This advisory covers Red Hat Advanced Cluster Management for Kubernetes 2.11.4, which includes security enhancements and bug fixes. The key security fixes address three vulnerabilities: CVE-2024-45296, a ReDoS vulnerability caused by backtracking regular expressions; CVE-2024-45813, a ReDoS vulnerability in multiparametric routes; and CVE-2024-45801, an XSS vulnerability via prototype pollution. These vulnerabilities could impact the stability and security of the cluster management platform. The advisory provides updated container images that resolve these issues. No CVSS scores are provided, but Red Hat rates the impact as moderate. The advisory also lists multiple other CVEs fixed in this release and various functional bug fixes.

The vulnerabilities fixed in this release could allow denial of service through regular expression backtracking (ReDoS) and cross-site scripting (XSS) attacks via prototype pollution. These issues may affect the availability and security of the Red Hat Advanced Cluster Management for Kubernetes platform. The overall security impact is rated moderate by Red Hat Product Security. There are no known exploits in the wild at the time of this advisory. The vulnerabilities affect the 2.11.4 version and earlier versions of the product.

Red Hat has released updated container images for Advanced Cluster Management for Kubernetes 2.11.4 that address these vulnerabilities. Users should apply this update after ensuring all previously released errata are applied. The vendor advisory does not indicate any temporary workarounds or that no action is required; therefore, updating to the fixed version is the recommended remediation. Patch status is confirmed by the vendor advisory as an official fix available in version 2.11.4.