-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat OpenShift Service Mesh 2.0.9 security update Advisory ID: RHSA-2022:1276-01 Product: Red Hat OpenShift Service Mesh Advisory URL: https://access.redhat.com/errata/RHSA-2022:1276 Issue date: 2022-04-07 CVE Names: CVE-2020-28851 CVE-2020-28852 CVE-2021-3121 CVE-2021-3749 CVE-2021-29482 CVE-2021-29923 CVE-2021-36221 CVE-2021-43565 CVE-2021-43824 CVE-2021-43825 CVE-2021-43826 CVE-2022-21654 CVE-2022-21655 CVE-2022-23606 CVE-2022-23635 CVE-2022-24726 ===================================================================== 1. Summary: Red Hat OpenShift Service Mesh 2.0.9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: 2.0 - ppc64le, s390x, x86_64 3. Description: Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. This advisory covers the RPM packages for the release. Security Fix(es): * gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation (CVE-2021-3121) * envoy: Incorrect configuration handling allows mTLS session re-use without re-validation (CVE-2022-21654) * envoy: Incorrect handling of internal redirects to routes with a direct response entry (CVE-2022-21655) * istio: Unauthenticated control plane denial of service attack due to stack exhaustion (CVE-2022-24726) * golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing - -u- extension (CVE-2020-28851) * golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag (CVE-2020-28852) * nodejs-axios: Regular expression denial of service in trim function (CVE-2021-3749) * ulikunitz/xz: Infinite loop in readUvarint allows for denial of service (CVE-2021-29482) * golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet (CVE-2021-29923) * golang: net/http/httputil: panic due to racy read of persistConn after handler panic (CVE-2021-36221) * golang.org/x/crypto: empty plaintext packet causes panic (CVE-2021-43565) * envoy: Null pointer dereference when using JWT filter safe_regex match (CVE-2021-43824) * envoy: Use-after-free when response filters increase response data (CVE-2021-43825) * envoy: Use-after-free when tunneling TCP over HTTP (CVE-2021-43826) * envoy: Stack exhaustion when a cluster is deleted via Cluster Discovery Service (CVE-2022-23606) * istio: unauthenticated control plane denial of service attack (CVE-2022-23635) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: The OpenShift Service Mesh release notes provide information on the features and known issues: https://docs.openshift.com/container-platform/latest/service_mesh/v2x/servicemesh-release-notes.html 5. Bugs fixed (https://bugzilla.redhat.com/): 1913333 - CVE-2020-28851 golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension 1913338 - CVE-2020-28852 golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag 1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation 1954368 - CVE-2021-29482 ulikunitz/xz: Infinite loop in readUvarint allows for denial of service 1992006 - CVE-2021-29923 golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet 1995656 - CVE-2021-36221 golang: net/http/httputil: panic due to racy read of persistConn after handler panic 1999784 - CVE-2021-3749 nodejs-axios: Regular expression denial of service in trim function 2030787 - CVE-2021-43565 golang.org/x/crypto: empty plaintext packet causes panic 2050744 - CVE-2021-43824 envoy: Null pointer dereference when using JWT filter safe_regex match 2050746 - CVE-2021-43825 envoy: Use-after-free when response filters increase response data 2050748 - CVE-2021-43826 envoy: Use-after-free when tunneling TCP over HTTP 2050753 - CVE-2022-21654 envoy: Incorrect configuration handling allows mTLS session re-use without re-validation 2050757 - CVE-2022-21655 envoy: Incorrect handling of internal redirects