c58061f877434f6e550ddf516b6512be5309f89c3_amd64 as a component of RHACS 3.73 for RHEL 8",
"product_id": "8Base-RHACS-3.73:advanced-cluster-security/rhacs-docs-rhel8@sha256:87bf4d7e041d6e3197b1c23c58061f877434f6e550ddf516b6512be5309f89c3_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-docs-rhel8@sha256:87bf4d7e041d6e3197b1c23c58061f877434f6e550ddf516b6512be5309f89c3_amd64",
"relates_to_product_reference": "8Base-RHACS-3.73"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-main-rhel8@sha256:82d8a9f94f291d6ee6f38668bc13e4830efc5b289754232d6e8a483043771da3_amd64 as a component of RHACS 3.73 for RHEL 8",
"product_id": "8Base-RHACS-3.73:advanced-cluster-security/rhacs-main-rhel8@sha256:82d8a9f94f291d6ee6f38668bc13e4830efc5b289754232d6e8a483043771da3_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-main-rhel8@sha256:82d8a9f94f291d6ee6f38668bc13e4830efc5b289754232d6e8a483043771da3_amd64",
"relates_to_product_reference": "8Base-RHACS-3.73"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-operator-bundle@sha256:d496a827f223e5464a1b6c87168102df632643e1f8348a8abb1a5e9e226f00d2_amd64 as a component of RHACS 3.73 for RHEL 8",
"product_id": "8Base-RHACS-3.73:advanced-cluster-security/rhacs-operator-bundle@sha256:d496a827f223e5464a1b6c87168102df632643e1f8348a8abb1a5e9e226f00d2_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-operator-bundle@sha256:d496a827f223e5464a1b6c87168102df632643e1f8348a8abb1a5e9e226f00d2_amd64",
"relates_to_product_reference": "8Base-RHACS-3.73"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-rhel8-operator@sha256:1ef51b3cd89d4da166d8b9e1582fa7c0fc5415e0eb2f2c8ab18ec704d2bd74d8_amd64 as a component of RHACS 3.73 for RHEL 8",
"product_id": "8Base-RHACS-3.73:advanced-cluster-security/rhacs-rhel8-operator@sha256:1ef51b3cd89d4da166d8b9e1582fa7c0fc5415e0eb2f2c8ab18ec704d2bd74d8_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-rhel8-operator@sha256:1ef51b3cd89d4da166d8b9e1582fa7c0fc5415e0eb2f2c8ab18ec704d2bd74d8_amd64",
"relates_to_product_reference": "8Base-RHACS-3.73"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-roxctl-rhel8@sha256:61f027ae531f3e23f2394e7f93c397eda14ce1ad93e8c19d463cd301464147b5_amd64 as a component of RHACS 3.73 for RHEL 8",
"product_id": "8Base-RHACS-3.73:advanced-cluster-security/rhacs-roxctl-rhel8@sha256:61f027ae531f3e23f2394e7f93c397eda14ce1ad93e8c19d463cd301464147b5_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-roxctl-rhel8@sha256:61f027ae531f3e23f2394e7f93c397eda14ce1ad93e8c19d463cd301464147b5_amd64",
"relates_to_product_reference": "8Base-RHACS-3.73"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:2dd59fe0134c5d2f239d6f96d6876ac687e0490e52ab41647842e3244623480c_amd64 as a component of RHACS 3.73 for RHEL 8",
"product_id": "8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:2dd59fe0134c5d2f239d6f96d6876ac687e0490e52ab41647842e3244623480c_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:2dd59fe0134c5d2f239d6f96d6876ac687e0490e52ab41647842e3244623480c_amd64",
"relates_to_product_reference": "8Base-RHACS-3.73"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:38b7030affee05fd8cd8e947b89ff8b40962af45267e2ec0143f827c8e33eca3_amd64 as a component of RHACS 3.73 for RHEL 8",
"product_id": "8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:38b7030affee05fd8cd8e947b89ff8b40962af45267e2ec0143f827c8e33eca3_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:38b7030affee05fd8cd8e947b89ff8b40962af45267e2ec0143f827c8e33eca3_amd64",
"relates_to_product_reference": "8Base-RHACS-3.73"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-scanner-rhel8@sha256:976ca1e50768c0c619d56b99d0660bf1885164cc3982136821650479946c904d_amd64 as a component of RHACS 3.73 for RHEL 8",
"product_id": "8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-rhel8@sha256:976ca1e50768c0c619d56b99d0660bf1885164cc3982136821650479946c904d_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-scanner-rhel8@sha256:976ca1e50768c0c619d56b99d0660bf1885164cc3982136821650479946c904d_amd64",
"relates_to_product_reference": "8Base-RHACS-3.73"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aefb2507e2c8a68ca457c0f208ea2cc24ae52a694c03e2c85ffd172f6673f18d_amd64 as a component of RHACS 3.73 for RHEL 8",
"product_id": "8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aefb2507e2c8a68ca457c0f208ea2cc24ae52a694c03e2c85ffd172f6673f18d_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aefb2507e2c8a68ca457c0f208ea2cc24ae52a694c03e2c85ffd172f6673f18d_amd64",
"relates_to_product_reference": "8Base-RHACS-3.73"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-24778",
"cwe": {
"id": "CWE-303",
"name": "Incorrect Implementation of Authentication Algorithm"
},
"discovery_date": "2022-03-28T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-central-db-rhel8@sha256:83b7562687545ba41fedd5f5d6ed5403fe7a3a5cac3110e711cbe46dad2d26fd_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-collector-rhel8@sha256:cc229c86ecb3d1e1b1af479041fa8e940c61e69dbc309c8e66de7945df5cc591_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:7ad85567fea6d1c1b5ca6a360cb1565184df075bad61ffc8ce5ec0595273e733_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-docs-rhel8@sha256:87bf4d7e041d6e3197b1c23c58061f877434f6e550ddf516b6512be5309f89c3_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-operator-bundle@sha256:d496a827f223e5464a1b6c87168102df632643e1f8348a8abb1a5e9e226f00d2_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-rhel8-operator@sha256:1ef51b3cd89d4da166d8b9e1582fa7c0fc5415e0eb2f2c8ab18ec704d2bd74d8_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-roxctl-rhel8@sha256:61f027ae531f3e23f2394e7f93c397eda14ce1ad93e8c19d463cd301464147b5_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:2dd59fe0134c5d2f239d6f96d6876ac687e0490e52ab41647842e3244623480c_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:38b7030affee05fd8cd8e947b89ff8b40962af45267e2ec0143f827c8e33eca3_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-rhel8@sha256:976ca1e50768c0c619d56b99d0660bf1885164cc3982136821650479946c904d_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aefb2507e2c8a68ca457c0f208ea2cc24ae52a694c03e2c85ffd172f6673f18d_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2069368"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the imgcrypt library when checking the keys of an authorized user to access an encrypted image on systems where layers are not available and cannot run on the host architecture. This flaw allows an attacker to run an image without providing the previously decrypted keys.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "imgcrypt: Unauthorized access to encryted container image on a shared system due to missing check in CheckAuthorization() code path",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Only Fedora is using the affected codebase. Hence, marking other products as of Low impact as they are using an affected version of \u0027imgcrypt\u0027 as a transitive dependency.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-main-rhel8@sha256:82d8a9f94f291d6ee6f38668bc13e4830efc5b289754232d6e8a483043771da3_amd64"
],
"known_not_affected": [
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-central-db-rhel8@sha256:83b7562687545ba41fedd5f5d6ed5403fe7a3a5cac3110e711cbe46dad2d26fd_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-collector-rhel8@sha256:cc229c86ecb3d1e1b1af479041fa8e940c61e69dbc309c8e66de7945df5cc591_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:7ad85567fea6d1c1b5ca6a360cb1565184df075bad61ffc8ce5ec0595273e733_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-docs-rhel8@sha256:87bf4d7e041d6e3197b1c23c58061f877434f6e550ddf516b6512be5309f89c3_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-operator-bundle@sha256:d496a827f223e5464a1b6c87168102df632643e1f8348a8abb1a5e9e226f00d2_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-rhel8-operator@sha256:1ef51b3cd89d4da166d8b9e1582fa7c0fc5415e0eb2f2c8ab18ec704d2bd74d8_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-roxctl-rhel8@sha256:61f027ae531f3e23f2394e7f93c397eda14ce1ad93e8c19d463cd301464147b5_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:2dd59fe0134c5d2f239d6f96d6876ac687e0490e52ab41647842e3244623480c_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:38b7030affee05fd8cd8e947b89ff8b40962af45267e2ec0143f827c8e33eca3_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-rhel8@sha256:976ca1e50768c0c619d56b99d0660bf1885164cc3982136821650479946c904d_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aefb2507e2c8a68ca457c0f208ea2cc24ae52a694c03e2c85ffd172f6673f18d_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-24778"
},
{
"category": "external",
"summary": "RHBZ#2069368",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2069368"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-24778",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24778"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-24778",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24778"
},
{
"category": "external",
"summary": "https://github.com/containerd/imgcrypt/security/advisories/GHSA-8v99-48m9-c8pm",
"url": "https://github.com/containerd/imgcrypt/security/advisories/GHSA-8v99-48m9-c8pm"
}
],
"release_date": "2022-03-25T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-12-06T14:00:32+00:00",
"details": "To take advantage of the new features, bug fixes, and enhancements in RHACS 3.73 you are advised to upgrade to RHACS 3.73.0.",
"product_ids": [
