Release notes
Highlights what is new and what has changed with Red Hat Advanced Cluster Security for Kubernetes releases
Abstract
Chapter 1. Red Hat Advanced Cluster Security for Kubernetes 4.7
Red Hat Advanced Cluster Security for Kubernetes (RHACS) is an enterprise-ready, Kubernetes-native container security solution that protects your vital applications across the build, deploy, and runtime stages of the application lifecycle. Red Hat Advanced Cluster Security for Kubernetes deploys into your infrastructure and integrates with your DevOps tools and workflows. This integration provides better security and compliance, enabling DevOps and InfoSec teams to operationalize security.
| RHACS version | Released on |
|---|---|
| 4.7.0 | 17 March 2025 |
| 4.7.1 | 31 March 2025 |
| 4.7.2 | 15 April 2025 |
| 4.7.3 | 15 May 2025 |
| 4.7.4 | 11 June 2025 |
| 4.7.5 | 22 July 2025 |
| 4.7.6 | 19 August 2025 |
| 4.7.7 | 30 September 2025 |
| 4.7.8 | 6 November 2025 |
| 4.7.9 | 16 December 2025 |
1.1. About release 4.7.0
RHACS 4.7 includes the following new features, improvements, and updates:
- External integrations
- Documentation
- Network
- Platform
  - Protect secured clusters running on Red Hat OpenShift on IBM Cloud
  - Automatic certificate rotation for secured clusters
  - Cluster Registration Secret for secured cluster bootstrapping
  - Machine-to-machine authentication by using Microsoft Entra ID
  - Use the short-lived OIDC credentials from Microsoft Azure
- Policy
- Vulnerability Management
1.2. New features
This release adds improvements related to the following components and concepts:
1.2.1. Scan the container images in the GitHub Container Registry
With RHACS 4.7, you can integrate with the GitHub Container Registry (GHCR) to scan container images stored in ghcr.io. RHACS now includes a default integration that supports both public and private GHCR instances to secure your containerized workloads.
For more information, see Manually configuring GitHub Container Registry.
1.2.2. Enhanced visibility for the OpenShift Container Platform component CVEs
RHACS 4.7 introduces improved visibility for the OpenShift Container Platform component Common Vulnerabilities and Exposures (CVEs). You can now view these CVEs separately to assess and manage security risks.
To view the platform CVEs, click Vulnerability Management → Results in the RHACS portal, and then click the Platform tab.
1.2.3. Machine-to-machine authentication by using Microsoft Entra ID
In RHACS 4.7, you can now enable machine-to-machine authentication by using short-lived RHACS Central tokens when you use Microsoft Entra ID, formerly known as Azure AD, as the OpenID Connect (OIDC) identity provider for your enterprise. You can exchange ID tokens for access tokens from RHACS Central. Microsoft Entra ID issues these ID tokens to your application’s service principals, and you can then use the RHACS access tokens to authenticate securely to the RHACS APIs.
For more information about how to exchange an identity token, see Exchanging an identity token.
For more information about how to use the Azure Entra ID service principals for machine to machine authentication with RHACS, see Using Azure Entra ID service principals for machine to machine auth with RHACS.
1.2.4. View the violation status directly on the Violations page
With RHACS 4.7, you can now see the status of a violation directly on the Violations page so that you can quickly determine whether the violation is still active. This streamlines automation workflows, such as creating a Jira ticket and sending it to an owner who does not use RHACS regularly.
By following the link in the ticket, the owner can immediately see if the violation is still relevant, reducing the risk of unnecessary delays or deprioritization. In addition, the page provides the full context of the violation and ensures that all relevant details are immediately available.
1.2.5. Prioritize CVEs with the EPSS integration
RHACS 4.7 introduces integration with the Exploit Prediction Scoring System (EPSS), a data-driven model that estimates the likelihood of a software vulnerability being exploited.
In addition to the severity and Common Vulnerability Scoring System (CVSS) score, an EPSS probability score from 0%-100% is now displayed for detected Common Vulnerabilities and Exposures (CVEs). You can use the EPSS score to better prioritize the remediation of CVE vulnerabilities and strengthen your security strategy.
For more information, see Prioritizing the vulnerabilities.
1.2.6. Enhanced visibility into the external IPs in the network graph
With RHACS 4.7, you can now get better insight into the external IP addresses behind external entities in the network graph.
Visualizing external entities is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.
For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.
This enhancement helps you identify the specific IP addresses that your deployments are communicating with and gives you better insight into the external interactions and potential risks.
For more information, see Visualizing external entities.
1.2.7. Enhanced options for the roxctl netpol generate command
In RHACS 4.7, the `roxctl netpol generate` command automatically detects when DNS connections are required and generates them accordingly. If you do not specify a port, port 53 is selected automatically, but you can change this by using the `--dnsport` flag. The `--dnsport` flag also accepts port names in addition to numbers, for example `--dnsport dns`.
You can use port names as a more robust method of specifying the port if the service has a defined name. If you are a Red Hat OpenShift customer and use the default DNS setting, you should use the `--dnsport` flag to change the default port, because the OpenShift DNS pod listens on port 5353.
For more information, see roxctl netpol generate.
1.2.8. Integrate vulnerability findings into the Red Hat Developer Hub
In RHACS 4.7, you can now bring vulnerability findings directly into the Red Hat Developer Hub (RHDH) and other platforms based on the upstream Backstage project by using the Backstage Plugin.
Integration of vulnerability findings into the RHDH is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.
For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.
You can incorporate the RHACS plugin into your developer environment and review key vulnerabilities for your applications within the platform. This provides information that you need before you can take the necessary remediation actions.
For more information, see Viewing security information in Red Hat Developer Hub.
1.2.9. Generate SBOMs from the scanned container images
With RHACS 4.7, you can now generate a Software Bill of Materials (SBOM) from the scanned container images.
Generation of SBOMs from the scanned container images is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.
For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.
These SBOMs give you a detailed overview of all software components, dependencies, and libraries within your application. RHACS creates SBOMs of the Analyzed type that comply with the Software Package Data Exchange (SPDX) 2.3 specification.
For more information about the SBOMs of the Analyzed type, see Types of SBOM Documents (America’s Cyber Defense Agency documentation).
For more information about how to use RHACS to generate SBOMs, see Generating SBOMs from scanned images.
Generating SBOMs from images analyzed through secured clusters by using the delegated scanning feature is currently not supported. It is anticipated that an upcoming release will support this feature.
1.2.10. Automatic certificate rotation for secured clusters
RHACS 4.7 introduces automatic certificate rotation for the secured cluster components, which ensures secure communication between Sensor, Admission Controller, and Collector within the cluster. Sensor also uses these certificates for its mutual TLS (mTLS) connection with Central.
For more information about the automatic certificate renewal, see Reissuing internal certificates for secured clusters by using automatic certificate renewal.
1.2.11. Cluster Registration Secret for secured cluster bootstrapping
In RHACS 4.7, you can now use the Cluster Registration Secret (CRS) to bootstrap a secured cluster and register it with Central.
Cluster Registration Secret is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.
For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.
Unlike previous methods, CRS separates the bootstrap credentials from the operational certificates so that the cluster continues to work even if the bootstrap credentials are revoked. You can generate the CRS by using the roxctl CLI commands and revoke it if required.
RHACS 4.7 supports both the init bundle and CRS, but in a future release the init bundle will be deprecated in favor of CRS.
For more information, see:
1.2.12. Protect secured clusters running on Red Hat OpenShift on IBM Cloud
In RHACS 4.7, you can now run secured clusters on Red Hat OpenShift on IBM Cloud and protect them with RHACS.
1.2.13. Use the short-lived OIDC credentials from Microsoft Azure
With RHACS 4.7, you can now use short-lived OpenID Connect (OIDC) credentials. The Microsoft Azure Identity Provider provides these credentials, and you can use these credentials to access the services in Microsoft Azure, such as the Azure Container Registry and Azure Sentinel.
This feature builds on the RHACS 4.4 release, which introduced the ability to use short-lived OIDC credentials from Amazon Web Services (AWS) and Google Cloud Platform (GCP) cloud providers to authenticate to the services hosted on these platforms.
For more information, see Manually configuring Microsoft Azure Container Registry.
1.3. Notable technical changes
This release contains the following changes:
- Scanner V4 now uses Red Hat VEX files instead of the Common Vulnerabilities and Exposures (CVE) map to provide vulnerability data for non-RPM content in official Red Hat images.
- You can no longer set the `ROX_NODE_INDEX_CONTAINER_API` environment variable in the Compliance pod. The node scanner never used this variable because it never connected to the Red Hat Container Catalog.
- To enable node scanning with Scanner V4 while the nodes continue to be scanned in parallel with Scanner V2, the `ROX_NODE_INDEX_ENABLED` variable has been updated from a Boolean setting to a feature flag. This change ensures that the RHACS portal can access the setting through the Central API.
  By default, Central with Scanner V4 prioritizes Scanner V4 scans, while StackRox Scanner V2 remains operational without any changes. You can manually enable or disable Scanner V4 and StackRox Scanner V2 for node scanning without affecting image scanning.
  For more information, see Vulnerability management overview.
- The `stackrox.io` Content Delivery Network (CDN) has been moved from Cloudflare to Akamai. When configuring firewall rules, use the hostname instead of IP addresses. If you previously allowed IP ranges for `stackrox.io`, you must update these rules. The following values are associated with a stable subset of Akamai Classless Inter-Domain Routing (CIDR) ranges:
  - 2.16.0.0/13
  - 23.0.0.0/12
  - 23.32.0.0/11
  - 23.192.0.0/11
  - 66.198.8.0/24
  - 95.100.0.0/15
  - 96.7.74.0/24
  - 104.117.66.0/24
  - 168.143.242.0/24
  - 168.143.243.0/24
  - 184.24.0.0/13
- You now use the `networking.externalIps.enabled` setting instead of `networking.externalIps.enable` in the `collector-config` ConfigMap for the Collector runtime configuration. The setting is defined as an enum with the valid values `ENABLED` and `DISABLED`, and the default value is `DISABLED`.
1.4. Documentation updates
The documentation for the System Health dashboard page has been updated to show you how to monitor component health, view administration usage, manage platform data and track system status.
For more information, see Analyzing and managing the system health information.
- Compliance 1.0 is currently planned to be deprecated in RHACS 4.9.
1.5. Deprecated and removed features
Some features available in earlier releases have been deprecated or removed.
Deprecated functionality is still included in RHACS and continues to be supported; however, it will be removed in a future release of this product and is not recommended for new deployments. For the most recent list of major functionality deprecated and removed, see the following table. Additional removed or deprecated functionality is available after the table.
In the table, features are marked with the following statuses:
- GA: General Availability
- TP: Technology Preview
- DEP: Deprecated
- REM: Removed
- NA: Not applicable
| Feature | RHACS 4.5 | RHACS 4.6 | RHACS 4.7 |
|---|---|---|---|
| API token authentication for Red Hat OpenShift Cluster Manager [1] | GA | DEP | DEP |
| | DEP | DEP | DEP |
| Google Container Registry integration [2] | GA | DEP | DEP |
| Kernel support packages and driver download functionality [3] | DEP | DEP | DEP |
| Reporting of Istio vulnerabilities | DEP | DEP | DEP |
| | DEP | DEP | REM |
| StackRox Scanner | GA | DEP | DEP |
| | DEP | DEP | DEP |
| | DEP | DEP | DEP |
| | DEP | DEP | DEP |
| | DEP | DEP | DEP |
| | DEP | DEP | DEP |
| Vulnerability Management (1.0) menu item [7] | DEP | DEP | DEP |
| Vulnerability Report Creator permission | DEP | DEP | DEP |
| Scanner V4 support for openSUSE Leap 15.0 and 15.1 [8] | GA | DEP | REM |
- API token authentication is deprecated. The corresponding cloud source integration now uses service accounts for authentication.
- The Google Container Registry integration is deprecated in response to the deprecation of Container Registry. You can use Artifact Registry as a registry replacement and Scanner V4 as a scanner replacement. For more information, see Transition from Container Registry (Google Cloud documentation).
- Kernel support packages and driver download functionality are deprecated.
- The `rhacs-collector-slim*` image is deprecated and has been removed in RHACS 4.7.0. The `rhacs-collector*` image used to contain kernel modules and eBPF probes, but RHACS no longer needs those items. The `rhacs-collector*` and `rhacs-collector-slim*` images are now functionally the same.
- A feature flag controls this API object, and you can enable or disable it by using the `ROX_VULN_MGMT_LEGACY_SNOOZE` environment variable. The format for specifying a duration in JSON requests to `v1/nodecves/suppress`, `v1/clustercves/suppress`, and `v1/imagecves/suppress` has changed to the ProtoJSON format. Only a numeric value representing seconds, with optional fractional seconds for nanosecond precision and followed by the `s` suffix, is supported, for example `0.300s`, `-5400s`, or `9900s`. The previously valid time units `ns`, `us`, `µs`, `ms`, `m`, and `h` are no longer supported.
- The Vulnerability Management → Dashboard view is deprecated and is planned to be removed in a future release. You can use the User workload vulnerabilities, Exception management, Platform vulnerabilities, and Node CVEs views as alternatives.
- Scanner V4 support for openSUSE Leap 15.0 and 15.1 is deprecated and has been removed in RHACS 4.7.0.
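The ProtoJSON duration rule above is easy to trip over when older automation still sends Go-style values such as `1h30m`. The following Python helper, added here as an example and not part of RHACS or `roxctl`, converts the previously accepted units into the seconds-plus-`s` form and validates a value before it is put into a suppress request; the function names are this example's own.

```python
import re
from decimal import Decimal

# Units the suppress endpoints accepted before the ProtoJSON change, in seconds.
# Both the micro sign (U+00B5) and the Greek mu (U+03BC) are accepted for "µs".
_UNIT_SECONDS = {
    "ns": Decimal("1e-9"), "us": Decimal("1e-6"), "µs": Decimal("1e-6"),
    "μs": Decimal("1e-6"), "ms": Decimal("1e-3"),
    "s": Decimal(1), "m": Decimal(60), "h": Decimal(3600),
}
# One "<number><unit>" component of a Go-style duration; "ms" must precede "m".
_COMPONENT = re.compile(r"(\d+(?:\.\d*)?|\.\d+)(ns|us|µs|μs|ms|s|m|h)")

# ProtoJSON Duration: integer seconds, optional fraction up to nanoseconds, "s" suffix.
_PROTOJSON = re.compile(r"-?\d+(?:\.\d{1,9})?s")


def parse_go_duration(text: str) -> Decimal:
    """Parse a Go-style duration ("1h30m", "300ms", "-5400s") into seconds."""
    s = text.strip()
    sign = Decimal(1)
    if s[:1] in ("+", "-"):
        if s[0] == "-":
            sign = Decimal(-1)
        s = s[1:]
    if s == "0":  # Go accepts a bare zero with no unit
        return Decimal(0)
    total = Decimal(0)
    pos = 0
    while pos < len(s):
        match = _COMPONENT.match(s, pos)
        if match is None:
            raise ValueError(f"invalid duration {text!r}")
        total += Decimal(match.group(1)) * _UNIT_SECONDS[match.group(2)]
        pos = match.end()
    if pos == 0:
        raise ValueError("empty duration")
    return sign * total


def format_protojson_duration(seconds: Decimal) -> str:
    """Render seconds as ProtoJSON: 0, 3, 6 or 9 fractional digits plus "s"."""
    quantized = seconds.quantize(Decimal("1e-9"))
    if quantized != seconds:
        raise ValueError("duration is finer than nanosecond precision")
    sign = "-" if quantized < 0 else ""
    magnitude = abs(quantized)
    whole = int(magnitude)
    nanos = int((magnitude - whole) * Decimal(1_000_000_000))
    if nanos == 0:
        return f"{sign}{whole}s"
    digits = f"{nanos:09d}"
    width = 9
    for candidate in (3, 6):  # drop trailing zero groups, as protobuf does
        if digits[candidate:] == "0" * (9 - candidate):
            width = candidate
            break
    return f"{sign}{whole}.{digits[:width]}s"


def to_protojson_duration(text: str) -> str:
    """Convert a legacy Go-style duration to the form the suppress endpoints require."""
    return format_protojson_duration(parse_go_duration(text))


def is_protojson_duration(text: str) -> bool:
    """True if the value already matches the format the endpoints accept."""
    return _PROTOJSON.fullmatch(text) is not None


if __name__ == "__main__":
    for legacy in ("1h30m", "-1h30m", "2h45m", "300ms", "1.5us"):
        print(f"{legacy:>8} -> {to_protojson_duration(legacy)}")
```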
1.6. Bug fixes in version 4.7.0
Release date: 3 March 2025
- Before this update, reports remained in the `DOWNLOAD` state even after they were downloaded. This issue is now fixed.
- Before this update, the logs repeatedly displayed the following error message: `[Throttled] Could not determine network namespace: No such file or directory`. This issue occurred when the system reported errors on encountering zombie processes. With this update, the system specifically recognizes zombie processes and logs the message at a less severe level. However, the system can still raise an error if the number of detected zombie processes exceeds a certain threshold, which helps to identify faulty workloads.
- Before this update, the Central logs were not rotated, which caused the log file for RHACS to grow indefinitely and eventually take up the entire node memory. This issue occurred because `/var/log/stackrox` was mounted by using an `emptyDir` volume, which does not persist across pod restarts and has no built-in log rotation. With this update, logs are deleted and the `emptyDir` volume is recreated when you restart the Central pod. A log size limit has been introduced to prevent excessive memory usage and to ensure that the Central logs do not overload the node.
- Before this update, Central might have filtered out selected `storage.IndexReport` messages representing the state of the RPM packages on a Red Hat Enterprise Linux CoreOS (RHCOS) node due to missing timestamps. This caused issues in RHACS 4.6.0 and 4.6.1 when testing the Technology Preview feature of RHCOS node scanning with Scanner V4. With this update, the filter logic in Central has been adjusted to ensure that `IndexReport` messages are processed correctly over time.
- Before this update, the RHACS portal incorrectly validated Slack webhook URLs and blocked the Mattermost integration due to strict regex rules. With this update, the regex check has been removed to allow more flexible URL formats.
1.7. About release version 4.7.1
Release date: 31 March 2025
This release of RHACS includes the following bug fix:
- Fixed a bug in which Scanner V4 performed TLS validation even for integrations that had TLS validation disabled.
This release also addresses the following security vulnerabilities:
- CVE-2025-22869: Flaw in the `golang.org/x/crypto/ssh` package.
- CVE-2025-27144: Go JOSE’s parsing vulnerable to denial of service.
1.8. About release version 4.7.2
Release date: 15 April 2025
This release of RHACS contains the following change:
- A new policy criterion, "Days since CVE was published," was added. This criterion allows teams to design more sophisticated grace periods for fixing CVEs based on the CVE publication date.
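As an added illustration that is not RHACS code, the following Python snippet shows one way to combine the "Days since CVE was published" criterion with the EPSS probability described in section 1.2.5: each severity gets a grace period in days, findings whose EPSS is at or above a threshold are escalated to the shortest grace period, and overdue findings are ranked by EPSS and then CVSS. The grace-period values, the EPSS threshold, the severity labels and the sample findings are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import date

# Grace period in days since CVE publication, per severity label.
# Constructed for this example; these are not RHACS defaults.
GRACE_DAYS = {"CRITICAL": 7, "IMPORTANT": 30, "MODERATE": 90, "LOW": 180}

# Findings at or above this EPSS probability (percent, as shown in the portal)
# are treated as urgently as a CRITICAL finding. Constructed threshold.
EPSS_ESCALATION_PERCENT = 10.0


@dataclass(frozen=True)
class CveFinding:
    cve: str
    severity: str      # one of the GRACE_DAYS keys
    cvss: float        # CVSS base score, 0.0-10.0
    epss: float        # EPSS probability in percent, 0-100
    published: date    # CVE publication date
    fixable: bool      # whether a fixed version is available


@dataclass(frozen=True)
class Violation:
    cve: str
    days_since_published: int
    grace_days: int
    epss: float
    cvss: float


def effective_grace_days(finding: CveFinding) -> int:
    """Severity's grace period, shortened to the CRITICAL period when EPSS
    says exploitation is likely."""
    base = GRACE_DAYS[finding.severity]
    if finding.epss >= EPSS_ESCALATION_PERCENT:
        return min(base, GRACE_DAYS["CRITICAL"])
    return base


def evaluate(findings, today: date, fixable_only: bool = True):
    """Return findings whose grace period has expired, most urgent first.

    Ordering is by EPSS (descending) and then CVSS (descending), so a
    moderate-severity CVE that is likely to be exploited outranks a
    critical one that is not.
    """
    violations = []
    for f in findings:
        if fixable_only and not f.fixable:
            continue
        age = (today - f.published).days
        grace = effective_grace_days(f)
        if age > grace:
            violations.append(Violation(f.cve, age, grace, f.epss, f.cvss))
    violations.sort(key=lambda v: (-v.epss, -v.cvss))
    return violations


# Constructed sample findings; the CVE identifiers are placeholders.
SAMPLE_FINDINGS = [
    CveFinding("CVE-EXAMPLE-A", "CRITICAL", 9.8, 2.0, date(2025, 4, 10), True),
    CveFinding("CVE-EXAMPLE-B", "IMPORTANT", 7.5, 45.0, date(2025, 4, 1), True),
    CveFinding("CVE-EXAMPLE-C", "IMPORTANT", 8.1, 0.5, date(2025, 3, 30), True),
    CveFinding("CVE-EXAMPLE-D", "MODERATE", 5.3, 12.0, date(2024, 12, 1), True),
    CveFinding("CVE-EXAMPLE-E", "LOW", 3.1, 0.1, date(2024, 6, 1), False),
    CveFinding("CVE-EXAMPLE-F", "LOW", 3.1, 0.1, date(2024, 6, 1), True),
]
TODAY = date(2025, 4, 15)  # constructed evaluation date


if __name__ == "__main__":
    for v in evaluate(SAMPLE_FINDINGS, TODAY):
        overdue = v.days_since_published - v.grace_days
        print(f"{v.cve}: {overdue} days past its {v.grace_days}-day grace period "
              f"(EPSS {v.epss}%, CVSS {v.cvss})")
```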
It contains the following bug fix:
- Fixed an issue where verifying multi-signed images failed due to incorrect error handling.
It also addresses the following security vulnerabilities:
- CVE-2024-21536: Denial of service vulnerability in the `http-proxy-middleware` package.
- CVE-2025-30204: Excessive memory allocation during header parsing in the `golang-jwt` package.
- CVE-2024-57083: Denial of service vulnerability in the `redoc` package.
1.9. About release version 4.7.3
Release date: 15 May 2025
This release of RHACS includes the following bug fixes:
- Fixed an issue where you could approve global exception requests without having the global access scope, potentially affecting clusters you don’t have access to.
- Fixed an issue where disabling TLS certificate validation in the email notifier settings did not skip TLS verification even if you selected the option.
- Fixed an issue where API responses from Central did not include the `Content-Length` HTTP response header on successful requests, which could affect integrations that rely on this header.
- Fixed an issue where the number of failed policies reported in Configuration Management for a deployment was calculated incorrectly.
- Before this update, the long-running GraphQL-based requests would time out. With this update, the default client timeout for GraphQL-based queries has been increased from 60 seconds to 180 seconds to avoid timeouts for long-running requests.
1.10. About release version 4.7.4
Release date: 11 June 2025
This release of RHACS 4.7 provides the following bug fixes:
- Fixed an issue where images were mistakenly pruned when the inactive images retention value was set to `0`. This caused the `firstDiscovered` and `firstImageOccurrence` values for CVEs to be reset.
- Fixed an issue with the web portal where you could not scroll when assigning roles to an auth provider.
This release provides fixes for the following security issues:
- zlib: Out-of-bounds pointer arithmetic in `inftrees.c` (CVE-2016-9840)
- krb5: Kerberos RC4-HMAC-MD5 checksum vulnerability (CVE-2025-3576)
1.11. About release version 4.7.5
Release date: 22 July 2025
This release of RHACS 4.7 provides the following bug fixes:
- Before this update, Scanner V4 falsely claimed not to support RHEL 10, although it always supported RHEL 10. Scanner V4 now correctly indicates that it supports RHEL 10.
- Before this update, Sensor’s failure to call `stream.Recv()` caused gRPC flow control to block image reprocessing every 4 hours. With this update, the reprocessing loop includes a timeout for sending messages to Sensors, which resolves the issue and resumes image reprocessing as expected.
- Before this update, you could observe excessive logging of telemetry collection status, resulting in log spam. With this update, the telemetry collection has been configured to not emit repeated logs continuously, which resolves the issue and significantly reduces the log volume.
- Before this update, a flaw in the signature verification algorithm caused valid signatures to be reported as invalid if they had a certain payload format. With this update, the enhanced robustness of the algorithm resolves the issue, and the system can now correctly assess the validity of signatures.
This release provides fixes for the following security issues:
- Flaw in `net/http` allowed request smuggling due to improper handling of bare line feed (LF) characters in chunked data (CVE-2025-22871)
1.12. About release version 4.7.6
Release date: 19 August 2025
This release of RHACS 4.7 provides the following bug fixes:
- Before this update, the upgrade to Golang gRPC 1.67 and later caused problems with gRPC connections that affected multiple users. This issue prevented gRPC connections and blocked communication between Central and Sensor. With this release, the `GRPC_ENFORCE_ALPN_ENABLED` flag has been added to RHACS. Its default value disables Application-Layer Protocol Negotiation (ALPN) enforcement, which allows the connection between Sensor and Central and the communication between the components.
This release also addresses the following security vulnerabilities:
- GNOME Glib flaw (CVE-2024-34397)
- Requests HTTP library flaw (CVE-2024-47081)
- Glib library flaws (CVE-2024-52533, CVE-2025-4373)
- Memory corruption flaw in SQLite (CVE-2025-6965)
- Flaw in libxslt (CVE-2025-7425)
- Double-free vulnerability in glibc (CVE-2025-8058)
- Flaw in libxml2 library (CVE-2025-32415)
- Perl standard library threads component flaw (CVE-2025-40909)
1.13. About release version 4.7.7
Release date: 30 September 2025
Starting with RHACS 4.7.7, you might notice changes to container image metadata, such as container labels or Software Bill of Materials (SBOM) contents and location, as the product images are now built and released by using different technologies. These changes do not affect product functionality, but they might impact your third-party integrations.
This release addresses the following issue:
- Before this update, you might have experienced a consistently growing Central database that caused constant resizing of the persistent volume claim (PVC) or service interruptions from a `no space left on device` error. With this release, if you want to prevent the hashes table from growing, set the `ROX_HASH_FLUSH_INTERVAL` environment variable to `0`.
This release addresses the following security vulnerability:
- Flaw in the form-data dependency (CVE-2025-7783)
1.14. About release version 4.7.8
Release date: 6 November 2025
This release addresses the following security vulnerability:
- Lack of a data size check in the Axios dependency (CVE-2025-58754)
1.15. About release version 4.7.9
Release date: 16 December 2025
This release addresses the following bug fix:
- Fixed an issue that caused Central to panic and terminate Sensor connections when a Sensor sent an event type that was unknown to Central. This issue occurred specifically when Sensor version 4.9 ran with Central version 4.7 or 4.8 on an OpenShift Virtualization cluster. The fix ensures that Central operates normally under these conditions and also improves future compatibility between Central version 4.9 and Sensor.
This release addresses the following security vulnerabilities:
- Incorrect default permissions assigned to critical directories in containerd (CVE-2024-25621)
- `libexpat` excessive memory allocation (CVE-2025-59375)
- SQLite query causes memory corruption (CVE-2025-6965)
- Denial of service in CivetWeb (CVE-2025-9648)
- Incorrect results returned from `Rows.Scan` in `database/sql` (CVE-2025-47907)
1.16. Image versions
You can manually pull, retag, and push Red Hat Advanced Cluster Security for Kubernetes (RHACS) images to your registry. The current version includes the following images:
| Image | Description | Current version |
|---|---|---|
| Main | Includes Central, Sensor, Admission controller, and Compliance components. Also includes | |
| Central DB | PostgreSQL instance that provides the database storage for Central. | |
| Scanner | Scans images and nodes. | |
| Scanner DB | Stores image scan results and vulnerability definitions. | |
| Scanner V4 | Scans images. | |
| Scanner V4 DB | Stores image scan results and vulnerability definitions for Scanner V4. | |
| Collector | Collects runtime activity in Kubernetes or OpenShift Container Platform clusters. | |