to routes with a direct response entry 2050758 - CVE-2022-23606 envoy: Stack exhaustion when a cluster is deleted via Cluster Discovery Service 2057277 - CVE-2022-23635 istio: unauthenticated control plane denial of service attack 2061638 - CVE-2022-24726 istio: Unauthenticated control plane denial of service attack due to stack exhaustion 6. Package List: 2.0: Source: kiali-v1.24.7.redhat1-1.el8.src.rpm servicemesh-2.0.9-3.el8.src.rpm servicemesh-cni-2.0.9-3.el8.src.rpm servicemesh-operator-2.0.9-3.el8.src.rpm servicemesh-prometheus-2.14.0-16.el8.1.src.rpm servicemesh-proxy-2.0.9-3.el8.src.rpm ppc64le: kiali-v1.24.7.redhat1-1.el8.ppc64le.rpm servicemesh-2.0.9-3.el8.ppc64le.rpm servicemesh-cni-2.0.9-3.el8.ppc64le.rpm servicemesh-istioctl-2.0.9-3.el8.ppc64le.rpm servicemesh-mixc-2.0.9-3.el8.ppc64le.rpm servicemesh-mixs-2.0.9-3.el8.ppc64le.rpm servicemesh-operator-2.0.9-3.el8.ppc64le.rpm servicemesh-pilot-agent-2.0.9-3.el8.ppc64le.rpm servicemesh-pilot-discovery-2.0.9-3.el8.ppc64le.rpm servicemesh-prometheus-2.14.0-16.el8.1.ppc64le.rpm servicemesh-proxy-2.0.9-3.el8.ppc64le.rpm s390x: kiali-v1.24.7.redhat1-1.el8.s390x.rpm servicemesh-2.0.9-3.el8.s390x.rpm servicemesh-cni-2.0.9-3.el8.s390x.rpm servicemesh-istioctl-2.0.9-3.el8.s390x.rpm servicemesh-mixc-2.0.9-3.el8.s390x.rpm servicemesh-mixs-2.0.9-3.el8.s390x.rpm servicemesh-operator-2.0.9-3.el8.s390x.rpm servicemesh-pilot-agent-2.0.9-3.el8.s390x.rpm servicemesh-pilot-discovery-2.0.9-3.el8.s390x.rpm servicemesh-prometheus-2.14.0-16.el8.1.s390x.rpm servicemesh-proxy-2.0.9-3.el8.s390x.rpm x86_64: kiali-v1.24.7.redhat1-1.el8.x86_64.rpm servicemesh-2.0.9-3.el8.x86_64.rpm servicemesh-cni-2.0.9-3.el8.x86_64.rpm servicemesh-istioctl-2.0.9-3.el8.x86_64.rpm servicemesh-mixc-2.0.9-3.el8.x86_64.rpm servicemesh-mixs-2.0.9-3.el8.x86_64.rpm servicemesh-operator-2.0.9-3.el8.x86_64.rpm servicemesh-pilot-agent-2.0.9-3.el8.x86_64.rpm servicemesh-pilot-discovery-2.0.9-3.el8.x86_64.rpm servicemesh-prometheus-2.14.0-16.el8.1.x86_64.rpm servicemesh-proxy-2.0.9-3.el8.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-28851 https://access.redhat.com/security/cve/CVE-2020-28852 https://access.redhat.com/security/cve/CVE-2021-3121 https://access.redhat.com/security/cve/CVE-2021-3749 https://access.redhat.com/security/cve/CVE-2021-29482 https://access.redhat.com/security/cve/CVE-2021-29923 https://access.redhat.com/security/cve/CVE-2021-36221 https://access.redhat.com/security/cve/CVE-2021-43565 https://access.redhat.com/security/cve/CVE-2021-43824 https://access.redhat.com/security/cve/CVE-2021-43825 https://access.redhat.com/security/cve/CVE-2021-43826 https://access.redhat.com/security/cve/CVE-2022-21654 https://access.redhat.com/security/cve/CVE-2022-21655 https://access.redhat.com/security/cve/CVE-2022-23606 https://access.redhat.com/security/cve/CVE-2022-23635 https://access.redhat.com/security/cve/CVE-2022-24726 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYk9i6NzjgjWX9erEAQjAEhAAmnMX+Vmxv+BfSR/1KoiT5lCYoO0yCwR3 L2bDIAzohd4RaxbTxTRGGg0ibXB22Helse0hfroV/ZVQDhEcVg07QDwB7bdHknz6 hD1YtqBPLY93Vt2bvUq3XQNpv/hcxK9zngW0j4IeB4kRb0TbIz41yb+0SAKHmHqG KkcyqHeUvh/N02Rp4Ylk+B+Rcjfwwu3KJToUl+YwoajitIiu7np7qkftQ5s+uO2u nuxXdSm67L/WiaCq+LBLJpxk7zmZVtq3kTkqiokHFlSpS9NJCMDWvhpbXG1owkiV du9kUoZYa1hAIonX/URZ7HtOgwBOfaa9Jo0vwLp1GkCZEN389mo7+SkM1A/WGsdN rPwS2pe6HNNqSORHM9aoygraBTZeYyzSTCnVIRIggDbCb8DfG+WdITIEM/Jk9UFS +WSSDbJ9oVNPZtXqImtqxT+0FKHdk9My0UWWpJci3XeV6zL7+1ApcPTib7Y0sbRi XBxeV7THZdyiNHk49xE6i96z5QJFkRL/VCgBx3CaiHVqOAv27cR3O6MrP904utyh f3zUPSYIezvUgq65D13XZTruitBd4wMDTPpCqpsBM5JzLoyObKoU/KIr7oasJkbM 5gKHsNsszEfYgaqFmkao55xHHrZLt7x+WaF6dAttUAbl6AalJmEY3C9UcHYIZlGa 8V4YhC5zIXU= =/fvC -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce