#kubernetes

Red Hat Security Advisory 2023-7690-03 - Red Hat OpenShift Container Platform release 4.11.55 is now available with updates to packages and images that fix several bugs and add enhancements.

Laf is a cloud development platform. Prior to version 1.0.0-beta.13, the control of LAF app enV is not strict enough, and in certain scenarios of privatization environment, it may lead to sensitive information leakage in secret and configmap. In ES6 syntax, if an obj directly references another obj, the name of the obj itself will be used as the key, and the entire object structure will be integrated intact. When constructing the deployment instance of the app, env was found from the database and directly inserted into the template, resulting in controllability here. Sensitive information in the secret and configmap can be read through the k8s envFrom field. In a privatization environment, when `namespaceConf. fixed` is marked, it may lead to the leakage of sensitive information in the system. As of time of publication, it is unclear whether any patches or workarounds exist.

Red Hat Security Advisory 2023-7725-03 - Updated images are now available for Red Hat Advanced Cluster Security. The updated image includes bug and security fixes.

In Red Hat Advanced Cluster Security (RHACS), it was found that some security related HTTP headers were missing, allowing an attacker to exploit this with a clickjacking attack. An attacker could exploit this by convincing a valid RHACS user to visit an attacker-controlled web page, that deceptively points to valid RHACS endpoints, hijacking the user's account permissions to perform other actions.

### Impact When lakeFS is configured with **ALL** of the following: - Configuration option `auth.encrypt.secret_key` passed through environment variable - Actions enabled via configuration option `actions.enabled` (default enabled) then a user who can configure an action can impersonate any other user. ### Patches _Has the problem been patched? What versions should users upgrade to?_ ### Workarounds **ANY ONE** of these is sufficient to prevent the issue: * Do not pass `auth.encrypt.secret_key` through an environment variable. For instance, Kubernetes users can generate the entire configuration as a secret and mount that. This is described [here](https://kubernetes.io/docs/concepts/configuration/secret/#using-a-secret). * Disable actions. * Limit users allowed to configure actions.

Red Hat Security Advisory 2023-7710-03 - An update for windows-machine-config-operator-bundle-container and windows-machine-config-operator-container is now available for Red Hat OpenShift Container Platform 4.12. Issues addressed include a privilege escalation vulnerability.

Red Hat Security Advisory 2023-7709-03 - The components for Red Hat OpenShift for Windows Containers 8.1.1 are now available. This product release includes bug fixes and security updates for the following packages: windows-machine-config-operator and windows-machine-config-operator-bundle. Issues addressed include a privilege escalation vulnerability.

Red Hat Security Advisory 2023-7703-03 - Red Hat OpenShift Pipelines 1.10.6 has been released. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-7610-03 - Red Hat OpenShift Container Platform release 4.12.45 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-7608-03 - Red Hat OpenShift Container Platform release 4.12.45 is now available with updates to packages and images that fix several bugs and add enhancements.