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-main-rhel8@sha256:82d8a9f94f291d6ee6f38668bc13e4830efc5b289754232d6e8a483043771da3_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:8827"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-central-db-rhel8@sha256:83b7562687545ba41fedd5f5d6ed5403fe7a3a5cac3110e711cbe46dad2d26fd_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-collector-rhel8@sha256:cc229c86ecb3d1e1b1af479041fa8e940c61e69dbc309c8e66de7945df5cc591_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:7ad85567fea6d1c1b5ca6a360cb1565184df075bad61ffc8ce5ec0595273e733_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-docs-rhel8@sha256:87bf4d7e041d6e3197b1c23c58061f877434f6e550ddf516b6512be5309f89c3_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-main-rhel8@sha256:82d8a9f94f291d6ee6f38668bc13e4830efc5b289754232d6e8a483043771da3_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-operator-bundle@sha256:d496a827f223e5464a1b6c87168102df632643e1f8348a8abb1a5e9e226f00d2_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-rhel8-operator@sha256:1ef51b3cd89d4da166d8b9e1582fa7c0fc5415e0eb2f2c8ab18ec704d2bd74d8_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-roxctl-rhel8@sha256:61f027ae531f3e23f2394e7f93c397eda14ce1ad93e8c19d463cd301464147b5_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:2dd59fe0134c5d2f239d6f96d6876ac687e0490e52ab41647842e3244623480c_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:38b7030affee05fd8cd8e947b89ff8b40962af45267e2ec0143f827c8e33eca3_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-rhel8@sha256:976ca1e50768c0c619d56b99d0660bf1885164cc3982136821650479946c904d_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aefb2507e2c8a68ca457c0f208ea2cc24ae52a694c03e2c85ffd172f6673f18d_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "imgcrypt: Unauthorized access to encryted container image on a shared system due to missing check in CheckAuthorization() code path"
},
{
"cve": "CVE-2022-36056",
"cwe": {
"id": "CWE-347",
"name": "Improper Verification of Cryptographic Signature"
},
"discovery_date": "2022-09-21T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-central-db-rhel8@sha256:83b7562687545ba41fedd5f5d6ed5403fe7a3a5cac3110e711cbe46dad2d26fd_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-collector-rhel8@sha256:cc229c86ecb3d1e1b1af479041fa8e940c61e69dbc309c8e66de7945df5cc591_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:7ad85567fea6d1c1b5ca6a360cb1565184df075bad61ffc8ce5ec0595273e733_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-docs-rhel8@sha256:87bf4d7e041d6e3197b1c23c58061f877434f6e550ddf516b6512be5309f89c3_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-operator-bundle@sha256:d496a827f223e5464a1b6c87168102df632643e1f8348a8abb1a5e9e226f00d2_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-rhel8-operator@sha256:1ef51b3cd89d4da166d8b9e1582fa7c0fc5415e0eb2f2c8ab18ec704d2bd74d8_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-roxctl-rhel8@sha256:61f027ae531f3e23f2394e7f93c397eda14ce1ad93e8c19d463cd301464147b5_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:2dd59fe0134c5d2f239d6f96d6876ac687e0490e52ab41647842e3244623480c_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:38b7030affee05fd8cd8e947b89ff8b40962af45267e2ec0143f827c8e33eca3_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aefb2507e2c8a68ca457c0f208ea2cc24ae52a694c03e2c85ffd172f6673f18d_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2128820"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in cosign, where it incorrectly verified an artifact when the embedded rekorBundle does not reference the given signature. This flaw allows an attacker to exploit integrity and confidentiality.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "app-containers/cosign: false positive verification",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-main-rhel8@sha256:82d8a9f94f291d6ee6f38668bc13e4830efc5b289754232d6e8a483043771da3_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-rhel8@sha256:976ca1e50768c0c619d56b99d0660bf1885164cc3982136821650479946c904d_amd64"
],
"known_not_affected": [
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-central-db-rhel8@sha256:83b7562687545ba41fedd5f5d6ed5403fe7a3a5cac3110e711cbe46dad2d26fd_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-collector-rhel8@sha256:cc229c86ecb3d1e1b1af479041fa8e940c61e69dbc309c8e66de7945df5cc591_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:7ad85567fea6d1c1b5ca6a360cb1565184df075bad61ffc8ce5ec0595273e733_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-docs-rhel8@sha256:87bf4d7e041d6e3197b1c23c58061f877434f6e550ddf516b6512be5309f89c3_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-operator-bundle@sha256:d496a827f223e5464a1b6c87168102df632643e1f8348a8abb1a5e9e226f00d2_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-rhel8-operator@sha256:1ef51b3cd89d4da166d8b9e1582fa7c0fc5415e0eb2f2c8ab18ec704d2bd74d8_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-roxctl-rhel8@sha256:61f027ae531f3e23f2394e7f93c397eda14ce1ad93e8c19d463cd301464147b5_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:2dd59fe0134c5d2f239d6f96d6876ac687e0490e52ab41647842e3244623480c_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:38b7030affee05fd8cd8e947b89ff8b40962af45267e2ec0143f827c8e33eca3_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aefb2507e2c8a68ca457c0f208ea2cc24ae52a694c03e2c85ffd172f6673f18d_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-36056"
},
{
"category": "external",
"summary": "RHBZ#2128820",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2128820"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-36056",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-36056"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-36056",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36056"
},
{
"category": "external",
"summary": "https://github.com/sigstore/cosign/security/advisories/GHSA-8gw7-4j42-w388",
"url": "https://github.com/sigstore/cosign/security/advisories/GHSA-8gw7-4j42-w388"
}
],
"release_date": "2022-09-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-12-06T14:00:32+00:00",
"details": "To take advantage of the new features, bug fixes, and enhancements in RHACS 3.73 you are advised to upgrade to RHACS 3.73.0.",
"product_ids": [
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-main-rhel8@sha256:82d8a9f94f291d6ee6f38668bc13e4830efc5b289754232d6e8a483043771da3_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-rhel8@sha256:976ca1e50768c0c619d56b99d0660bf1885164cc3982136821650479946c904d_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:8827"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-central-db-rhel8@sha256:83b7562687545ba41fedd5f5d6ed5403fe7a3a5cac3110e711cbe46dad2d26fd_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-collector-rhel8@sha256:cc229c86ecb3d1e1b1af479041fa8e940c61e69dbc309c8e66de7945df5cc591_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:7ad85567fea6d1c1b5ca6a360cb1565184df075bad61ffc8ce5ec0595273e733_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-docs-rhel8@sha256:87bf4d7e041d6e3197b1c23c58061f877434f6e550ddf516b6512be5309f89c3_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-main-rhel8@sha256:82d8a9f94f291d6ee6f38668bc13e4830efc5b289754232d6e8a483043771da3_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-operator-bundle@sha256:d496a827f223e5464a1b6c87168102df632643e1f8348a8abb1a5e9e226f00d2_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-rhel8-operator@sha256:1ef51b3cd89d4da166d8b9e1582fa7c0fc5415e0eb2f2c8ab18ec704d2bd74d8_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-roxctl-rhel8@sha256:61f027ae531f3e23f2394e7f93c397eda14ce1ad93e8c19d463cd301464147b5_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:2dd59fe0134c5d2f239d6f96d6876ac687e0490e52ab41647842e3244623480c_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:38b7030affee05fd8cd8e947b89ff8b40962af45267e2ec0143f827c8e33eca3_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-rhel8@sha256:976ca1e50768c0c619d56b99d0660bf1885164cc3982136821650479946c904d_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aefb2507e2c8a68ca457c0f208ea2cc24ae52a694c03e2c85ffd172f6673f18d_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "app-containers/cosign: false positive verification"
}
]
}
rhsa-2022:8827
Vulnerability from csaf_redhat
Published
2022-12-06 14:00
Modified
2025-02-07 01:57
Summary
Red Hat Security Advisory: RHACS 3.73 enhancement and security update
Notes
Topic
Updated images are now available for Red Hat Advanced Cluster Security (RHACS). The updated image includes new features and bug fixes.
Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Release of RHACS 3.73 provides these changes:
New features:
* Red Hat Advanced Cluster Security Cloud Service (ACSCS) is a Red Hat managed service that simplifies and accelerates RHACS deployments. ACSCS is available as a Field Trial release. For more information about accessing ACSCS, contact Red Hat Sales.
* Improved Vulnerability Management dashboard for ACSCS users.
* PostgreSQL database option is available as Technology Preview feature. If you are interested in participating in the Tech Preview program, contact your Red Hat account representative.
* A new build-time network policy generator as Technology Preview feature, to generate Kubernetes network policies based on Application YAML manifests.
Notable technical changes:
* RHACS uses GraphQL internally to show data in the RHACS portal. However, Red Hat does not support querying RHACS using GraphQL. If you are using GraphQL, see https://access.redhat.com/articles/6986289 and contact Red Hat Consulting.
* Sensor no longer uses `anyuid` Security Context Constraint (SCC). Instead, the default SCC for Sensor is now `restricted[-v2]` or `stackrox-sensor`, depending on the settings. In addition, the `runAsUser` and `fsGroup` for the Admission control and Sensor deployments are no longer hard-coded to `4000` on OpenShift clusters to allow using the `restricted` and `restricted-v2` SCCs. (ROX-9342)
* The service account `central`, which the Central deployment uses, now includes `get` and `list` access to the pods, events, and namespaces resources in the namespace where you deploy Central.
* The CSV export API `/api/vm/export/csv` now requires the `CVE Type` filter as part of the input query parameter. Supported values for `CVE Type` are `IMAGE_CVE`, `K8S_CVE`, `ISTIO_CVE`, `NODE_CVE`, and `OPENSHIFT_CVE`.
