Red Hat Advanced Cluster Security for Kubernetes 3.68

ROX-10845: CVE-2022-1902: GraphQL exposes Notifiers secrets.

ROX-9243: In RHACS 3.68.0, Central would sometimes stop responding if the vulnerability data was not available. This issue has been fixed. Central now reports an error for such cases.

ROX-8709: Previously, searching for CVEs with a specific severity did not returned any results. This issue has been fixed.

ROX-8983: Previously, when configuring the Manage Watches feature, if you added more than 12 images to the watch list, the image list did not display properly. This issue has been fixed.

ROX-8276: Previously, when the RHACS Operator accessed the central-htpasswd secret, it created a false positive policy violation for the OpenShift: Advanced Cluster Security Central Admin Secret Accessed default policy. This issue has been fixed.

RHACS 3.68 includes updates for the Log4Shell vulnerability detection policy. With this update this policy also detects CVE-2021-45046, and it includes the updated remediation based on the latest guidance by the Apache Logging security team.

Before this release, snoozing CVEs required write permission for the Images resource. Beginning with RHACS 3.68:

When you upgrade to RHACS 3.68, roles that include write access on the Images resource will have write permissions for both VulnerabilityManagementRequests and VulnerabilityManagementApprovals resource. Red Hat recommends updating the roles to only include the least amount of resources required for each role.

If you installed Red Hat Advanced Cluster Security for Kubernetes using Helm, this update disabled the cluster configuration options in the RHACS portal. You can continue to use Helm configuration files.

RHACS 3.68 sends notifications for every runtime policy violation rather than sending notifications only the first encountered violation. This is the default behavior. To change it, you must set the NOTIFY_EVERY_RUNTIME_EVENT to false.

Red Hat has moved the following images to new repositories:

Tags of the scanner, scanner-db, and collector images, including the collector-slim variant, are now identical to the main image tag. In addition, all these tags now match the version of Red Hat Advanced Cluster Security for Kubernetes. For example, a scanner image for RHACS 3.68.0 is now identified as registry.redhat.io/advanced-cluster-security/rhacs-scanner-rhel8:3.68.0 and stackrox.io/scanner:3.68.0. Make sure you follow the same versioning scheme when you upgrade manually.

Red Hat has changed the image names for collector-slim. -slim is no longer part of the image tag. Collector Slim image for the release 3.68.0 is identified as registry.redhat.io/advanced-cluster-security/rhacs-collector-slim-rhel8:3.68.0 and collector.stackrox.io/collector-slim:3.68.0.

Scanner DB image at registry.redhat.io/advanced-cluster-security/rhacs-scanner-db-rhel8 is now based on rhel8/postgresql-12.

The roxctl CLI includes a new --image-defaults option for the roxctl helm output and roxctl central generate commands. It allows selecting the default registry from which container images are taken for deploying central and scanner.

Red Hat has deprecated the --rhacs option for the roxctl helm output command. Use --rhacs-image-defaults option instead.

By default, the roxctl helm output command now uses the images from registry.redhat.io rather than stackrox.io.