The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_3929.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff




====================================================================
Red Hat Security Advisory

Synopsis:           Important: ACS 4.6 enhancement and security update
Advisory ID:        RHSA-2025:3929-03
Product:            Red Hat Advanced Cluster Security for Kubernetes
Advisory URL:       https://access.redhat.com/errata/RHSA-2025:3929
Issue date:         2025-04-16
Revision:           03
CVE Names:          CVE-2024-21536
====================================================================

Summary: 

Updated images are now available for Red Hat Advanced Cluster Security (RHACS).




Description:

This release of RHACS fixes the following bugs:

* Fixed an issue where Central could perform image scans even when delegated scanning was enabled, due to a race condition during Sensor reconnection.

* Fixed an issue where mismatched aggregation fields in Compliance tables and widgets caused inconsistent percentage displays.

* Fixed an issue where you ran into Google Kubernetes Engine (GKE) compatibility test failures because the tests still used a deprecated service in RHACS 4.6.

* Fixed an issue where you could see the Configuration Management page despite only having Alert permissions, resulting in role-based access control (RBAC) errors.

* Fixed an issue where verifying multi-signed images failed due to incorrect error handling.

This release of RHACS fixes the following security vulnerabilities:

CVE-2024-21536: Flaw in http-proxy-middleware allowed denial of service through unhandled promise rejections in micromatch.

CVE-2025-30204: Flaw in jwt-go allowed excessive memory allocation during header parsing, which could lead to a possible denial of service.

CVE-2024-57083: Flaw in redoc allowed prototypes in mergeObjects to be tainted, which allowed a denial of service through crafted payloads.


Solution:



CVEs:

CVE-2024-21536

References:

https://access.redhat.com/security/updates/classification/#important
https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_security_for_kubernetes/4.6/html/release_notes/release-notes-46
https://bugzilla.redhat.com/show_bug.cgi?id=2319884
https://bugzilla.redhat.com/show_bug.cgi?id=2354195
https://bugzilla.redhat.com/show_bug.cgi?id=2355865