Notice of in-product docs removal:
* Beginning in the RHACS 3.74 release, Red Hat will remove the in-product docs accessible from the help menu. If you are using the in-product docs, you can instead download the required documentation in PDF format from Red Hat Customer Portal. (ROX-12839)
Bug fixes:
* Previously, if you were using StackRox Kubernetes Security Platform - Splunk Technology Add-on, results for the `ocp4-cis-node` compliance standard was missing from Splunk. This issue is now fixed. The Splunk integration now includes the `ocp4-cis-node` compliance standard results. (ROX-11937)
* Previously, Central would fail on the v1 CronJob deployment check. This issue is fixed. (ROX-13500)
Security Fix(es):
* imgcrypt: Unauthorized access to encryted container image on a shared system due to missing check in CheckAuthorization() code path (CVE-2022-24778)
* app-containers/cosign: false positive verification (CVE-2022-36056)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Low"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated images are now available for Red Hat Advanced Cluster Security (RHACS). The updated image includes new features and bug fixes.\n\nRed Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Release of RHACS 3.73 provides these changes:\n\nNew features:\n\n* Red Hat Advanced Cluster Security Cloud Service (ACSCS) is a Red Hat managed service that simplifies and accelerates RHACS deployments. ACSCS is available as a Field Trial release. For more information about accessing ACSCS, contact Red Hat Sales.\n* Improved Vulnerability Management dashboard for ACSCS users.\n* PostgreSQL database option is available as Technology Preview feature. If you are interested in participating in the Tech Preview program, contact your Red Hat account representative.\n* A new build-time network policy generator as Technology Preview feature, to generate Kubernetes network policies based on Application YAML manifests.\n\nNotable technical changes:\n\n* RHACS uses GraphQL internally to show data in the RHACS portal. However, Red Hat does not support querying RHACS using GraphQL. If you are using GraphQL, see https://access.redhat.com/articles/6986289 and contact Red Hat Consulting.\n* Sensor no longer uses `anyuid` Security Context Constraint (SCC). Instead, the default SCC for Sensor is now `restricted[-v2]` or `stackrox-sensor`, depending on the settings. In addition, the `runAsUser` and `fsGroup` for the Admission control and Sensor deployments are no longer hard-coded to `4000` on OpenShift clusters to allow using the `restricted` and `restricted-v2` SCCs. (ROX-9342)\n* The service account `central`, which the Central deployment uses, now includes `get` and `list` access to the pods, events, and namespaces resources in the namespace where you deploy Central.\n* The CSV export API `/api/vm/export/csv` now requires the `CVE Type` filter as part of the input query parameter. Supported values for `CVE Type` are `IMAGE_CVE`, `K8S_CVE`, `ISTIO_CVE`, `NODE_CVE`, and `OPENSHIFT_CVE`.\n\nNotice of in-product docs removal:\n\n* Beginning in the RHACS 3.74 release, Red Hat will remove the in-product docs accessible from the help menu. If you are using the in-product docs, you can instead download the required documentation in PDF format from Red Hat Customer Portal. (ROX-12839)\n\nBug fixes:\n\n* Previously, if you were using StackRox Kubernetes Security Platform - Splunk Technology Add-on, results for the `ocp4-cis-node` compliance standard was missing from Splunk. This issue is now fixed. The Splunk integration now includes the `ocp4-cis-node` compliance standard results. (ROX-11937)\n* Previously, Central would fail on the v1 CronJob deployment check. This issue is fixed. (ROX-13500)\n\nSecurity Fix(es):\n\n* imgcrypt: Unauthorized access to encryted container image on a shared system due to missing check in CheckAuthorization() code path (CVE-2022-24778)\n\n* app-containers/cosign: false positive verification (CVE-2022-36056)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2022:8827",
"url": "https://access.redhat.com/errata/RHSA-2022:8827"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#low",
"url": "https://access.redhat.com/security/updates/classification/#low"
},
{
"category": "external",
"summary": "https://docs.openshift.com/acs/3.73/release_notes/373-release-notes.html",
"url": "https://docs.openshift.com/acs/3.73/release_notes/373-release-notes.html"
},
{
"category": "external",
"summary": "2069368",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2069368"
},
{
"category": "external",
"summary": "2128820",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2128820"
},
{
"category": "external",
"summary": "ROX-13687",
"url": "https://issues.redhat.com/browse/ROX-13687"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_8827.json"
}
],
"title": "Red Hat Security Advisory: RHACS 3.73 enhancement and security update",
"tracking": {
"current_release_date": "2025-02-07T01:57:33+00:00",
"generator": {
"date": "2025-02-07T01:57:33+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.3.0"
}
},
"id": "RHSA-2022:8827",
"initial_release_date": "2022-12-06T14:00:32+00:00",
"revision_history": [
{
"date": "2022-12-06T14:00:32+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2022-12-06T14:00:32+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-02-07T01:57:33+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "RHACS 3.73 for RHEL 8",
"product": {
"name": "RHACS 3.73 for RHEL 8",
"product_id": "8Base-RHACS-3.73",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:advanced_cluster_security:3.73::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat Advanced Cluster Security for Kubernetes"
},
{
"branches": [
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-central-db-rhel8@sha256:83b7562687545ba41fedd5f5d6ed5403fe7a3a5cac3110e711cbe46dad2d26fd_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-central-db-rhel8@sha256:83b7562687545ba41fedd5f5d6ed5403fe7a3a5cac3110e711cbe46dad2d26fd_amd64",
"product_id": "advanced-cluster-security/rhacs-central-db-rhel8@sha256:83b7562687545ba41fedd5f5d6ed5403fe7a3a5cac3110e711cbe46dad2d26fd_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-central-db-rhel8@sha256:83b7562687545ba41fedd5f5d6ed5403fe7a3a5cac3110e711cbe46dad2d26fd?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-central-db-rhel8\u0026tag=3.73.0-4"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-collector-rhel8@sha256:cc229c86ecb3d1e1b1af479041fa8e940c61e69dbc309c8e66de7945df5cc591_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-collector-rhel8@sha256:cc229c86ecb3d1e1b1af479041fa8e940c61e69dbc309c8e66de7945df5cc591_amd64",
"product_id": "advanced-cluster-security/rhacs-collector-rhel8@sha256:cc229c86ecb3d1e1b1af479041fa8e940c61e69dbc309c8e66de7945df5cc591_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-collector-rhel8@sha256:cc229c86ecb3d1e1b1af479041fa8e940c61e69dbc309c8e66de7945df5cc591?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-collector-rhel8\u0026tag=3.73.0-4"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:7ad85567fea6d1c1b5ca6a360cb1565184df075bad61ffc8ce5ec0595273e733_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:7ad85567fea6d1c1b5ca6a360cb1565184df075bad61ffc8ce5ec0595273e733_amd64",
"product_id": "advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:7ad85567fea6d1c1b5ca6a360cb1565184df075bad61ffc8ce5ec0595273e733_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-collector-slim-rhel8@sha256:7ad85567fea6d1c1b5ca6a360cb1565184df075bad61ffc8ce5ec0595273e733?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-collector-slim-rhel8\u0026tag=3.73.0-2"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-docs-rhel8@sha256:87bf4d7e041d6e3197b1c23c58061f877434f6e550ddf516b6512be5309f89c3_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-docs-rhel8@sha256:87bf4d7e041d6e3197b1c23c58061f877434f6e550ddf516b6512be5309f89c3_amd64",
"product_id": "advanced-cluster-security/rhacs-docs-rhel8@sha256:87bf4d7e041d6e3197b1c23c58061f877434f6e550ddf516b6512be5309f89c3_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-docs-rhel8@sha256:87bf4d7e041d6e3197b1c23c58061f877434f6e550ddf516b6512be5309f89c3?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-docs-rhel8\u0026tag=3.73.0-4"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-main-rhel8@sha256:82d8a9f94f291d6ee6f38668bc13e4830efc5b289754232d6e8a483043771da3_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-main-rhel8@sha256:82d8a9f94f291d6ee6f38668bc13e4830efc5b289754232d6e8a483043771da3_amd64",
"product_id": "advanced-cluster-security/rhacs-main-rhel8@sha256:82d8a9f94f291d6ee6f38668bc13e4830efc5b289754232d6e8a483043771da3_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-main-rhel8@sha256:82d8a9f94f291d6ee6f38668bc13e4830efc5b289754232d6e8a483043771da3?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8\u0026tag=3.73.0-4"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-operator-bundle@sha256:d496a827f223e5464a1b6c87168102df632643e1f8348a8abb1a5e9e226f00d2_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-operator-bundle@sha256:d496a827f223e5464a1b6c87168102df632643e1f8348a8abb1a5e9e226f00d2_amd64",
"product_id": "advanced-cluster-security/rhacs-operator-bundle@sha256:d496a827f223e5464a1b6c87168102df632643e1f8348a8abb1a5e9e226f00d2_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-operator-bundle@sha256:d496a827f223e5464a1b6c87168102df632643e1f8348a8abb1a5e9e226f00d2?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-operator-bundle\u0026tag=3.73.0-6"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-rhel8-operator@sha256:1ef51b3cd89d4da166d8b9e1582fa7c0fc5415e0eb2f2c8ab18ec704d2bd74d8_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-rhel8-operator@sha256:1ef51b3cd89d4da166d8b9e1582fa7c0fc5415e0eb2f2c8ab18ec704d2bd74d8_amd64",
"product_id": "advanced-cluster-security/rhacs-rhel8-operator@sha256:1ef51b3cd89d4da166d8b9e1582fa7c0fc5415e0eb2f2c8ab18ec704d2bd74d8_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-rhel8-operator@sha256:1ef51b3cd89d4da166d8b9e1582fa7c0fc5415e0eb2f2c8ab18ec704d2bd74d8?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-rhel8-operator\u0026tag=3.73.0-4"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-roxctl-rhel8@sha256:61f027ae531f3e23f2394e7f93c397eda14ce1ad93e8c19d463cd301464147b5_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-roxctl-rhel8@sha256:61f027ae531f3e23f2394e7f93c397eda14ce1ad93e8c19d463cd301464147b5_amd64",
"product_id": "advanced-cluster-security/rhacs-roxctl-rhel8@sha256:61f027ae531f3e23f2394e7f93c397eda14ce1ad93e8c19d463cd301464147b5_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-roxctl-rhel8@sha256:61f027ae531f3e23f2394e7f93c397eda14ce1ad93e8c19d463cd301464147b5?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-roxctl-rhel8\u0026tag=3.73.0-4"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-scanner-rhel8@sha256:976ca1e50768c0c619d56b99d0660bf1885164cc3982136821650479946c904d_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-scanner-rhel8@sha256:976ca1e50768c0c619d56b99d0660bf1885164cc3982136821650479946c904d_amd64",
"product_id": "advanced-cluster-security/rhacs-scanner-rhel8@sha256:976ca1e50768c0c619d56b99d0660bf1885164cc3982136821650479946c904d_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-scanner-rhel8@sha256:976ca1e50768c0c619d56b99d0660bf1885164cc3982136821650479946c904d?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-scanner-rhel8\u0026tag=3.73.0-4"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:2dd59fe0134c5d2f239d6f96d6876ac687e0490e52ab41647842e3244623480c_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:2dd59fe0134c5d2f239d6f96d6876ac687e0490e52ab41647842e3244623480c_amd64",
