-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift Service Mesh 2.1.2 security update
Advisory ID:       RHSA-2022:1275-01
Product:           Red Hat OpenShift Service Mesh
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:1275
Issue date:        2022-04-07
CVE Names:         CVE-2021-43824 CVE-2021-43825 CVE-2021-43826
                   CVE-2022-21654 CVE-2022-21655 CVE-2022-23606
                   CVE-2022-23635 CVE-2022-24726
=====================================================================

1. Summary:

Red Hat OpenShift Service Mesh 2.1.2

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

OpenShift Service Mesh 2.1 - noarch, ppc64le, s390x, x86_64

3. Description:

Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio
service mesh project, tailored for installation into an on-premise OpenShift
Container Platform installation.

This advisory covers the RPM packages for the release.

Security Fix(es):

* envoy: Incorrect configuration handling allows mTLS session re-use without
re-validation (CVE-2022-21654)

* envoy: Incorrect handling of internal redirects to routes with a direct
response entry (CVE-2022-21655)

* istio: Unauthenticated control plane denial of service attack due to stack
exhaustion (CVE-2022-24726)

* envoy: Null pointer dereference when using JWT filter safe_regex match
(CVE-2021-43824)

* envoy: Use-after-free when response filters increase response data
(CVE-2021-43825)

* envoy: Use-after-free when tunneling TCP over HTTP (CVE-2021-43826)

* envoy: Stack exhaustion when a cluster is deleted via Cluster Discovery
Service (CVE-2022-23606)

* istio: unauthenticated control plane denial of service attack
(CVE-2022-23635)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

The OpenShift Service Mesh Release Notes provide information on the features
and known issues:

https://docs.openshift.com/container-platform/latest/service_mesh/v2x/servicemesh-release-notes.html

5. Bugs fixed (https://bugzilla.redhat.com/):

2050744 - CVE-2021-43824 envoy: Null pointer dereference when using JWT filter safe_regex match
2050746 - CVE-2021-43825 envoy: Use-after-free when response filters increase response data
2050748 - CVE-2021-43826 envoy: Use-after-free when tunneling TCP over HTTP
2050753 - CVE-2022-21654 envoy: Incorrect configuration handling allows mTLS session re-use without re-validation
2050757 - CVE-2022-21655 envoy: Incorrect handling of internal redirects to routes with a direct response entry
2050758 - CVE-2022-23606 envoy: Stack exhaustion when a cluster is deleted via Cluster Discovery Service
2057277 - CVE-2022-23635 istio: unauthenticated control plane denial of service attack
2061638 - CVE-2022-24726 istio: Unauthenticated control plane denial of service attack due to stack exhaustion

6. JIRA issues fixed (https://issues.jboss.org/):

OSSM-1074 - Pod annotations defined in SMCP are not injected in the pods
OSSM-1234 - RPM Release for Maistra 2.1.2
OSSM-303 - Control Openshift Route Creation for ingress Gateways

7. Package List:

OpenShift Service Mesh 2.1:

Source:
servicemesh-2.1.2-4.el8.src.rpm
servicemesh-operator-2.1.2-4.el8.src.rpm
servicemesh-prometheus-2.23.0-5.el8.src.rpm
servicemesh-proxy-2.1.2-4.el8.src.rpm
servicemesh-ratelimit-2.1.2-4.el8.src.rpm

noarch:
servicemesh-proxy-wasm-2.1.2-4.el8.noarch.rpm

ppc64le:
servicemesh-2.1.2-4.el8.ppc64le.rpm
servicemesh-cni-2.1.2-4.el8.ppc64le.rpm
servicemesh-operator-2.1.2-4.el8.ppc64le.rpm
servicemesh-pilot-agent-2.1.2-4.el8.ppc64le.rpm
servicemesh-pilot-discovery-2.1.2-4.el8.ppc64le.rpm
servicemesh-prometheus-2.23.0-5.el8.ppc64le.rpm
servicemesh-proxy-2.1.2-4.el8.ppc64le.rpm
servicemesh-proxy-debuginfo-2.1.2-4.el8.ppc64le.rpm
servicemesh-proxy-debugsource-2.1.2-4.el8.ppc64le.rpm
servicemesh-ratelimit-2.1.2-4.el8.ppc64le.rpm

s390x:
servicemesh-2.1.2-4.el8.s390x.rpm
servicemesh-cni-2.1.2-4.el8.s390x.rpm
servicemesh-operator-2.1.2-4.el8.s390x.rpm
servicemesh-pilot-agent-2.1.2-4.el8.s390x.rpm
servicemesh-pilot-discovery-2.1.2-4.el8.s390x.rpm
servicemesh-prometheus-2.23.0-5.el8.s390x.rpm
servicemesh-proxy-2.1.2-4.el8.s390x.rpm
servicemesh-proxy-debuginfo-2.1.2-4.el8.s390x.rpm
servicemesh-proxy-debugsource-2.1.2-4.el8.s390x.rpm
servicemesh-ratelimit-2.1.2-4.el8.s390x.rpm

x86_64:
servicemesh-2.1.2-4.el8.x86_64.rpm
servicemesh-cni-2.1.2-4.el8.x86_64.rpm
servicemesh-operator-2.1.2-4.el8.x86_64.rpm
servicemesh-pilot-agent-2.1.2-4.el8.x86_64.rpm
servicemesh-pilot-discovery-2.1.2-4.el8.x86_64.rpm
servicemesh-prometheus-2.23.0-5.el8.x86_64.rpm
servicemesh-proxy-2.1.2-4.el8.x86_64.rpm
servicemesh-proxy-debuginfo-2.1.2-4.el8.x86_64.rpm
servicemesh-proxy-debugsource-2.1.2-4.el8.x86_64.rpm
servicemesh-ratelimit-2.1.2-4.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

8. References:

https://access.redhat.com/security/cve/CVE-2021-43824
https://access.redhat.com/security/cve/CVE-2021-43825
https://access.redhat.com/security/cve/CVE-2021-43826
https://access.redhat.com/security/cve/CVE-2022-21654
https://access.redhat.com/security/cve/CVE-2022-21655
https://access.redhat.com/security/cve/CVE-2022-23606
https://access.redhat.com/security/cve/CVE-2022-23635
https://access.redhat.com/security/cve/CVE-2022-24726
https://access.redhat.com/security/updates/classification/#important

9. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYk9i79zjgjWX9erEAQjuVhAApy3V/Yiv9yk1unHpIrSBmDXYpaLQQ3Pl
vl/hOBmH2JeUdlEaeGkRlxw3/WyXjjEHdcRfKaVRn5fevZfbbxQ0ddOjB1wgouWI
5Ct+HVWtkmfvCfr+LbXeLFwPrm31cvnjU4M2rQQqzjroTWHZHXsYHtYEVGVqoD3V
TNSapRJcap3rkb5Y/SkOGoe0RRiD9+zGglXAuljJEeFE9u1OFnrqShCyhUixh/qm
s/s12ISr2HbiX71zJ470EC8xpZOv/tGNnfo8mb/tqDYTzTzKzNg+g4rcy7864PES
f1FscWQxyZtbOxGVeg0Zq1nGEvadb8Sb0J0jz4lmcEyMJ95LHbuSUn1Ss0wZd6hs
yrbBW4HuQjNh934YDwd95WBWcPdDPdKF4UZ9NYwtQvek0eIDD6ZDIJ8dRUIK7Tyr
5tdyMwIvpSCW4qdqTRnvma7VGZH+ZVS9y8BIAxH0Pg8PiRaiarv+7/aWM8ek42lE
k3LdHFCWs9XCgPhF+iT08m/7bs3sl0y9/kP8EEVWlKbJWY/wFoVEJNAiR42HLBWC
k1W5YLwzdrrykuYRJs5TlwrYGTvOrW80YtpiAtitDtiU0VJlV7WHGXHBT9LFr8Cv
KGun1Upr1qGzsxl1R2x5UUKEvqE16F6DOIxdYaOIWxoraQTtdylohOMHeN+SQWy2
aGv7DRKOjag=
=u1Qv
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
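The package list in section 7 gives the fixed version-release of every RPM, and the note under it says the packages are GPG signed, but the advisory does not show how to check a node against either. The POSIX shell script below is an added example, not part of the advisory and not Red Hat tooling: it parses `rpm -qa` output, looks up each servicemesh package in the advisory's fixed list, compares version-release with a simplified rpmvercmp (numeric segments only, which is sufficient for the `2.1.2-4.el8` / `2.23.0-5.el8` strings here but is not a general replacement for rpm's algorithm), and exits non-zero when any package predates the fix. The sample package list is constructed for the example; the `2.1.1-3.el8` proxy build in it is an assumed pre-advisory version, not a value taken from the page. `verify_rpm_signatures` wraps `rpm -K` and only says anything useful on a host where the Red Hat release key from the URL above has been imported.

```shell
#!/bin/sh
# Added example (not from the advisory): audit `rpm -qa` output against the
# fixed servicemesh package versions published in RHSA-2022:1275.

# Fixed version-release strings, taken from the advisory's package list.
FIXED_MESH_EVR="2.1.2-4.el8"
FIXED_PROM_EVR="2.23.0-5.el8"

# Constructed sample of `rpm -qa 'servicemesh*'` output; NOT real host data.
# The 2.1.1-3.el8 proxy build is an assumed pre-advisory version that
# exercises the "vulnerable" branch. The openssl line shows that packages
# outside the advisory are skipped rather than misreported.
SAMPLE_RPM_LIST='servicemesh-proxy-2.1.1-3.el8.x86_64
servicemesh-pilot-discovery-2.1.2-4.el8.x86_64
servicemesh-prometheus-2.23.0-5.el8.x86_64
servicemesh-proxy-wasm-2.1.2-4.el8.noarch
openssl-1.1.1k-6.el8_5.x86_64'

# fixed_evr_for NAME: print the advisory's fixed version-release for NAME,
# or an empty line when the advisory does not ship that package.
fixed_evr_for() {
  case "$1" in
    servicemesh-prometheus) printf '%s\n' "$FIXED_PROM_EVR" ;;
    servicemesh|servicemesh-cni|servicemesh-operator|servicemesh-ratelimit)
      printf '%s\n' "$FIXED_MESH_EVR" ;;
    servicemesh-pilot-agent|servicemesh-pilot-discovery|servicemesh-proxy-wasm)
      printf '%s\n' "$FIXED_MESH_EVR" ;;
    servicemesh-proxy|servicemesh-proxy-debuginfo|servicemesh-proxy-debugsource)
      printf '%s\n' "$FIXED_MESH_EVR" ;;
    *) printf '\n' ;;
  esac
}

# nvra_split NAME-VERSION-RELEASE.ARCH: print "NAME VERSION-RELEASE".
# Release and version are the last two dash-separated fields; the name may
# itself contain dashes, so it is whatever remains in front of them.
nvra_split() {
  nvr=${1%.*}          # drop the architecture suffix
  rel=${nvr##*-}
  nv=${nvr%-*}
  ver=${nv##*-}
  name=${nv%-*}
  printf '%s %s-%s\n' "$name" "$ver" "$rel"
}

# vercmp A B: print -1, 0 or 1. Simplified rpmvercmp: every non-digit run is
# treated as a separator and the numeric segments are compared left to right,
# so "2.1.2-4.el8" is compared as 2.1.2.4.8. Enough for the versions in this
# advisory; rpm's real algorithm also orders alphabetic segments.
vercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    gsub(/[^0-9]+/, ".", a); gsub(/[^0-9]+/, ".", b)
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) { print "-1"; exit }
      if (xi > yi) { print "1"; exit }
    }
    print "0"
  }'
}

# audit_rpm_list: read NVRA lines on stdin, report every advisory package
# that is older than its fixed build. Returns 1 if any such package exists.
audit_rpm_list() {
  rc=0
  while IFS= read -r nvra; do
    [ -n "$nvra" ] || continue
    set -- $(nvra_split "$nvra")      # $1 = name, $2 = version-release
    fixed=$(fixed_evr_for "$1")
    [ -n "$fixed" ] || continue       # not shipped by this advisory
    if [ "$(vercmp "$2" "$fixed")" -lt 0 ]; then
      printf 'VULNERABLE %s installed=%s fixed=%s\n' "$1" "$2" "$fixed"
      rc=1
    else
      printf 'OK         %s installed=%s\n' "$1" "$2"
    fi
  done
  return $rc
}

# verify_rpm_signatures FILE...: rpm -K re-checks digests and GPG signatures
# and exits non-zero if any fail. Only meaningful after the Red Hat release
# key has been imported on the host; an unknown key is reported as a failure.
verify_rpm_signatures() {
  rpm -K "$@"
}

# Demonstration on the constructed sample. On a real node use:
#   rpm -qa 'servicemesh*' | audit_rpm_list
printf '%s\n' "$SAMPLE_RPM_LIST" | audit_rpm_list \
  || echo "at least one package predates RHSA-2022:1275"
```

The check covers only the RPM delivery that this advisory describes. For a mesh installed through the operator, the control plane images are not visible to `rpm`; compare the version the operator reports for the ServiceMeshControlPlane resource against 2.1.2 instead.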