(RHSA-2022:8827) Low: RHACS 3.73 enhancement and security update

Red Hat Security Advisory published 2022-12-06 13:04:45 (access.redhat.com)

EPSS: 0.005 (percentile 76.3%)

Release of RHACS 3.73 provides these changes:

New features:

  • Red Hat Advanced Cluster Security Cloud Service (ACSCS) is a Red Hat managed service that simplifies and accelerates RHACS deployments. ACSCS is available as a Field Trial release. For more information about accessing ACSCS, contact Red Hat Sales.
  • Improved Vulnerability Management dashboard for ACSCS users.
  • A PostgreSQL database option is available as a Technology Preview feature. If you are interested in participating in the Tech Preview program, contact your Red Hat account representative.
  • A new build-time network policy generator, available as a Technology Preview feature, generates Kubernetes network policies from application YAML manifests.

Notable technical changes:

  • RHACS uses GraphQL internally to show data in the RHACS portal. However, Red Hat does not support querying RHACS using GraphQL. If you are using GraphQL, see https://access.redhat.com/articles/6986289 and contact Red Hat Consulting.
  • Sensor no longer uses the anyuid Security Context Constraint (SCC). Instead, the default SCC for Sensor is now restricted or restricted-v2, or stackrox-sensor, depending on the settings. In addition, the runAsUser and fsGroup for the Admission control and Sensor deployments are no longer hard-coded to 4000 on OpenShift clusters, so that the restricted and restricted-v2 SCCs, which assign UIDs from the namespace's allocated range, can admit these pods. (ROX-9342)
  • The service account central, which the Central deployment uses, now includes get and list access to the pods, events, and namespaces resources in the namespace where you deploy Central.
  • The CSV export API /api/vm/export/csv now requires the CVE Type filter as part of the input query parameter. Supported values for CVE Type are IMAGE_CVE, K8S_CVE, ISTIO_CVE, NODE_CVE, and OPENSHIFT_CVE.
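The CSV export change above, as an added shell example that is not part of the advisory or of the RHACS code base. The endpoint path /api/vm/export/csv and the five CVE Type values come from the advisory; the parameter name query, the RHACS search syntax CVE Type:<value>, the ROX_ENDPOINT and ROX_API_TOKEN variables and the host name central.example.com are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not code from the advisory or from RHACS itself.
# Builds (and optionally calls) the /api/vm/export/csv endpoint with the
# "CVE Type" filter that RHACS 3.73 now requires.
# Assumptions: the filter is passed in the endpoint's `query` parameter using
# RHACS search syntax ("CVE Type:IMAGE_CVE"); ROX_ENDPOINT (host[:port]) and
# ROX_API_TOKEN are supplied by the caller.
set -eu

# The CVE Type values the advisory lists as supported.
RHACS_CVE_TYPES="IMAGE_CVE K8S_CVE ISTIO_CVE NODE_CVE OPENSHIFT_CVE"

# Minimal percent-encoding for the filter we emit: the supported values are
# [A-Z0-9_] only, so just the space and the colon in "CVE Type:<value>" need
# encoding. This is not a general-purpose URL encoder.
urlencode_filter() {
  printf '%s' "$1" | sed -e 's/ /%20/g' -e 's/:/%3A/g'
}

# Print the export URL for one CVE type. Values outside the supported list are
# rejected locally so a typo fails fast instead of as an opaque server error.
rhacs_vm_export_url() {
  endpoint="$1"
  cve_type="$2"
  case " $RHACS_CVE_TYPES " in
    *" $cve_type "*) ;;
    *)
      echo "unsupported CVE Type '$cve_type'; expected one of: $RHACS_CVE_TYPES" >&2
      return 1
      ;;
  esac
  printf 'https://%s/api/vm/export/csv?query=%s\n' \
    "$endpoint" "$(urlencode_filter "CVE Type:$cve_type")"
}

# Download the CSV for one CVE type. --fail makes curl return non-zero on an
# HTTP error (for example a 4xx caused by a missing or invalid filter) instead
# of silently writing the error body into the output file.
rhacs_vm_export_csv() {
  cve_type="$1"
  out="${2:-vulns-$1.csv}"
  url="$(rhacs_vm_export_url "$ROX_ENDPOINT" "$cve_type")" || return 1
  curl --fail --silent --show-error \
    -H "Authorization: Bearer $ROX_API_TOKEN" \
    -o "$out" "$url"
}

# Stand-alone use: export every CVE type into its own file when credentials
# are present in the environment; otherwise only print the URLs that would be
# requested (central.example.com is a placeholder host).
if [ -n "${ROX_ENDPOINT:-}" ] && [ -n "${ROX_API_TOKEN:-}" ]; then
  for t in $RHACS_CVE_TYPES; do
    rhacs_vm_export_csv "$t"
  done
else
  for t in $RHACS_CVE_TYPES; do
    rhacs_vm_export_url "central.example.com:443" "$t"
  done
fi
```

Because the filter is now mandatory, a script written against an earlier release that requested /api/vm/export/csv with no CVE Type will start failing after the upgrade; exporting one file per CVE Type, as above, is the straightforward way to get the same coverage the unfiltered export used to give.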

Notice of in-product docs removal:

  • Beginning in the RHACS 3.74 release, Red Hat will remove the in-product docs accessible from the help menu. If you are using the in-product docs, you can instead download the required documentation in PDF format from Red Hat Customer Portal. (ROX-12839)

Bug fixes:

  • Previously, if you were using the StackRox Kubernetes Security Platform - Splunk Technology Add-on, results for the ocp4-cis-node compliance standard were missing from Splunk. This issue is now fixed. The Splunk integration now includes the ocp4-cis-node compliance standard results. (ROX-11937)
  • Previously, Central would fail on the v1 CronJob deployment check. This issue is fixed. (ROX-13500)

Security Fix(es):

  • imgcrypt: Unauthorized access to encrypted container image on a shared system due to missing check in CheckAuthorization() code path (CVE-2022-24778)

  • app-containers/cosign: false positive verification (CVE-2022-36056)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.