"product_id": "advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:2dd59fe0134c5d2f239d6f96d6876ac687e0490e52ab41647842e3244623480c_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-scanner-db-rhel8@sha256:2dd59fe0134c5d2f239d6f96d6876ac687e0490e52ab41647842e3244623480c?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-scanner-db-rhel8\u0026tag=3.73.0-4"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:38b7030affee05fd8cd8e947b89ff8b40962af45267e2ec0143f827c8e33eca3_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:38b7030affee05fd8cd8e947b89ff8b40962af45267e2ec0143f827c8e33eca3_amd64",
"product_id": "advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:38b7030affee05fd8cd8e947b89ff8b40962af45267e2ec0143f827c8e33eca3_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-scanner-db-slim-rhel8@sha256:38b7030affee05fd8cd8e947b89ff8b40962af45267e2ec0143f827c8e33eca3?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-scanner-db-slim-rhel8\u0026tag=3.73.0-3"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aefb2507e2c8a68ca457c0f208ea2cc24ae52a694c03e2c85ffd172f6673f18d_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aefb2507e2c8a68ca457c0f208ea2cc24ae52a694c03e2c85ffd172f6673f18d_amd64",
"product_id": "advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aefb2507e2c8a68ca457c0f208ea2cc24ae52a694c03e2c85ffd172f6673f18d_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-scanner-slim-rhel8@sha256:aefb2507e2c8a68ca457c0f208ea2cc24ae52a694c03e2c85ffd172f6673f18d?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-scanner-slim-rhel8\u0026tag=3.73.0-4"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-central-db-rhel8@sha256:83b7562687545ba41fedd5f5d6ed5403fe7a3a5cac3110e711cbe46dad2d26fd_amd64 as a component of RHACS 3.73 for RHEL 8",
"product_id": "8Base-RHACS-3.73:advanced-cluster-security/rhacs-central-db-rhel8@sha256:83b7562687545ba41fedd5f5d6ed5403fe7a3a5cac3110e711cbe46dad2d26fd_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-central-db-rhel8@sha256:83b7562687545ba41fedd5f5d6ed5403fe7a3a5cac3110e711cbe46dad2d26fd_amd64",
"relates_to_product_reference": "8Base-RHACS-3.73"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-collector-rhel8@sha256:cc229c86ecb3d1e1b1af479041fa8e940c61e69dbc309c8e66de7945df5cc591_amd64 as a component of RHACS 3.73 for RHEL 8",
"product_id": "8Base-RHACS-3.73:advanced-cluster-security/rhacs-collector-rhel8@sha256:cc229c86ecb3d1e1b1af479041fa8e940c61e69dbc309c8e66de7945df5cc591_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-collector-rhel8@sha256:cc229c86ecb3d1e1b1af479041fa8e940c61e69dbc309c8e66de7945df5cc591_amd64",
"relates_to_product_reference": "8Base-RHACS-3.73"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:7ad85567fea6d1c1b5ca6a360cb1565184df075bad61ffc8ce5ec0595273e733_amd64 as a component of RHACS 3.73 for RHEL 8",
"product_id": "8Base-RHACS-3.73:advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:7ad85567fea6d1c1b5ca6a360cb1565184df075bad61ffc8ce5ec0595273e733_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:7ad85567fea6d1c1b5ca6a360cb1565184df075bad61ffc8ce5ec0595273e733_amd64",
"relates_to_product_reference": "8Base-RHACS-3.73"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-docs-rhel8@sha256:87bf4d7e041d6e3197b1c23c58061f877434f6e550ddf516b6512be5309f89c3_amd64 as a component of RHACS 3.73 for RHEL 8",
"product_id": "8Base-RHACS-3.73:advanced-cluster-security/rhacs-docs-rhel8@sha256:87bf4d7e041d6e3197b1c23c58061f877434f6e550ddf516b6512be5309f89c3_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-docs-rhel8@sha256:87bf4d7e041d6e3197b1c23c58061f877434f6e550ddf516b6512be5309f89c3_amd64",
"relates_to_product_reference": "8Base-RHACS-3.73"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-main-rhel8@sha256:82d8a9f94f291d6ee6f38668bc13e4830efc5b289754232d6e8a483043771da3_amd64 as a component of RHACS 3.73 for RHEL 8",
"product_id": "8Base-RHACS-3.73:advanced-cluster-security/rhacs-main-rhel8@sha256:82d8a9f94f291d6ee6f38668bc13e4830efc5b289754232d6e8a483043771da3_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-main-rhel8@sha256:82d8a9f94f291d6ee6f38668bc13e4830efc5b289754232d6e8a483043771da3_amd64",
"relates_to_product_reference": "8Base-RHACS-3.73"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-operator-bundle@sha256:d496a827f223e5464a1b6c87168102df632643e1f8348a8abb1a5e9e226f00d2_amd64 as a component of RHACS 3.73 for RHEL 8",
"product_id": "8Base-RHACS-3.73:advanced-cluster-security/rhacs-operator-bundle@sha256:d496a827f223e5464a1b6c87168102df632643e1f8348a8abb1a5e9e226f00d2_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-operator-bundle@sha256:d496a827f223e5464a1b6c87168102df632643e1f8348a8abb1a5e9e226f00d2_amd64",
"relates_to_product_reference": "8Base-RHACS-3.73"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-rhel8-operator@sha256:1ef51b3cd89d4da166d8b9e1582fa7c0fc5415e0eb2f2c8ab18ec704d2bd74d8_amd64 as a component of RHACS 3.73 for RHEL 8",
"product_id": "8Base-RHACS-3.73:advanced-cluster-security/rhacs-rhel8-operator@sha256:1ef51b3cd89d4da166d8b9e1582fa7c0fc5415e0eb2f2c8ab18ec704d2bd74d8_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-rhel8-operator@sha256:1ef51b3cd89d4da166d8b9e1582fa7c0fc5415e0eb2f2c8ab18ec704d2bd74d8_amd64",
"relates_to_product_reference": "8Base-RHACS-3.73"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-roxctl-rhel8@sha256:61f027ae531f3e23f2394e7f93c397eda14ce1ad93e8c19d463cd301464147b5_amd64 as a component of RHACS 3.73 for RHEL 8",
"product_id": "8Base-RHACS-3.73:advanced-cluster-security/rhacs-roxctl-rhel8@sha256:61f027ae531f3e23f2394e7f93c397eda14ce1ad93e8c19d463cd301464147b5_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-roxctl-rhel8@sha256:61f027ae531f3e23f2394e7f93c397eda14ce1ad93e8c19d463cd301464147b5_amd64",
"relates_to_product_reference": "8Base-RHACS-3.73"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:2dd59fe0134c5d2f239d6f96d6876ac687e0490e52ab41647842e3244623480c_amd64 as a component of RHACS 3.73 for RHEL 8",
"product_id": "8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:2dd59fe0134c5d2f239d6f96d6876ac687e0490e52ab41647842e3244623480c_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:2dd59fe0134c5d2f239d6f96d6876ac687e0490e52ab41647842e3244623480c_amd64",
"relates_to_product_reference": "8Base-RHACS-3.73"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:38b7030affee05fd8cd8e947b89ff8b40962af45267e2ec0143f827c8e33eca3_amd64 as a component of RHACS 3.73 for RHEL 8",
"product_id": "8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:38b7030affee05fd8cd8e947b89ff8b40962af45267e2ec0143f827c8e33eca3_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:38b7030affee05fd8cd8e947b89ff8b40962af45267e2ec0143f827c8e33eca3_amd64",
"relates_to_product_reference": "8Base-RHACS-3.73"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-scanner-rhel8@sha256:976ca1e50768c0c619d56b99d0660bf1885164cc3982136821650479946c904d_amd64 as a component of RHACS 3.73 for RHEL 8",
"product_id": "8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-rhel8@sha256:976ca1e50768c0c619d56b99d0660bf1885164cc3982136821650479946c904d_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-scanner-rhel8@sha256:976ca1e50768c0c619d56b99d0660bf1885164cc3982136821650479946c904d_amd64",
"relates_to_product_reference": "8Base-RHACS-3.73"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aefb2507e2c8a68ca457c0f208ea2cc24ae52a694c03e2c85ffd172f6673f18d_amd64 as a component of RHACS 3.73 for RHEL 8",
"product_id": "8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aefb2507e2c8a68ca457c0f208ea2cc24ae52a694c03e2c85ffd172f6673f18d_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aefb2507e2c8a68ca457c0f208ea2cc24ae52a694c03e2c85ffd172f6673f18d_amd64",
"relates_to_product_reference": "8Base-RHACS-3.73"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-24778",
"cwe": {
"id": "CWE-303",
"name": "Incorrect Implementation of Authentication Algorithm"
},
"discovery_date": "2022-03-28T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-central-db-rhel8@sha256:83b7562687545ba41fedd5f5d6ed5403fe7a3a5cac3110e711cbe46dad2d26fd_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-collector-rhel8@sha256:cc229c86ecb3d1e1b1af479041fa8e940c61e69dbc309c8e66de7945df5cc591_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:7ad85567fea6d1c1b5ca6a360cb1565184df075bad61ffc8ce5ec0595273e733_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-docs-rhel8@sha256:87bf4d7e041d6e3197b1c23c58061f877434f6e550ddf516b6512be5309f89c3_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-operator-bundle@sha256:d496a827f223e5464a1b6c87168102df632643e1f8348a8abb1a5e9e226f00d2_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-rhel8-operator@sha256:1ef51b3cd89d4da166d8b9e1582fa7c0fc5415e0eb2f2c8ab18ec704d2bd74d8_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-roxctl-rhel8@sha256:61f027ae531f3e23f2394e7f93c397eda14ce1ad93e8c19d463cd301464147b5_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:2dd59fe0134c5d2f239d6f96d6876ac687e0490e52ab41647842e3244623480c_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:38b7030affee05fd8cd8e947b89ff8b40962af45267e2ec0143f827c8e33eca3_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-rhel8@sha256:976ca1e50768c0c619d56b99d0660bf1885164cc3982136821650479946c904d_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aefb2507e2c8a68ca457c0f208ea2cc24ae52a694c03e2c85ffd172f6673f18d_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2069368"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the imgcrypt library when checking the keys of an authorized user to access an encrypted image on systems where layers are not available and cannot run on the host architecture. This flaw allows an attacker to run an image without providing the previously decrypted keys.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "imgcrypt: Unauthorized access to encryted container image on a shared system due to missing check in CheckAuthorization() code path",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Only Fedora is using the affected codebase. Hence, marking other products as of Low impact as they are using an affected version of \u0027imgcrypt\u0027 as a transitive dependency.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-main-rhel8@sha256:82d8a9f94f291d6ee6f38668bc13e4830efc5b289754232d6e8a483043771da3_amd64"
],
"known_not_affected": [
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-central-db-rhel8@sha256:83b7562687545ba41fedd5f5d6ed5403fe7a3a5cac3110e711cbe46dad2d26fd_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-collector-rhel8@sha256:cc229c86ecb3d1e1b1af479041fa8e940c61e69dbc309c8e66de7945df5cc591_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:7ad85567fea6d1c1b5ca6a360cb1565184df075bad61ffc8ce5ec0595273e733_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-docs-rhel8@sha256:87bf4d7e041d6e3197b1c23c58061f877434f6e550ddf516b6512be5309f89c3_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-operator-bundle@sha256:d496a827f223e5464a1b6c87168102df632643e1f8348a8abb1a5e9e226f00d2_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-rhel8-operator@sha256:1ef51b3cd89d4da166d8b9e1582fa7c0fc5415e0eb2f2c8ab18ec704d2bd74d8_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-roxctl-rhel8@sha256:61f027ae531f3e23f2394e7f93c397eda14ce1ad93e8c19d463cd301464147b5_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:2dd59fe0134c5d2f239d6f96d6876ac687e0490e52ab41647842e3244623480c_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:38b7030affee05fd8cd8e947b89ff8b40962af45267e2ec0143f827c8e33eca3_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-rhel8@sha256:976ca1e50768c0c619d56b99d0660bf1885164cc3982136821650479946c904d_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aefb2507e2c8a68ca457c0f208ea2cc24ae52a694c03e2c85ffd172f6673f18d_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-24778"
