-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat OpenShift Service Mesh 2.2.9 security update Advisory ID: RHSA-2023:4623-01 Product: Red Hat OpenShift Service Mesh Advisory URL: https://access.redhat.com/errata/RHSA-2023:4623 Issue date: 2023-08-11 CVE Names: CVE-2023-27487 CVE-2023-27488 CVE-2023-27491 CVE-2023-27492 CVE-2023-27493 CVE-2023-27496 ===================================================================== 1. Summary: Red Hat OpenShift Service Mesh 2.2.9 Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an OpenShift Container Platform installation. Security Fix(es): * envoy: Client may fake the header `x-envoy-original-path` (CVE-2023-27487) * envoy: envoy doesn't escape HTTP header values (CVE-2023-27493) * envoy: gRPC client produces invalid protobuf when an HTTP header with non-UTF8 value is received (CVE-2023-27488) * envoy: Envoy forwards invalid HTTP/2 and HTTP/3 downstream (CVE-2023-27491) * envoy: Crash when a large request body is processed in Lua filter (CVE-2023-27492) * envoy: Crash when a redirect url without a state param is received in the oauth filter (CVE-2023-27496) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 4. Bugs fixed (https://bugzilla.redhat.com/): 2179135 - CVE-2023-27487 envoy: Client may fake the header `x-envoy-original-path` 2179138 - CVE-2023-27491 envoy: Envoy forwards invalid HTTP/2 and HTTP/3 downstream 2179139 - CVE-2023-27492 envoy: Crash when a large request body is processed in Lua filter 2182155 - CVE-2023-27496 envoy: Crash when a redirect url without a state param is received in the oauth filter 2182156 - CVE-2023-27488 envoy: gRPC client produces invalid protobuf when an HTTP header with non-UTF8 value is received 2182158 - CVE-2023-27493 envoy: envoy doesn't escape HTTP header values 5. References: https://access.redhat.com/security/cve/CVE-2023-27487 https://access.redhat.com/security/cve/CVE-2023-27488 https://access.redhat.com/security/cve/CVE-2023-27491 https://access.redhat.com/security/cve/CVE-2023-27492 https://access.redhat.com/security/cve/CVE-2023-27493 https://access.redhat.com/security/cve/CVE-2023-27496 https://access.redhat.com/security/updates/classification/#important 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJk1pfaAAoJENzjgjWX9erE16UP/Az3YBHc2BsjRSY0/48IyI49 PZ8yFpBCQMocY7dnts48iFeeVZtQlFruLzOOvGWvaKyPCSiyC0XtTg/6sw71XCaf bpOsMXNV75ggf0tTO6JEgGqD326pdOnYqXMUfBnxvgtqQ/Ej1kyGCig+c7bEcvB0 l0m4NsAo224h8U33fnOPbgP/m/0elWCTcZbOUBLd+qRqwE9edZX4Chd+3l3pq5kg zJHLKHui/q+dAIqgsoK6CznTglUXuFQlYpu+vlAomrMGED7kx3t7QgttmhlL7krl rKIBgJml3nottyavLGmdCBiuklBlcNNV6LHZNkIEaIaH7Hlgbcb0AWHcOr97KXxQ K1ZpIdNOX0IDgltC3cGWbmiNmM45KSWKjCTUKXPiD0jlIxbuDIrqT25tOlNw4nRa R4hoiJUvUBl33zcg0q1JZmr9iYA7kKmrQUTgjMaFersmaeVaALBsmwdmTasaAsC0 jdNzrbRB2JCnozPUphYff6Zc0iIKKPmMKtAWDzdyor0eQ+7sPfXNyND2WC5OQtVS oLK/juc7CxQkMhOI09goLFMSUEO7czvKzdr5rzG8s1D7JHNtPLlCy2D0X4jAXIKD Ca53KIpxVrEUpmrApFvZscITKSyEGt0pouxEh2mFU6Op1ZcnONOeDXz7+KVfQTZZ 3+soC5oF43vm3/r9KJAz =xctn -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce