Red Hat Advanced Cluster Security for Kubernetes 4.4

Consistent and accurate scanning: Reliable vulnerability scan results across the entire Red Hat product ecosystem, Red Hat RHACS, and Red Hat Quay.

Expanded language and operating system support: Expanded support for Golang in language vulnerability scanning and inclusion of Oracle Linux, SUSE Linux Enterprise, and Photon OS in operating system scanning.

Comprehensive vulnerability database source: Adoption of OSV.dev as the vulnerability database source for all supported programming language packages. The RHACS Scanner V4 uses the OSV database available at OSV.dev under this license.

"StackRox Scanner settings" in Installing RHACS on Red Hat OpenShift

"Scanner V4" in Installing RHACS on other platforms

"General requirements" in Default resource requirements for Red Hat Advanced Cluster Security for Kubernetes

Recommended resource requirements for Red Hat Advanced Cluster Security for Kubernetes

Remediate deficiencies and export the results of compliance scans from the RHACS dashboard.

Create custom profiles.

Support workload compliance.

roxctl netpol generate - Generates Kubernetes network policies that meet your application’s requirements by analyzing your project’s YAML manifests in a local directory.

roxctl netpol connectivity map - Lists the connections allowed by the network policies in your project.

roxctl netpol connectivity diff - Lists the differences in allowed connections between two project versions.

The type of a service has been changed to or from a cluster IP address.

A deployment is restarted and receives a new pod IP address, causing the other communicating party to attempt to reach the old IP address.

A container attempts to communicate with a locally linked IP address.

You can run RHACS-secured clusters on a larger number of Linux operating systems that are not currently included in the support package.

You no longer need to update the Collector support packages if you are offline. By avoiding issues related to eBPF probe retrieval, such as the risk of losing the network connection or if the probe is not present, you can update a cluster smoothly.

Filter by component: Uses the component name to narrow down the vulnerabilities. For example, if the Ruby Action Pack contains the vulnerability, the component is actionpack.

Filter by component source: Identifies the type of software element that contains the vulnerability, such as NODEJS or OS. You can tailor your views to your specific needs.

The /v1/availableAuthProviders endpoint is deprecated and in future releases, ensure that you authenticate and have at least READ permission on the Access resource when interacting with the /v1/availableAuthProviders endpoint.

The /v1/tls-challenge endpoint is deprecated and in future releases, ensure that you have included proper authentication in all interactions with the /v1/tls-challenge endpoint.

The reporting of Istio vulnerabilities is deprecated and is planned to be removed in a future release.

Support for older helm versions has been removed. Rendering the helm charts stackrox-central-services and stackrox-secured-cluster-services now requires helm version 3.9.0 or later.

The sunburst widgets in the Compliance section have been removed.

The Docker CIS benchmark has been removed.

Custom stackrox-* security context constraints (SCCs) have been replaced with default SCCs.

In the helm and Operator installation modes, references to image pull secrets with specific names are no longer automatically added to service accounts. References are added for compatibility reasons if the secrets exist during installation or upgrade.

Fixed an issue where Sensor reduced the number of allocations required when evaluating process indicators, resulting in improved memory utilization in scenarios with a high volume of runtime events received simultaneously. In addition, the default maximum gRPC payload size has been increased from 12 MB to 24 MB.

Fixed an issue where the RHACS integration with Jira Cloud could cause issues during creation. With this update, Jira issues that RHACS creates are prioritized correctly and the default priority mappings on the integration creation page in the RHACS portal have been updated to match the default priorities of Jira.

Fixed an issue where an RHACS policy with inform and enforce on deployment did not work when the deployment was scaled up. RHACS has added deployments/scale in the resources and actions section of the validating webhook controller in the admission controller.

Previously, a hanging network caused a random flake issue when you run the test scenario to open the user profile. With this update, this issue has now been fixed to improve the reliability of the test execution.

Previously, there were issues with compliance trigger scan calls aborting after 60 seconds due to synchronous execution in the backend. Your current scan progress could be lost if you left and returned. This issue could affect you if you have numerous clusters and large data. The cause was the synchronous loading of data and the dependency on pending IDs, which are only determined during trigger scans.

Previously, editing a custom vulnerability report associated with a specific report scope in RHACS 4.1 resulted in the loss of the report scope reference and would trigger A report scope is required message.

Fixed an issue that prevented the filtering of newly added or updated policies by category by using the roxctl CLI.

Before this update, Collector pods on nodes with 128 or more cores would fail with a CrashLoopBackOff status due to issues with how the CO-RE BPF allocated kernel memory. The patch release fixes this issue.

This release updates the Scanner baseline vulnerability data to address changes made to the Red Hat security data feeds that were not compatible with earlier data from Scanner’s scheduled feed processing. This fixes various issues where vulnerabilities were detected for images containing packages that were incorrectly indicated as affected by a vulnerability.

This release fixes a crash and rendering error in the network graph that occurs when Central is running an RHACS release of 4.3.6 or earlier and Sensor is running an RHACS release of 4.4.0 or later.

This release includes a new environment variable, ROX_API_TOKEN_FILE, that you can use to pass your API’s token file path to the roxctl CLI.

In earlier RHACS versions, RHACS did not update the alerts when violations changed. This release fixes the issue, and RHACS correctly updates the alerts when violations change.

The default telemetry endpoint is now set to a Red Hat proxy.

Go has been updated to release 1.20.12.

The golang.org/x/net module has been updated from release v0.22.0 to v0.23.0.

Fixed an issue where Scanner V4 was unable to scan images from registries that have untrusted TLS certificates, even when TLS verification was set to skipped.

Updated Collector version to support Red Hat Enterprise Linux (RHEL) 9.4 and distributions that use Linux kernels later than v6.7-rc5.

Added additional database statistics to the diagnostic bundle to aid in troubleshooting.

The following Scanner packages have been updated:

Fixed an issue in RHACS 4.4.1 where the image scan cache of Sensor was skipped, causing additional load on image registries.

Fixed an issue in RHACS 4.4 where the Namespace filter was missing in the Violations page, which was previously available in RHACS 4.3 and is critical for efficient filtering of violations.

The policy introduced in RHACS 4.4 has been updated to reduce noise, especially when using Scanner V4.

The Denial of Service Vulnerability policy in the HTTP/2 protocol has been updated and is now disabled by default. To use this policy, you should clone the policy and add the criteria to the Fixable policy before enabling the policy.

This release updates the process to ensure that Sensor completes the TLS handshake during secret synchronization. If this does not happen, the process can freeze and leave Sensor with incomplete data stores and a corrupted state, even if Sensor appears healthy.

Fixed an issue where Sensor could not identify pull secrets because the annotation was changed from kubernetes.io/service-account.name to openshift.io/internal-registry-auth-token.service-account in OpenShift Container Platform.

Fixed an issue where policies incorrectly displayed an enforced value of Yes in the Configuration Management → Application & Infrastructure → Deployments page due to inconsistent status handling, while showing No in the Violations page.

Fixed an issue where vulnerability data differed between Vulnerability Management 2.0 and Vulnerability Management 1.0 due to inconsistencies in vulnerability reporting.

CVE-2024-3727: Fixed a vulnerability related to Scanner where the containers/image digest type did not guarantee a valid type.

CVE-2024-37298: Fixed a vulnerability in gorilla/schema that allowed a potential memory exhaustion attack due to sparse slice deserialization.

CVE-2024-6104: Fixed a vulnerability in go-retryablehttp where URLs might inadvertently write sensitive information to log files.