},
{
"category": "external",
"summary": "RHBZ#2069368",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2069368"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-24778",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24778"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-24778",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24778"
},
{
"category": "external",
"summary": "https://github.com/containerd/imgcrypt/security/advisories/GHSA-8v99-48m9-c8pm",
"url": "https://github.com/containerd/imgcrypt/security/advisories/GHSA-8v99-48m9-c8pm"
}
],
"release_date": "2022-03-25T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-12-06T14:00:32+00:00",
"details": "To take advantage of the new features, bug fixes, and enhancements in RHACS 3.73 you are advised to upgrade to RHACS 3.73.0.",
"product_ids": [
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-main-rhel8@sha256:82d8a9f94f291d6ee6f38668bc13e4830efc5b289754232d6e8a483043771da3_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:8827"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-central-db-rhel8@sha256:83b7562687545ba41fedd5f5d6ed5403fe7a3a5cac3110e711cbe46dad2d26fd_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-collector-rhel8@sha256:cc229c86ecb3d1e1b1af479041fa8e940c61e69dbc309c8e66de7945df5cc591_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:7ad85567fea6d1c1b5ca6a360cb1565184df075bad61ffc8ce5ec0595273e733_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-docs-rhel8@sha256:87bf4d7e041d6e3197b1c23c58061f877434f6e550ddf516b6512be5309f89c3_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-main-rhel8@sha256:82d8a9f94f291d6ee6f38668bc13e4830efc5b289754232d6e8a483043771da3_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-operator-bundle@sha256:d496a827f223e5464a1b6c87168102df632643e1f8348a8abb1a5e9e226f00d2_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-rhel8-operator@sha256:1ef51b3cd89d4da166d8b9e1582fa7c0fc5415e0eb2f2c8ab18ec704d2bd74d8_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-roxctl-rhel8@sha256:61f027ae531f3e23f2394e7f93c397eda14ce1ad93e8c19d463cd301464147b5_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:2dd59fe0134c5d2f239d6f96d6876ac687e0490e52ab41647842e3244623480c_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:38b7030affee05fd8cd8e947b89ff8b40962af45267e2ec0143f827c8e33eca3_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-rhel8@sha256:976ca1e50768c0c619d56b99d0660bf1885164cc3982136821650479946c904d_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aefb2507e2c8a68ca457c0f208ea2cc24ae52a694c03e2c85ffd172f6673f18d_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "imgcrypt: Unauthorized access to encryted container image on a shared system due to missing check in CheckAuthorization() code path"
},
{
"cve": "CVE-2022-36056",
"cwe": {
"id": "CWE-347",
"name": "Improper Verification of Cryptographic Signature"
},
"discovery_date": "2022-09-21T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-central-db-rhel8@sha256:83b7562687545ba41fedd5f5d6ed5403fe7a3a5cac3110e711cbe46dad2d26fd_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-collector-rhel8@sha256:cc229c86ecb3d1e1b1af479041fa8e940c61e69dbc309c8e66de7945df5cc591_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:7ad85567fea6d1c1b5ca6a360cb1565184df075bad61ffc8ce5ec0595273e733_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-docs-rhel8@sha256:87bf4d7e041d6e3197b1c23c58061f877434f6e550ddf516b6512be5309f89c3_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-operator-bundle@sha256:d496a827f223e5464a1b6c87168102df632643e1f8348a8abb1a5e9e226f00d2_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-rhel8-operator@sha256:1ef51b3cd89d4da166d8b9e1582fa7c0fc5415e0eb2f2c8ab18ec704d2bd74d8_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-roxctl-rhel8@sha256:61f027ae531f3e23f2394e7f93c397eda14ce1ad93e8c19d463cd301464147b5_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:2dd59fe0134c5d2f239d6f96d6876ac687e0490e52ab41647842e3244623480c_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:38b7030affee05fd8cd8e947b89ff8b40962af45267e2ec0143f827c8e33eca3_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aefb2507e2c8a68ca457c0f208ea2cc24ae52a694c03e2c85ffd172f6673f18d_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2128820"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in cosign, where it incorrectly verified an artifact when the embedded rekorBundle does not reference the given signature. This flaw allows an attacker to exploit integrity and confidentiality.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "app-containers/cosign: false positive verification",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-main-rhel8@sha256:82d8a9f94f291d6ee6f38668bc13e4830efc5b289754232d6e8a483043771da3_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-rhel8@sha256:976ca1e50768c0c619d56b99d0660bf1885164cc3982136821650479946c904d_amd64"
],
"known_not_affected": [
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-central-db-rhel8@sha256:83b7562687545ba41fedd5f5d6ed5403fe7a3a5cac3110e711cbe46dad2d26fd_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-collector-rhel8@sha256:cc229c86ecb3d1e1b1af479041fa8e940c61e69dbc309c8e66de7945df5cc591_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:7ad85567fea6d1c1b5ca6a360cb1565184df075bad61ffc8ce5ec0595273e733_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-docs-rhel8@sha256:87bf4d7e041d6e3197b1c23c58061f877434f6e550ddf516b6512be5309f89c3_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-operator-bundle@sha256:d496a827f223e5464a1b6c87168102df632643e1f8348a8abb1a5e9e226f00d2_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-rhel8-operator@sha256:1ef51b3cd89d4da166d8b9e1582fa7c0fc5415e0eb2f2c8ab18ec704d2bd74d8_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-roxctl-rhel8@sha256:61f027ae531f3e23f2394e7f93c397eda14ce1ad93e8c19d463cd301464147b5_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:2dd59fe0134c5d2f239d6f96d6876ac687e0490e52ab41647842e3244623480c_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:38b7030affee05fd8cd8e947b89ff8b40962af45267e2ec0143f827c8e33eca3_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aefb2507e2c8a68ca457c0f208ea2cc24ae52a694c03e2c85ffd172f6673f18d_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-36056"
},
{
"category": "external",
"summary": "RHBZ#2128820",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2128820"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-36056",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-36056"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-36056",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36056"
},
{
"category": "external",
"summary": "https://github.com/sigstore/cosign/security/advisories/GHSA-8gw7-4j42-w388",
"url": "https://github.com/sigstore/cosign/security/advisories/GHSA-8gw7-4j42-w388"
}
],
"release_date": "2022-09-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-12-06T14:00:32+00:00",
"details": "To take advantage of the new features, bug fixes, and enhancements in RHACS 3.73 you are advised to upgrade to RHACS 3.73.0.",
"product_ids": [
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-main-rhel8@sha256:82d8a9f94f291d6ee6f38668bc13e4830efc5b289754232d6e8a483043771da3_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-rhel8@sha256:976ca1e50768c0c619d56b99d0660bf1885164cc3982136821650479946c904d_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:8827"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-central-db-rhel8@sha256:83b7562687545ba41fedd5f5d6ed5403fe7a3a5cac3110e711cbe46dad2d26fd_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-collector-rhel8@sha256:cc229c86ecb3d1e1b1af479041fa8e940c61e69dbc309c8e66de7945df5cc591_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:7ad85567fea6d1c1b5ca6a360cb1565184df075bad61ffc8ce5ec0595273e733_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-docs-rhel8@sha256:87bf4d7e041d6e3197b1c23c58061f877434f6e550ddf516b6512be5309f89c3_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-main-rhel8@sha256:82d8a9f94f291d6ee6f38668bc13e4830efc5b289754232d6e8a483043771da3_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-operator-bundle@sha256:d496a827f223e5464a1b6c87168102df632643e1f8348a8abb1a5e9e226f00d2_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-rhel8-operator@sha256:1ef51b3cd89d4da166d8b9e1582fa7c0fc5415e0eb2f2c8ab18ec704d2bd74d8_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-roxctl-rhel8@sha256:61f027ae531f3e23f2394e7f93c397eda14ce1ad93e8c19d463cd301464147b5_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:2dd59fe0134c5d2f239d6f96d6876ac687e0490e52ab41647842e3244623480c_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:38b7030affee05fd8cd8e947b89ff8b40962af45267e2ec0143f827c8e33eca3_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-rhel8@sha256:976ca1e50768c0c619d56b99d0660bf1885164cc3982136821650479946c904d_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aefb2507e2c8a68ca457c0f208ea2cc24ae52a694c03e2c85ffd172f6673f18d_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "app-containers/cosign: false positive verification"
}
]
}
RHSA-2022:8827
Vulnerability from csaf_redhat
Published
2022-12-06 14:00
Modified
2025-02-07 01:57
Summary
Red Hat Security Advisory: RHACS 3.73 enhancement and security update
Notes
Topic
Updated images are now available for Red Hat Advanced Cluster Security (RHACS). The updated image includes new features and bug fixes.
Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Release of RHACS 3.73 provides these changes:
New features:
* Red Hat Advanced Cluster Security Cloud Service (ACSCS) is a Red Hat managed service that simplifies and accelerates RHACS deployments. ACSCS is available as a Field Trial release. For more information about accessing ACSCS, contact Red Hat Sales.
* Improved Vulnerability Management dashboard for ACSCS users.
* PostgreSQL database option is available as Technology Preview feature. If you are interested in participating in the Tech Preview program, contact your Red Hat account representative.
* A new build-time network policy generator as Technology Preview feature, to generate Kubernetes network policies based on Application YAML manifests.
Notable technical changes:
* RHACS uses GraphQL internally to show data in the RHACS portal. However, Red Hat does not support querying RHACS using GraphQL. If you are using GraphQL, see https://access.redhat.com/articles/6986289 and contact Red Hat Consulting.
* Sensor no longer uses `anyuid` Security Context Constraint (SCC). Instead, the default SCC for Sensor is now `restricted[-v2]` or `stackrox-sensor`, depending on the settings. In addition, the `runAsUser` and `fsGroup` for the Admission control and Sensor deployments are no longer hard-coded to `4000` on OpenShift clusters to allow using the `restricted` and `restricted-v2` SCCs. (ROX-9342)
* The service account `central`, which the Central deployment uses, now includes `get` and `list` access to the pods, events, and namespaces resources in the namespace where you deploy Central.
* The CSV export API `/api/vm/export/csv` now requires the `CVE Type` filter as part of the input query parameter. Supported values for `CVE Type` are `IMAGE_CVE`, `K8S_CVE`, `ISTIO_CVE`, `NODE_CVE`, and `OPENSHIFT_CVE`.
Notice of in-product docs removal:
* Beginning in the RHACS 3.74 release, Red Hat will remove the in-product docs accessible from the help menu. If you are using the in-product docs, you can instead download the required documentation in PDF format from Red Hat Customer Portal. (ROX-12839)
Bug fixes:
* Previously, if you were using StackRox Kubernetes Security Platform - Splunk Technology Add-on, results for the `ocp4-cis-node` compliance standard was missing from Splunk. This issue is now fixed. The Splunk integration now includes the `ocp4-cis-node` compliance standard results. (ROX-11937)
* Previously, Central would fail on the v1 CronJob deployment check. This issue is fixed. (ROX-13500)
Security Fix(es):
* imgcrypt: Unauthorized access to encryted container image on a shared system due to missing check in CheckAuthorization() code path (CVE-2022-24778)
* app-containers/cosign: false positive verification (CVE-2022-36056)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Low"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated images are now available for Red Hat Advanced Cluster Security (RHACS). The updated image includes new features and bug fixes.\n\nRed Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Release of RHACS 3.73 provides these changes:\n\nNew features:\n\n* Red Hat Advanced Cluster Security Cloud Service (ACSCS) is a Red Hat managed service that simplifies and accelerates RHACS deployments. ACSCS is available as a Field Trial release. For more information about accessing ACSCS, contact Red Hat Sales.\n* Improved Vulnerability Management dashboard for ACSCS users.\n* PostgreSQL database option is available as Technology Preview feature. If you are interested in participating in the Tech Preview program, contact your Red Hat account representative.\n* A new build-time network policy generator as Technology Preview feature, to generate Kubernetes network policies based on Application YAML manifests.\n\nNotable technical changes:\n\n* RHACS uses GraphQL internally to show data in the RHACS portal. However, Red Hat does not support querying RHACS using GraphQL. If you are using GraphQL, see https://access.redhat.com/articles/6986289 and contact Red Hat Consulting.\n* Sensor no longer uses `anyuid` Security Context Constraint (SCC). Instead, the default SCC for Sensor is now `restricted[-v2]` or `stackrox-sensor`, depending on the settings. In addition, the `runAsUser` and `fsGroup` for the Admission control and Sensor deployments are no longer hard-coded to `4000` on OpenShift clusters to allow using the `restricted` and `restricted-v2` SCCs. (ROX-9342)\n* The service account `central`, which the Central deployment uses, now includes `get` and `list` access to the pods, events, and namespaces resources in the namespace where you deploy Central.\n* The CSV export API `/api/vm/export/csv` now requires the `CVE Type` filter as part of the input query parameter. Supported values for `CVE Type` are `IMAGE_CVE`, `K8S_CVE`, `ISTIO_CVE`, `NODE_CVE`, and `OPENSHIFT_CVE`.\n\nNotice of in-product docs removal:\n\n* Beginning in the RHACS 3.74 release, Red Hat will remove the in-product docs accessible from the help menu. If you are using the in-product docs, you can instead download the required documentation in PDF format from Red Hat Customer Portal. (ROX-12839)\n\nBug fixes:\n\n* Previously, if you were using StackRox Kubernetes Security Platform - Splunk Technology Add-on, results for the `ocp4-cis-node` compliance standard was missing from Splunk. This issue is now fixed. The Splunk integration now includes the `ocp4-cis-node` compliance standard results. (ROX-11937)\n* Previously, Central would fail on the v1 CronJob deployment check. This issue is fixed. (ROX-13500)\n\nSecurity Fix(es):\n\n* imgcrypt: Unauthorized access to encryted container image on a shared system due to missing check in CheckAuthorization() code path (CVE-2022-24778)\n\n* app-containers/cosign: false positive verification (CVE-2022-36056)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2022:8827",
"url": "https://access.redhat.com/errata/RHSA-2022:8827"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#low",
"url": "https://access.redhat.com/security/updates/classification/#low"
},
{
"category": "external",
"summary": "https://docs.openshift.com/acs/3.73/release_notes/373-release-notes.html",
"url": "https://docs.openshift.com/acs/3.73/release_notes/373-release-notes.html"
},
{
"category": "external",
"summary": "2069368",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2069368"
},
{
"category": "external",
"summary": "2128820",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2128820"
},
{
"category": "external",
"summary": "ROX-13687",
"url": "https://issues.redhat.com/browse/ROX-13687"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_8827.json"
}
],
"title": "Red Hat Security Advisory: RHACS 3.73 enhancement and security update",
"tracking": {
"current_release_date": "2025-02-07T01:57:33+00:00",
"generator": {
"date": "2025-02-07T01:57:33+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.3.0"
}
},
"id": "RHSA-2022:8827",
"initial_release_date": "2022-12-06T14:00:32+00:00",
"revision_history": [
{
"date": "2022-12-06T14:00:32+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2022-12-06T14:00:32+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-02-07T01:57:33+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "RHACS 3.73 for RHEL 8",
"product": {
"name": "RHACS 3.73 for RHEL 8",
"product_id": "8Base-RHACS-3.73",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:advanced_cluster_security:3.73::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat Advanced Cluster Security for Kubernetes"
},
{
"branches": [
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-central-db-rhel8@sha256:83b7562687545ba41fedd5f5d6ed5403fe7a3a5cac3110e711cbe46dad2d26fd_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-central-db-rhel8@sha256:83b7562687545ba41fedd5f5d6ed5403fe7a3a5cac3110e711cbe46dad2d26fd_amd64",
"product_id": "advanced-cluster-security/rhacs-central-db-rhel8@sha256:83b7562687545ba41fedd5f5d6ed5403fe7a3a5cac3110e711cbe46dad2d26fd_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-central-db-rhel8@sha256:83b7562687545ba41fedd5f5d6ed5403fe7a3a5cac3110e711cbe46dad2d26fd?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-central-db-rhel8\u0026tag=3.73.0-4"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-collector-rhel8@sha256:cc229c86ecb3d1e1b1af479041fa8e940c61e69dbc309c8e66de7945df5cc591_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-collector-rhel8@sha256:cc229c86ecb3d1e1b1af479041fa8e940c61e69dbc309c8e66de7945df5cc591_amd64",
"product_id": "advanced-cluster-security/rhacs-collector-rhel8@sha256:cc229c86ecb3d1e1b1af479041fa8e940c61e69dbc309c8e66de7945df5cc591_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-collector-rhel8@sha256:cc229c86ecb3d1e1b1af479041fa8e940c61e69dbc309c8e66de7945df5cc591?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-collector-rhel8\u0026tag=3.73.0-4"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:7ad85567fea6d1c1b5ca6a360cb1565184df075bad61ffc8ce5ec0595273e733_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:7ad85567fea6d1c1b5ca6a360cb1565184df075bad61ffc8ce5ec0595273e733_amd64",
"product_id": "advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:7ad85567fea6d1c1b5ca6a360cb1565184df075bad61ffc8ce5ec0595273e733_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-collector-slim-rhel8@sha256:7ad85567fea6d1c1b5ca6a360cb1565184df075bad61ffc8ce5ec0595273e733?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-collector-slim-rhel8\u0026tag=3.73.0-2"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-docs-rhel8@sha256:87bf4d7e041d6e3197b1c23c58061f877434f6e550ddf516b6512be5309f89c3_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-docs-rhel8@sha256:87bf4d7e041d6e3197b1c23c58061f877434f6e550ddf516b6512be5309f89c3_amd64",
"product_id": "advanced-cluster-security/rhacs-docs-rhel8@sha256:87bf4d7e041d6e3197b1c23c58061f877434f6e550ddf516b6512be5309f89c3_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-docs-rhel8@sha256:87bf4d7e041d6e3197b1c23c58061f877434f6e550ddf516b6512be5309f89c3?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-docs-rhel8\u0026tag=3.73.0-4"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-main-rhel8@sha256:82d8a9f94f291d6ee6f38668bc13e4830efc5b289754232d6e8a483043771da3_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-main-rhel8@sha256:82d8a9f94f291d6ee6f38668bc13e4830efc5b289754232d6e8a483043771da3_amd64",
"product_id": "advanced-cluster-security/rhacs-main-rhel8@sha256:82d8a9f94f291d6ee6f38668bc13e4830efc5b289754232d6e8a483043771da3_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-main-rhel8@sha256:82d8a9f94f291d6ee6f38668bc13e4830efc5b289754232d6e8a483043771da3?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8\u0026tag=3.73.0-4"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-operator-bundle@sha256:d496a827f223e5464a1b6c87168102df632643e1f8348a8abb1a5e9e226f00d2_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-operator-bundle@sha256:d496a827f223e5464a1b6c87168102df632643e1f8348a8abb1a5e9e226f00d2_amd64",
"product_id": "advanced-cluster-security/rhacs-operator-bundle@sha256:d496a827f223e5464a1b6c87168102df632643e1f8348a8abb1a5e9e226f00d2_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-operator-bundle@sha256:d496a827f223e5464a1b6c87168102df632643e1f8348a8abb1a5e9e226f00d2?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-operator-bundle\u0026tag=3.73.0-6"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-rhel8-operator@sha256:1ef51b3cd89d4da166d8b9e1582fa7c0fc5415e0eb2f2c8ab18ec704d2bd74d8_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-rhel8-operator@sha256:1ef51b3cd89d4da166d8b9e1582fa7c0fc5415e0eb2f2c8ab18ec704d2bd74d8_amd64",
"product_id": "advanced-cluster-security/rhacs-rhel8-operator@sha256:1ef51b3cd89d4da166d8b9e1582fa7c0fc5415e0eb2f2c8ab18ec704d2bd74d8_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-rhel8-operator@sha256:1ef51b3cd89d4da166d8b9e1582fa7c0fc5415e0eb2f2c8ab18ec704d2bd74d8?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-rhel8-operator\u0026tag=3.73.0-4"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-roxctl-rhel8@sha256:61f027ae531f3e23f2394e7f93c397eda14ce1ad93e8c19d463cd301464147b5_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-roxctl-rhel8@sha256:61f027ae531f3e23f2394e7f93c397eda14ce1ad93e8c19d463cd301464147b5_amd64",
"product_id": "advanced-cluster-security/rhacs-roxctl-rhel8@sha256:61f027ae531f3e23f2394e7f93c397eda14ce1ad93e8c19d463cd301464147b5_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-roxctl-rhel8@sha256:61f027ae531f3e23f2394e7f93c397eda14ce1ad93e8c19d463cd301464147b5?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-roxctl-rhel8\u0026tag=3.73.0-4"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-scanner-rhel8@sha256:976ca1e50768c0c619d56b99d0660bf1885164cc3982136821650479946c904d_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-scanner-rhel8@sha256:976ca1e50768c0c619d56b99d0660bf1885164cc3982136821650479946c904d_amd64",
"product_id": "advanced-cluster-security/rhacs-scanner-rhel8@sha256:976ca1e50768c0c619d56b99d0660bf1885164cc3982136821650479946c904d_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-scanner-rhel8@sha256:976ca1e50768c0c619d56b99d0660bf1885164cc3982136821650479946c904d?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-scanner-rhel8\u0026tag=3.73.0-4"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:2dd59fe0134c5d2f239d6f96d6876ac687e0490e52ab41647842e3244623480c_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:2dd59fe0134c5d2f239d6f96d6876ac687e0490e52ab41647842e3244623480c_amd64",
"product_id": "advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:2dd59fe0134c5d2f239d6f96d6876ac687e0490e52ab41647842e3244623480c_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-scanner-db-rhel8@sha256:2dd59fe0134c5d2f239d6f96d6876ac687e0490e52ab41647842e3244623480c?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-scanner-db-rhel8\u0026tag=3.73.0-4"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:38b7030affee05fd8cd8e947b89ff8b40962af45267e2ec0143f827c8e33eca3_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:38b7030affee05fd8cd8e947b89ff8b40962af45267e2ec0143f827c8e33eca3_amd64",
"product_id": "advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:38b7030affee05fd8cd8e947b89ff8b40962af45267e2ec0143f827c8e33eca3_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-scanner-db-slim-rhel8@sha256:38b7030affee05fd8cd8e947b89ff8b40962af45267e2ec0143f827c8e33eca3?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-scanner-db-slim-rhel8\u0026tag=3.73.0-3"
}
}
},
{
"category": "product_version",
"name": "advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aefb2507e2c8a68ca457c0f208ea2cc24ae52a694c03e2c85ffd172f6673f18d_amd64",
"product": {
"name": "advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aefb2507e2c8a68ca457c0f208ea2cc24ae52a694c03e2c85ffd172f6673f18d_amd64",
"product_id": "advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aefb2507e2c8a68ca457c0f208ea2cc24ae52a694c03e2c85ffd172f6673f18d_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhacs-scanner-slim-rhel8@sha256:aefb2507e2c8a68ca457c0f208ea2cc24ae52a694c03e2c85ffd172f6673f18d?arch=amd64\u0026repository_url=registry.redhat.io/advanced-cluster-security/rhacs-scanner-slim-rhel8\u0026tag=3.73.0-4"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-central-db-rhel8@sha256:83b7562687545ba41fedd5f5d6ed5403fe7a3a5cac3110e711cbe46dad2d26fd_amd64 as a component of RHACS 3.73 for RHEL 8",
"product_id": "8Base-RHACS-3.73:advanced-cluster-security/rhacs-central-db-rhel8@sha256:83b7562687545ba41fedd5f5d6ed5403fe7a3a5cac3110e711cbe46dad2d26fd_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-central-db-rhel8@sha256:83b7562687545ba41fedd5f5d6ed5403fe7a3a5cac3110e711cbe46dad2d26fd_amd64",
"relates_to_product_reference": "8Base-RHACS-3.73"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-collector-rhel8@sha256:cc229c86ecb3d1e1b1af479041fa8e940c61e69dbc309c8e66de7945df5cc591_amd64 as a component of RHACS 3.73 for RHEL 8",
"product_id": "8Base-RHACS-3.73:advanced-cluster-security/rhacs-collector-rhel8@sha256:cc229c86ecb3d1e1b1af479041fa8e940c61e69dbc309c8e66de7945df5cc591_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-collector-rhel8@sha256:cc229c86ecb3d1e1b1af479041fa8e940c61e69dbc309c8e66de7945df5cc591_amd64",
"relates_to_product_reference": "8Base-RHACS-3.73"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:7ad85567fea6d1c1b5ca6a360cb1565184df075bad61ffc8ce5ec0595273e733_amd64 as a component of RHACS 3.73 for RHEL 8",
"product_id": "8Base-RHACS-3.73:advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:7ad85567fea6d1c1b5ca6a360cb1565184df075bad61ffc8ce5ec0595273e733_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:7ad85567fea6d1c1b5ca6a360cb1565184df075bad61ffc8ce5ec0595273e733_amd64",
"relates_to_product_reference": "8Base-RHACS-3.73"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-docs-rhel8@sha256:87bf4d7e041d6e3197b1c23c58061f877434f6e550ddf516b6512be5309f89c3_amd64 as a component of RHACS 3.73 for RHEL 8",
"product_id": "8Base-RHACS-3.73:advanced-cluster-security/rhacs-docs-rhel8@sha256:87bf4d7e041d6e3197b1c23c58061f877434f6e550ddf516b6512be5309f89c3_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-docs-rhel8@sha256:87bf4d7e041d6e3197b1c23c58061f877434f6e550ddf516b6512be5309f89c3_amd64",
"relates_to_product_reference": "8Base-RHACS-3.73"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-main-rhel8@sha256:82d8a9f94f291d6ee6f38668bc13e4830efc5b289754232d6e8a483043771da3_amd64 as a component of RHACS 3.73 for RHEL 8",
"product_id": "8Base-RHACS-3.73:advanced-cluster-security/rhacs-main-rhel8@sha256:82d8a9f94f291d6ee6f38668bc13e4830efc5b289754232d6e8a483043771da3_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-main-rhel8@sha256:82d8a9f94f291d6ee6f38668bc13e4830efc5b289754232d6e8a483043771da3_amd64",
"relates_to_product_reference": "8Base-RHACS-3.73"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-operator-bundle@sha256:d496a827f223e5464a1b6c87168102df632643e1f8348a8abb1a5e9e226f00d2_amd64 as a component of RHACS 3.73 for RHEL 8",
"product_id": "8Base-RHACS-3.73:advanced-cluster-security/rhacs-operator-bundle@sha256:d496a827f223e5464a1b6c87168102df632643e1f8348a8abb1a5e9e226f00d2_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-operator-bundle@sha256:d496a827f223e5464a1b6c87168102df632643e1f8348a8abb1a5e9e226f00d2_amd64",
"relates_to_product_reference": "8Base-RHACS-3.73"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-rhel8-operator@sha256:1ef51b3cd89d4da166d8b9e1582fa7c0fc5415e0eb2f2c8ab18ec704d2bd74d8_amd64 as a component of RHACS 3.73 for RHEL 8",
"product_id": "8Base-RHACS-3.73:advanced-cluster-security/rhacs-rhel8-operator@sha256:1ef51b3cd89d4da166d8b9e1582fa7c0fc5415e0eb2f2c8ab18ec704d2bd74d8_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-rhel8-operator@sha256:1ef51b3cd89d4da166d8b9e1582fa7c0fc5415e0eb2f2c8ab18ec704d2bd74d8_amd64",
"relates_to_product_reference": "8Base-RHACS-3.73"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-roxctl-rhel8@sha256:61f027ae531f3e23f2394e7f93c397eda14ce1ad93e8c19d463cd301464147b5_amd64 as a component of RHACS 3.73 for RHEL 8",
"product_id": "8Base-RHACS-3.73:advanced-cluster-security/rhacs-roxctl-rhel8@sha256:61f027ae531f3e23f2394e7f93c397eda14ce1ad93e8c19d463cd301464147b5_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-roxctl-rhel8@sha256:61f027ae531f3e23f2394e7f93c397eda14ce1ad93e8c19d463cd301464147b5_amd64",
"relates_to_product_reference": "8Base-RHACS-3.73"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:2dd59fe0134c5d2f239d6f96d6876ac687e0490e52ab41647842e3244623480c_amd64 as a component of RHACS 3.73 for RHEL 8",
"product_id": "8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:2dd59fe0134c5d2f239d6f96d6876ac687e0490e52ab41647842e3244623480c_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:2dd59fe0134c5d2f239d6f96d6876ac687e0490e52ab41647842e3244623480c_amd64",
"relates_to_product_reference": "8Base-RHACS-3.73"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:38b7030affee05fd8cd8e947b89ff8b40962af45267e2ec0143f827c8e33eca3_amd64 as a component of RHACS 3.73 for RHEL 8",
"product_id": "8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:38b7030affee05fd8cd8e947b89ff8b40962af45267e2ec0143f827c8e33eca3_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:38b7030affee05fd8cd8e947b89ff8b40962af45267e2ec0143f827c8e33eca3_amd64",
"relates_to_product_reference": "8Base-RHACS-3.73"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-scanner-rhel8@sha256:976ca1e50768c0c619d56b99d0660bf1885164cc3982136821650479946c904d_amd64 as a component of RHACS 3.73 for RHEL 8",
"product_id": "8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-rhel8@sha256:976ca1e50768c0c619d56b99d0660bf1885164cc3982136821650479946c904d_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-scanner-rhel8@sha256:976ca1e50768c0c619d56b99d0660bf1885164cc3982136821650479946c904d_amd64",
"relates_to_product_reference": "8Base-RHACS-3.73"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aefb2507e2c8a68ca457c0f208ea2cc24ae52a694c03e2c85ffd172f6673f18d_amd64 as a component of RHACS 3.73 for RHEL 8",
"product_id": "8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aefb2507e2c8a68ca457c0f208ea2cc24ae52a694c03e2c85ffd172f6673f18d_amd64"
},
"product_reference": "advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aefb2507e2c8a68ca457c0f208ea2cc24ae52a694c03e2c85ffd172f6673f18d_amd64",
"relates_to_product_reference": "8Base-RHACS-3.73"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-24778",
"cwe": {
"id": "CWE-303",
"name": "Incorrect Implementation of Authentication Algorithm"
},
"discovery_date": "2022-03-28T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-central-db-rhel8@sha256:83b7562687545ba41fedd5f5d6ed5403fe7a3a5cac3110e711cbe46dad2d26fd_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-collector-rhel8@sha256:cc229c86ecb3d1e1b1af479041fa8e940c61e69dbc309c8e66de7945df5cc591_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:7ad85567fea6d1c1b5ca6a360cb1565184df075bad61ffc8ce5ec0595273e733_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-docs-rhel8@sha256:87bf4d7e041d6e3197b1c23c58061f877434f6e550ddf516b6512be5309f89c3_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-operator-bundle@sha256:d496a827f223e5464a1b6c87168102df632643e1f8348a8abb1a5e9e226f00d2_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-rhel8-operator@sha256:1ef51b3cd89d4da166d8b9e1582fa7c0fc5415e0eb2f2c8ab18ec704d2bd74d8_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-roxctl-rhel8@sha256:61f027ae531f3e23f2394e7f93c397eda14ce1ad93e8c19d463cd301464147b5_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:2dd59fe0134c5d2f239d6f96d6876ac687e0490e52ab41647842e3244623480c_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:38b7030affee05fd8cd8e947b89ff8b40962af45267e2ec0143f827c8e33eca3_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-rhel8@sha256:976ca1e50768c0c619d56b99d0660bf1885164cc3982136821650479946c904d_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aefb2507e2c8a68ca457c0f208ea2cc24ae52a694c03e2c85ffd172f6673f18d_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2069368"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the imgcrypt library when checking the keys of an authorized user to access an encrypted image on systems where layers are not available and cannot run on the host architecture. This flaw allows an attacker to run an image without providing the previously decrypted keys.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "imgcrypt: Unauthorized access to encryted container image on a shared system due to missing check in CheckAuthorization() code path",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Only Fedora is using the affected codebase. Hence, marking other products as of Low impact as they are using an affected version of \u0027imgcrypt\u0027 as a transitive dependency.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-main-rhel8@sha256:82d8a9f94f291d6ee6f38668bc13e4830efc5b289754232d6e8a483043771da3_amd64"
],
"known_not_affected": [
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-central-db-rhel8@sha256:83b7562687545ba41fedd5f5d6ed5403fe7a3a5cac3110e711cbe46dad2d26fd_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-collector-rhel8@sha256:cc229c86ecb3d1e1b1af479041fa8e940c61e69dbc309c8e66de7945df5cc591_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:7ad85567fea6d1c1b5ca6a360cb1565184df075bad61ffc8ce5ec0595273e733_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-docs-rhel8@sha256:87bf4d7e041d6e3197b1c23c58061f877434f6e550ddf516b6512be5309f89c3_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-operator-bundle@sha256:d496a827f223e5464a1b6c87168102df632643e1f8348a8abb1a5e9e226f00d2_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-rhel8-operator@sha256:1ef51b3cd89d4da166d8b9e1582fa7c0fc5415e0eb2f2c8ab18ec704d2bd74d8_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-roxctl-rhel8@sha256:61f027ae531f3e23f2394e7f93c397eda14ce1ad93e8c19d463cd301464147b5_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:2dd59fe0134c5d2f239d6f96d6876ac687e0490e52ab41647842e3244623480c_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:38b7030affee05fd8cd8e947b89ff8b40962af45267e2ec0143f827c8e33eca3_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-rhel8@sha256:976ca1e50768c0c619d56b99d0660bf1885164cc3982136821650479946c904d_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aefb2507e2c8a68ca457c0f208ea2cc24ae52a694c03e2c85ffd172f6673f18d_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-24778"
},
{
"category": "external",
"summary": "RHBZ#2069368",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2069368"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-24778",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24778"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-24778",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24778"
},
{
"category": "external",
"summary": "https://github.com/containerd/imgcrypt/security/advisories/GHSA-8v99-48m9-c8pm",
"url": "https://github.com/containerd/imgcrypt/security/advisories/GHSA-8v99-48m9-c8pm"
}
],
"release_date": "2022-03-25T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-12-06T14:00:32+00:00",
"details": "To take advantage of the new features, bug fixes, and enhancements in RHACS 3.73 you are advised to upgrade to RHACS 3.73.0.",
"product_ids": [
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-main-rhel8@sha256:82d8a9f94f291d6ee6f38668bc13e4830efc5b289754232d6e8a483043771da3_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:8827"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-central-db-rhel8@sha256:83b7562687545ba41fedd5f5d6ed5403fe7a3a5cac3110e711cbe46dad2d26fd_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-collector-rhel8@sha256:cc229c86ecb3d1e1b1af479041fa8e940c61e69dbc309c8e66de7945df5cc591_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:7ad85567fea6d1c1b5ca6a360cb1565184df075bad61ffc8ce5ec0595273e733_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-docs-rhel8@sha256:87bf4d7e041d6e3197b1c23c58061f877434f6e550ddf516b6512be5309f89c3_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-main-rhel8@sha256:82d8a9f94f291d6ee6f38668bc13e4830efc5b289754232d6e8a483043771da3_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-operator-bundle@sha256:d496a827f223e5464a1b6c87168102df632643e1f8348a8abb1a5e9e226f00d2_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-rhel8-operator@sha256:1ef51b3cd89d4da166d8b9e1582fa7c0fc5415e0eb2f2c8ab18ec704d2bd74d8_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-roxctl-rhel8@sha256:61f027ae531f3e23f2394e7f93c397eda14ce1ad93e8c19d463cd301464147b5_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:2dd59fe0134c5d2f239d6f96d6876ac687e0490e52ab41647842e3244623480c_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:38b7030affee05fd8cd8e947b89ff8b40962af45267e2ec0143f827c8e33eca3_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-rhel8@sha256:976ca1e50768c0c619d56b99d0660bf1885164cc3982136821650479946c904d_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aefb2507e2c8a68ca457c0f208ea2cc24ae52a694c03e2c85ffd172f6673f18d_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "imgcrypt: Unauthorized access to encryted container image on a shared system due to missing check in CheckAuthorization() code path"
},
{
"cve": "CVE-2022-36056",
"cwe": {
"id": "CWE-347",
"name": "Improper Verification of Cryptographic Signature"
},
"discovery_date": "2022-09-21T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-central-db-rhel8@sha256:83b7562687545ba41fedd5f5d6ed5403fe7a3a5cac3110e711cbe46dad2d26fd_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-collector-rhel8@sha256:cc229c86ecb3d1e1b1af479041fa8e940c61e69dbc309c8e66de7945df5cc591_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:7ad85567fea6d1c1b5ca6a360cb1565184df075bad61ffc8ce5ec0595273e733_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-docs-rhel8@sha256:87bf4d7e041d6e3197b1c23c58061f877434f6e550ddf516b6512be5309f89c3_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-operator-bundle@sha256:d496a827f223e5464a1b6c87168102df632643e1f8348a8abb1a5e9e226f00d2_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-rhel8-operator@sha256:1ef51b3cd89d4da166d8b9e1582fa7c0fc5415e0eb2f2c8ab18ec704d2bd74d8_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-roxctl-rhel8@sha256:61f027ae531f3e23f2394e7f93c397eda14ce1ad93e8c19d463cd301464147b5_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:2dd59fe0134c5d2f239d6f96d6876ac687e0490e52ab41647842e3244623480c_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:38b7030affee05fd8cd8e947b89ff8b40962af45267e2ec0143f827c8e33eca3_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aefb2507e2c8a68ca457c0f208ea2cc24ae52a694c03e2c85ffd172f6673f18d_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2128820"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in cosign, where it incorrectly verified an artifact when the embedded rekorBundle does not reference the given signature. This flaw allows an attacker to exploit integrity and confidentiality.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "app-containers/cosign: false positive verification",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-main-rhel8@sha256:82d8a9f94f291d6ee6f38668bc13e4830efc5b289754232d6e8a483043771da3_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-rhel8@sha256:976ca1e50768c0c619d56b99d0660bf1885164cc3982136821650479946c904d_amd64"
],
"known_not_affected": [
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-central-db-rhel8@sha256:83b7562687545ba41fedd5f5d6ed5403fe7a3a5cac3110e711cbe46dad2d26fd_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-collector-rhel8@sha256:cc229c86ecb3d1e1b1af479041fa8e940c61e69dbc309c8e66de7945df5cc591_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:7ad85567fea6d1c1b5ca6a360cb1565184df075bad61ffc8ce5ec0595273e733_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-docs-rhel8@sha256:87bf4d7e041d6e3197b1c23c58061f877434f6e550ddf516b6512be5309f89c3_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-operator-bundle@sha256:d496a827f223e5464a1b6c87168102df632643e1f8348a8abb1a5e9e226f00d2_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-rhel8-operator@sha256:1ef51b3cd89d4da166d8b9e1582fa7c0fc5415e0eb2f2c8ab18ec704d2bd74d8_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-roxctl-rhel8@sha256:61f027ae531f3e23f2394e7f93c397eda14ce1ad93e8c19d463cd301464147b5_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:2dd59fe0134c5d2f239d6f96d6876ac687e0490e52ab41647842e3244623480c_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:38b7030affee05fd8cd8e947b89ff8b40962af45267e2ec0143f827c8e33eca3_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aefb2507e2c8a68ca457c0f208ea2cc24ae52a694c03e2c85ffd172f6673f18d_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-36056"
},
{
"category": "external",
"summary": "RHBZ#2128820",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2128820"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-36056",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-36056"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-36056",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36056"
},
{
"category": "external",
"summary": "https://github.com/sigstore/cosign/security/advisories/GHSA-8gw7-4j42-w388",
"url": "https://github.com/sigstore/cosign/security/advisories/GHSA-8gw7-4j42-w388"
}
],
"release_date": "2022-09-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-12-06T14:00:32+00:00",
"details": "To take advantage of the new features, bug fixes, and enhancements in RHACS 3.73 you are advised to upgrade to RHACS 3.73.0.",
"product_ids": [
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-main-rhel8@sha256:82d8a9f94f291d6ee6f38668bc13e4830efc5b289754232d6e8a483043771da3_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-rhel8@sha256:976ca1e50768c0c619d56b99d0660bf1885164cc3982136821650479946c904d_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:8827"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-central-db-rhel8@sha256:83b7562687545ba41fedd5f5d6ed5403fe7a3a5cac3110e711cbe46dad2d26fd_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-collector-rhel8@sha256:cc229c86ecb3d1e1b1af479041fa8e940c61e69dbc309c8e66de7945df5cc591_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-collector-slim-rhel8@sha256:7ad85567fea6d1c1b5ca6a360cb1565184df075bad61ffc8ce5ec0595273e733_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-docs-rhel8@sha256:87bf4d7e041d6e3197b1c23c58061f877434f6e550ddf516b6512be5309f89c3_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-main-rhel8@sha256:82d8a9f94f291d6ee6f38668bc13e4830efc5b289754232d6e8a483043771da3_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-operator-bundle@sha256:d496a827f223e5464a1b6c87168102df632643e1f8348a8abb1a5e9e226f00d2_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-rhel8-operator@sha256:1ef51b3cd89d4da166d8b9e1582fa7c0fc5415e0eb2f2c8ab18ec704d2bd74d8_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-roxctl-rhel8@sha256:61f027ae531f3e23f2394e7f93c397eda14ce1ad93e8c19d463cd301464147b5_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-db-rhel8@sha256:2dd59fe0134c5d2f239d6f96d6876ac687e0490e52ab41647842e3244623480c_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-db-slim-rhel8@sha256:38b7030affee05fd8cd8e947b89ff8b40962af45267e2ec0143f827c8e33eca3_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-rhel8@sha256:976ca1e50768c0c619d56b99d0660bf1885164cc3982136821650479946c904d_amd64",
"8Base-RHACS-3.73:advanced-cluster-security/rhacs-scanner-slim-rhel8@sha256:aefb2507e2c8a68ca457c0f208ea2cc24ae52a694c03e2c85ffd172f6673f18d_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "app-containers/cosign: false positive verification"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.